Warning: Internet Explorer Zero Day / exploit

Guest Tempus

Am I right in assuming that a behaviour blocker will never directly protect against "exploitation", like e.g. the one you had described in the Emsisoft blog? But on the other hand, will the behaviour blocker then indirectly protect against the payload dropped from a website, or when the payload is attempted to be executed? Isn't that actually the only way a behaviour blocker can protect a user against exploits? I ask because I have a hard time seeing how it is possible to create a rule for the behaviour blocker that could protect against such or all exploits. Just asking, because I would like to understand the good zero-day tool in Emsisoft Anti-Malware better.

Thanks

Jan

I am working on various extended rules to detect behavior that could indicate that a known good process fell victim to a security exploit. That being said, there is no ETA yet.

Guest Tempus

> I am working on various extended rules to detect behavior that could indicate that a known good process fell victim to a security exploit. That being said, there is no ETA yet.

Hi

It sounds like an exciting project. I will look forward to seeing what you have in mind. Thanks for letting me/us know.


> Am I right in the assumption, that a behaviour blocker will never directly protect against "exploitation", like e.g. the one you hat described in Emsisoft Blog. But on the other hand, then will the behaviour blocker indirectly protect against the payload dropped from a website, or when the payload is tried executed. Is it not actually the only way a behavior blocker can protect an user against exploits? I ask because I have a hard time to see how it is possible to create a rule for the behaviour blocker that could protect against such or all exploits. Just asking, because I would like to understand the good zero day tool in Emsisoft anti malware better.
>
> Thanks
>
> Jan

Although not answering your question about EAM...

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) v4.1 blocks the latest 0-day exploit in Internet Explorer, CVE-2014-1776 (from 2014-04-26).

https://technet.microsoft.com/en-US/library/security/2963983

http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html

EMET: http://support.microsoft.com/kb/2458544

Guest Tempus

Thanks hackerman1 for the links, I appreciate that you found time to post them (I especially liked the article from "FireEye"). It is nice to see that EMET, the mitigation tool, is doing its job (and the Enhanced Protected Mode, EPM). I truly think that EMET is a nice addition to any security setup, and will supplement all primary protection setups in a clever way.


This current exploit is actually Adobe Flash Player based. Whereas EMET 4.1 might be able to detect the exploit if you're running the plug-in version of Flash Player, I have strong doubts that it will detect it if you're using the stand-alone version of Flash Player like I am.

See my posting titled "Something Strange Going on In IE10" dated 4/13/2014. I have strong suspicions that I got partially nailed by this new exploit bugger a couple of weeks ago, and at least the EAM behavior blocker alerted me to suspicious changes occurring to IE10. I received zip alerts from EMET 4.1 although I do have the stand-alone Flash Player defined under EMET 4.1 with all mitigations enabled.

I am running the stand-alone version of Flash Player since the people in the know stated it was more secure than the plug-in version. So much for the advice by those "turkeys."


> This current exploit is actually Abode Flash Player based. Whereas EMET 4.1 might be able to detect the exploit if your running the plug-in version of Flash Player, I have strong doubts that it will detect it if your using the stand alone version of Flash Player like I am.
>
> See my posting titled "Something Strange Going on In IE10" date 4/13/2014. I have strong suspicions that I got partially nailed by this new exploit bugger a couple of weeks ago and at least EAM behavior blocker altered me to suspicious changes occurring to IE10. I received zip alerts from EMET 4.1 although I do have the stand-alone Flash Player defined under EMET 4.1 with all mitigations enabled.
>
> I am running the stand alone version of Flash Player since the people in the know stated it was more secure than the plug-in version. So much from the advice by those "turkeys."

Thinking about this a bit more, it is possible the EAM behavior blocker intercepted the exploit prior to EMET recognizing it. The problem here is the cloud check for the behavior blocker allowed the activity thereby possibly masking the activity to EMET?


Closing out this thread, it looks like I "shot myself in the foot", so to speak, in regards to EMET and Flash Player.

Yes, I did have, and previously had always defined, an app rule for FlashUtil32_xx_x_x_xxx_ActiveX.exe since I installed EMET some time ago. BTW, this is, as the "32" implies, the 32-bit ActiveX version. This resides in the SysWOW64 Windows sub-directory in WIN 7. However, I was running the 32-bit version of IE9 at the time.

A few months back, I upgraded to IE10, which is 64-bit by default. I totally forgot about setting up an EMET app rule for FlashUtil64_xx_x_x_xxx_ActiveX.exe, the 64-bit version of Flash Player that resides in the System32 Windows sub-directory in WIN 7.

At least in this instance, the EAM behavior blocker did notify me of something amiss in IE10, although it did eventually allow the activity.
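The pitfall in the post above is that an EMET app rule is keyed to one executable path, so a rule for the 32-bit FlashUtil32 in SysWOW64 says nothing about the 64-bit FlashUtil64 in System32. The following PowerShell check is an added example, not code from the thread or from Microsoft: it lists every Flash ActiveX binary in both directories and reports whether an EMET rule covers it. It assumes EMET 4.x keeps its per-application rules as value names (full or wildcard paths) under HKLM:\SOFTWARE\Microsoft\EMET\AppSettings and that PowerShell 3.0 or later is available.

```powershell
# Added check (not from the thread): find each Flash ActiveX binary and
# report whether an EMET application rule covers it.
# ASSUMPTION: EMET 4.x stores app rules as value names under this key,
# each value name being the executable path (wildcards allowed).
$emetKey = 'HKLM:\SOFTWARE\Microsoft\EMET\AppSettings'
$rules = @()
if (Test-Path $emetKey) {
    $rules = (Get-Item $emetKey).GetValueNames()
}

# On 64-bit Windows the 64-bit Flash ActiveX lives in System32 and the
# 32-bit one in SysWOW64; a 64-bit IE tab loads the System32 copy.
$dirs = @("$env:windir\System32", "$env:windir\SysWOW64")
$flash = foreach ($d in $dirs) {
    Get-ChildItem -Path $d -Filter 'FlashUtil*_ActiveX.exe' -ErrorAction SilentlyContinue
}

if (-not $flash) {
    Write-Warning 'No Flash ActiveX binaries found in System32 or SysWOW64.'
}

foreach ($exe in $flash) {
    # A rule covers the binary if its (possibly wildcard) path matches either
    # the full path or just the file name.
    $covered = $rules | Where-Object { $exe.FullName -like $_ -or $exe.Name -like $_ }
    [pscustomobject]@{
        Path     = $exe.FullName
        Bitness  = if ($exe.DirectoryName -like '*\SysWOW64') { '32-bit' } else { '64-bit' }
        EmetRule = if ($covered) { $covered -join '; ' } else { 'NONE - add an app rule' }
    }
}
```

Run it from an elevated 64-bit PowerShell so the System32 path is not silently redirected to SysWOW64 by WOW64 file-system redirection.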
