Eleven days ago Microsoft did a disclosure on the MS09-002. Seven days later we already had a proof of concept that was used in the wild, and today having even the Metasploit exploit.

Eleven days have passed, did you patch the vulnerability? Most of the users will not have it patched too soon, even if it comes with the automatic updates. Many just simply have automatic updates turned off. Even so, there are some patches which take a long time to be released, for example the MS08-078 patch did take a while to be released.

And here comes in Exploit Shield an application which will protect your from browser based exploits (either IE or Firefox), but don’t over trust it, as soon as a patch comes out you should fix the vulnerability.

Exploit Shield is designed to shield Web browsers between the development of an exploit and the release of the vendor’s patch.

Exploit Shield posses the following functionality: Zero Day Defense, Patch-Equivalent Protection, Proactive Measures, Protects Against All Websites and Automatic Feedback.

But does it work? Of course it does, check out the detection of a MS09-002 based exploit which was catched by the heuristics incorporated in the software.

It’s also a program that would be useful when researching/coding such exploits, although the automatic submission should be disabled in that case (*grin*).

If you haven’t got it yet, you can download it from here.

The anwser isn’t that simple. Based on the amount of data that could have been leached from the websites (mentioned above) F-Secure looks the trust worthiest. Why F-Secure? Because given their defense-in-depth methodology no sensitive data could have been retrieved, just ordinary data that you may see on other several public pages.

As from any other attack scenario, there is something to be learned. In this case F-Secure and their methodology gave us the lesson. You should never, and I repet never, grant access to important data to a user which interacts with a visitor (in this case, a mysql database user). You will lower the threat by creating different users for different tasks.

Also, I won’t go in complaining about the SQL injections, even if I should, because it’s nothing uncommon. When you have a team of developers which constantly add/remove components and which haven’t got a secure coding methodology (some might sanitize the data on request, others before the usage) SQL injection vulnerabilities (XSS vulnerabilities) will iminently pop up. I said I won’t complain about the vulnerability, but given the fact that they are in the security industry (and not some unknown players) you would expect more…

Another “debate” I’ve seen was based on Acunetix article which mentioned that Unu found the vulnerability in Kaspersky’s website via their scanner. Even if true, we all know that Acunetix Scanner isn’t always enough to catch all the vulnerabilities (as Unu declared also), and no such scanner can. People generally use Acunetix Scanner for a quick and dirty PRELIMINARY scan.

Enough said.

Contrary to some industry observers, antivirus software is not dead. It is, however, undergoing a game-changing transformation.

Here should be noted that by game-changing the author (Carey Nachenberg) is really saying that the antivirus software will be “antivirus” software only by name.

What do I mean by that? To tell you honestly I think that the VX (Virus eXchange) scene is dying slowly and only a couple, or should I say handful, of viruses/worms emerge annually. Without the virus creators, there should be no future for AV, right? Wrong!

AV software for many years detects Malware (Spyware, Trojan, RAT, Rootkits?) and if it were not for the strong impact of the word Virus I would be really sure they would be called Anti-Malware.

By some measurements, the volume of malicious software is now outpacing the production of legitimate programs. Symantec recently measured the adoption rate of new software
applications and found that out of almost 55,000 unique applications deployed during a weeklong measurement period on Microsoft Windows PCs, 65 percent were malicious.

This proves the fact that nowadays Malware do the harm, not viruses. I know some of you knew that, but it had to be said for those who didn’t.

(…) attackers can easily circumvent most generic signatures by tweaking existing malware files, scanning them with an antivirus scanner, and repeating the process until the scanner no longer detects the infection. Such modifications can be
done by hand or, unfortunately, all too easily via automation.

That doesn’t sound so new, it reminds me of the first tutorial I read about making viruses undetectable. And it’s not a new either, it’s a tutorial that dates as back as 1991, called How To Modify A Virus So SCAN Won’t Catch It.

Clearly, in such an environment, traditional signature-based detection – or blacklisting – alone is not enough.

You don’t say… What about heuristics, it’s been around for more than a decade, and great things can be done with it. I have in mind an AV program that implemented it quite well, but I don’t want to make from this article a promotive one.

As the volume of malicious code continues to skyrocket, security techniques must increasingly focus less on analyzing malware and more on analyzing “goodware.”

Whitelisting was, and is, always a better choice, in my opinion, than blacklisting.

Similarly, it!s difficult for security companies to locate less
popular, yet entirely legitimate, software applications and add them to a whitelist. Imagine a small software vendor that caters to just a handful of customers. What are the odds that this vendor!s software will be discovered and added to a whitelist in a timely fashion?

About the same as winning the lottery.

Perhaps the greatest benefit of a hybrid approach is that it would finally return the burden of antivirus protection from the shoulders of weary customers back to security vendors

Perhaps…