[unisog] antivirus that works despite ssl

power less absolutelynopower at gmail.com
Sun Jul 8 16:36:39 GMT 2007


I'm surprised that people don't seem to believe that there are no-click web
exploits. That seems to have a lot to do with one's attitude about how proactive
a security system should be. Although not everyone, e.g. myself, believes that a
virus that had to have a click to get in is a virus-promoting vehicle that
we want to get that far. (In the most recent Storm worm messages I've gotten,
it invites the recipient to put the evil URL in the browser vs. click on it per
se.)

There have been a lot of click-free exploits historically, often involving
JavaScript or some application that is executed automatically, particularly
some kind of multimedia thing,
e.g.:
http://www.kb.cert.org/vuls/id/191609
http://www.us-cert.gov/cas/techalerts/TA07-005A.html
Maybe this seems a lot more believable to me because I personally use
Windows a lot and do Windows support, so I know what the real-world
university employee's computer looks like. Many vulnerable add-ins were
installed before the era of auto-updating, so they require the user to do something
unique to that product to update it. Even with the current auto-updating
applications, there is a problem with each one requiring rebooting the
entire machine (Windows Update, iTunes, anything Adobe, etc.). That makes
for a real weak link, because what is the state when the update was installed
but the machine was not rebooted? I personally observe, day in and day out,
email and browser programs auto-running video and other applications.

But the heck with history, let's look at something very recent:
http://www.kb.cert.org/vuls/id/810073

There are a bunch of vulnerabilities that don't sound like they require
clicks:
http://www.kb.cert.org/vuls/id/770904
http://www.kb.cert.org/vuls/id/457281
http://www.kb.cert.org/vuls/id/507433

This following issue requires accessing a URL (who would think one could get
attacked by an SSL certificate? That's just sad! :-) I certainly hope this
doesn't mean one could be attacked by S/MIME-signed emails!
http://www.kb.cert.org/vuls/id/810073

I'd like to see an antivirus system that has the same effect as if it were
implemented this way:
the browser, email program, messenger, whatever programs would execute the
content as HTML and associated protocols (post-decryption) hand the content to a
safety analyzer "extension/plugin", whatever terminology works in that
context, which is not necessarily solely signature-based. It has the ability
to check for embedded protocol violations and has a step to execute
user-defined checks, so the institution could push check algorithms to the
client if necessary.

So yes, I guess I want a "safety-enhancing" proxy. (I'm staying away from the
word antivirus now. That seems to imply to a lot of people that there is A
VIRUS, or there isn't. Nothing less than that is a non-issue for them,
apparently. Whereas I'd go for looking at anything about it that could be
ID'd as leading to an exploit: sender's IP, domain names, IPs in URLs, text
patterns associated with recent viruses....) Actually, I see there is an
on-machine free SSL-capable proxy, Fiddler2:
http://www.fiddler2.com/Fiddler2/
but I've not figured out if this can do anything for Firefox and Thunderbird
in terms of enticing the file-fixated legacy antivirus program into action.
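The analyzer sketched above, as an added example that is not code from the original post or from any product it mentions: the client would hand it already-decrypted HTML, and it runs built-in checks (IP-literal hosts in URLs, odd URL schemes, tags the client acts on without a click) plus a check built from rules an institution could push to the client. The check names, the rule set and the two sample documents are assumptions constructed for this example, not captured attack content.

```python
# Added example, not code from the original post: a sketch of the post-decryption
# "safety analyzer" the message describes. The client (browser, mail reader) would
# hand it already-decrypted HTML; it runs built-in checks plus rules an institution
# could push to the client. All names, rules and the sample HTML are assumptions
# constructed for this example; the sample is not a captured attack.
import ipaddress
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that carry URLs, and tags the client acts on without a click.
URL_ATTRS = ("href", "src", "data", "action")
AUTO_EXEC_TAGS = {"script", "object", "embed", "iframe", "applet"}
ALLOWED_SCHEMES = {"", "http", "https", "mailto"}


@dataclass(frozen=True)
class Finding:
    check: str    # which check fired
    detail: str   # what it matched


class _Collector(HTMLParser):
    """Flattens a document into (tag, attrs) pairs plus its visible text."""

    def __init__(self):
        super().__init__()
        self.tags = []   # list of (tagname, {attr: value})
        self.text = []   # text nodes

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag.lower(), {k.lower(): v or "" for k, v in attrs}))

    def handle_data(self, data):
        self.text.append(data)


def _urls(tags):
    """Yield (tag, attr, url) for every URL-bearing attribute."""
    for tag, attrs in tags:
        for a in URL_ATTRS:
            if a in attrs:
                yield tag, a, attrs[a]


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)   # accepts IPv4 and IPv6 literals
        return True
    except ValueError:
        return False


def check_ip_literal_urls(tags, text):
    """Links or embeds whose host is a bare IP address rather than a DNS name."""
    return [Finding("ip-literal-url", f"<{t} {a}={u!r}>")
            for t, a, u in _urls(tags) if _is_ip_literal(urlparse(u).hostname or "")]


def check_url_schemes(tags, text):
    """URLs using schemes mail or a web page has no business using (javascript:, file:, ...)."""
    return [Finding("odd-scheme", f"<{t} {a}={u!r}>")
            for t, a, u in _urls(tags) if urlparse(u).scheme.lower() not in ALLOWED_SCHEMES]


def check_auto_exec(tags, text):
    """Content the client would execute or render automatically, with no click."""
    return [Finding("auto-exec-tag", f"<{t}>") for t, _ in tags if t in AUTO_EXEC_TAGS]


def make_pattern_check(rules):
    """Build a check from institution-pushed rules: {name: regex} applied to text and URLs."""
    compiled = {name: re.compile(pat, re.I) for name, pat in rules.items()}

    def check(tags, text):
        haystacks = [" ".join(text)] + [u for _, _, u in _urls(tags)]
        found = []
        for name, rx in compiled.items():
            for h in haystacks:
                m = rx.search(h)
                if m:
                    found.append(Finding(f"pushed-rule:{name}", m.group(0)))
                    break   # one report per rule is enough
        return found
    return check


def analyze(html, checks):
    """Run every check over the decrypted HTML; return all findings (empty list = nothing seen)."""
    p = _Collector()
    p.feed(html)
    p.close()
    findings = []
    for c in checks:
        findings.extend(c(p.tags, p.text))
    return findings


# Constructed sample rule set and messages (hypothetical, for demonstration only).
PUSHED_RULES = {"paste-url-lure": r"paste (this|the) (link|url) into your browser"}
DEFAULT_CHECKS = [check_ip_literal_urls, check_url_schemes, check_auto_exec,
                  make_pattern_check(PUSHED_RULES)]

SAMPLE_HTML = """<html><body>
<p>Paste this link into your browser:
<a href="http://192.0.2.10/ecard.exe">http://192.0.2.10/ecard.exe</a></p>
<embed src="http://192.0.2.10/card.swf" type="application/x-shockwave-flash">
<a href="javascript:void(0)">click</a>
</body></html>"""

BENIGN_HTML = '<html><body><p>Hello</p><a href="https://example.org/">site</a></body></html>'

if __name__ == "__main__":
    for f in analyze(SAMPLE_HTML, DEFAULT_CHECKS):
        print(f"{f.check:28} {f.detail}")
    print("benign findings:", analyze(BENIGN_HTML, DEFAULT_CHECKS))
```

The checks all share one signature, `check(tags, text) -> [Finding]`, so a pushed rule set is just another callable in the list; the constructed sample yields five findings (two IP-literal URLs, one `javascript:` link, one auto-rendered `<embed>`, one lure-phrase match) while the benign document yields none. A real deployment would sit between TLS/S/MIME decryption and rendering, which is the position the message argues a file-based scanner never reaches.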

