A
Ant
Guest
"David Kaye" wrote:
> What I'm getting at is that I use the best of off the shelf freebie programs
> my customers would tend to download. As for updates, typically when I first
> see them they have default Windows services turned on, so that they are up to
> date on Windows updates,
What about non-MS updates?
> I'm using IE8 Version 8.0.6001.18702.
That should be reasonably safe, hence the importance of checking 3rd
party (non-MS) plugins and helper apps.
> I know you mean well, but believe me, I already know about this stuff.
I appreciate you have some clue and that's why I'm interested in how
you got infected. If all your software was fully updated this drive-by
infection should not have happened. If it was a new vulnerability, AKA
a zero-day exploit, then I'm particularly interested in knowing what
it was.
When executable code runs via an exploit like a buffer overflow and
code injection there's no guarantee that an otherwise securely
configured OS can spot it. DEP (data execution prevention) can help
prevent this kind of attack if available for the machine.
> I noted the file date/time and have looked back on this.
As I said, you need to examine the cached files to have any hope of
finding the exploit. Of course, you will need to have an understanding
of file formats and know what to look for.
> The exploit appears
> to have come from foxnews, officedepot, or officemax -- the time stamps are
> within a few seconds of each other and show up right before the time stamp
> that was written to the temp directory in my documents and settings tree.
You see, my probing has caused you to give more information which then
prompted someone else to reply with a link to a forum about the Faux
News site infection. Although that discussion is a year old, the
problem of legitimate sites serving up malware through adverts or
hacked servers is still a real one. It appears those exploits were via
buggy ActiveX controls which have all now been patched.
>>More important is to find the vulnerable software component that
>>allowed it to run.
>
> Yes. Also, since I was able to get this infection I suspect that I'll be
> getting frantic calls this coming week from others. I'm getting tempted to
> set people up as limited users, even though that creates headaches in itself
> (such as the inability to run QuickBooks properly, which I mentioned before).
You should at least disallow the automatic running of PDFs, look at
tightening browser security settings, and perhaps change the browser
to Firefox or Opera if they are not using IE 8. XP's default settings
are no longer sufficient.
> What I'm getting at is that I use the best of off the shelf freebie programs
> my customers would tend to download. As for updates, typically when I first
> see them they have default Windows services turned on, so that they are up to
> date on Windows updates,
What about non-MS updates?
> I'm using IE8 Version 8.0.6001.18702.
That should be reasonably safe, hence the importance of checking 3rd
party (non-MS) plugins and helper apps.
> I know you mean well, but believe me, I already know about this stuff.
I appreciate you have some clue and that's why I'm interested in how
you got infected. If all your software was fully updated this drive-by
infection should not have happened. If it was a new vulnerability, AKA
a zero-day exploit, then I'm particularly interested in knowing what
it was.
When executable code runs via an exploit like a buffer overflow and
code injection there's no guarantee that an otherwise securely
configured OS can spot it. DEP (data execution prevention) can help
prevent this kind of attack if available for the machine.
> I noted the file date/time and have looked back on this.
As I said, you need to examine the cached files to have any hope of
finding the exploit. Of course, you will need to have an understanding
of file formats and know what to look for.
> The exploit appears
> to have come from foxnews, officedepot, or officemax -- the time stamps are
> within a few seconds of each other and show up right before the time stamp
> that was written to the temp directory in my documents and settings tree.
You see, my probing has caused you to give more information which then
prompted someone else to reply with a link to a forum about the Faux
News site infection. Although that discussion is a year old, the
problem of legitimate sites serving up malware through adverts or
hacked servers is still a real one. It appears those exploits were via
buggy ActiveX controls which have all now been patched.
>>More important is to find the vulnerable software component that
>>allowed it to run.
>
> Yes. Also, since I was able to get this infection I suspect that I'll be
> getting frantic calls this coming week from others. I'm getting tempted to
> set people up as limited users, even though that creates headaches in itself
> (such as the inability to run QuickBooks properly, which I mentioned before).
You should at least disallow the automatic running of PDFs, look at
tightening browser security settings, and perhaps change the browser
to Firefox or Opera if they are not using IE 8. XP's default settings
are no longer sufficient.
