Microsoft EMETv2 released

Published: 2010-09-02
Last Updated: 2010-09-02 19:00:45 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)

Today, Microsoft released a new version of their "Enhanced Mitigation Experience Toolkit". A rather unwieldy name, but quite interesting technology: with EMET, legacy applications on OS versions as far back as Windows XP can also be protected with Data Execution Prevention (DEP), Structured Exception Handler Overwrite Protection (SEHOP) and more, and the application doesn't even have to be DEP-aware, i.e. it need not have been linked with the /NXCOMPAT flag. If you have vulnerable legacy apps on Windows that you need to keep alive for a little while longer, I suggest taking a look at EMETv2.
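An added example, not from the diary and not part of EMET: the "DEP-aware" property the post refers to is the IMAGE_DLLCHARACTERISTICS_NX_COMPAT bit in a PE file's optional header, next to the DYNAMIC_BASE (ASLR) bit. The script below walks the headers of an on-disk image and reports which opt-in mitigations its linker set, which tells you whether a tool like EMET would have to force them from outside. The two sample images are constructed, header-only fixtures, not real executables; any paths given on the command line are checked as well.

```python
import struct
import sys

# DllCharacteristics bits from winnt.h (IMAGE_DLLCHARACTERISTICS_*)
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
DYNAMIC_BASE = 0x0040      # image may be relocated (ASLR opt-in)
NX_COMPAT = 0x0100         # image is DEP-aware (linked with /NXCOMPAT)
NO_SEH = 0x0400            # image declares it uses no SEH handlers

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B

# Mitigations the loader applies only when the image asks for them; EMET-style
# tools exist precisely to force these for images that do not.
OPT_IN_MITIGATIONS = ("nx_compat", "dynamic_base")


def pe_mitigation_flags(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header and
    decode DllCharacteristics. Works on the on-disk image, no Windows needed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dll_characteristics": dll_chars,
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "no_seh": bool(dll_chars & NO_SEH),
    }


def missing_opt_ins(data: bytes) -> list:
    """Opt-in mitigations this image did NOT ask for, i.e. what an external
    tool would have to force on its behalf."""
    flags = pe_mitigation_flags(data)
    return [name for name in OPT_IN_MITIGATIONS if not flags[name]]


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed fixture: just enough header to exercise the walk above.
    It is not loadable and contains no code; it only stands in for a real file."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224          # standard sizes incl. 16 data dirs
    machine = 0x8664 if pe32plus else 0x14C      # AMD64 / I386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: an old 32-bit app built before /NXCOMPAT existed, and a
# modern 64-bit one that opted into DEP, ASLR and high-entropy ASLR.
LEGACY_APP = build_minimal_pe(0x0000)
HARDENED_APP = build_minimal_pe(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA, pe32plus=True)

if __name__ == "__main__":
    images = [("legacy.exe (constructed)", LEGACY_APP),
              ("hardened.exe (constructed)", HARDENED_APP)]
    images += [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    for name, data in images:
        flags = pe_mitigation_flags(data)
        print(f"{name}: DllCharacteristics={flags['dll_characteristics']:#06x} "
              f"DEP-aware={flags['nx_compat']} ASLR={flags['dynamic_base']} "
              f"missing={missing_opt_ins(data) or 'none'}")
```

The flags only say what the image asked for; whether the OS actually honours them depends on the system DEP policy (OptIn by default on client Windows of that era) and on every DLL loaded into the process, which is exactly the gap EMET closes by applying the mitigation per process regardless of the header.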

Keywords: Microsoft

SDF, please!

Published: 2010-09-02
Last Updated: 2010-09-02 00:50:00 UTC
by Daniel Wesemann (Version: 1)
19 comment(s)

"We're under a targeted malware attack!", a friend of mine yelled into the phone. "We are getting lots of oddly named PDFs, attached to personalized emails, sent only to certain employees in our firm!". From some past experience with chewing through our nasty malware repository here at SANS ISC, I had learned a thing or two about malicious PDFs, so I agreed to take a look.

One hour later, it was clear that the PDFs in this case were free of any exploit, completely harmless, and contained only the average "I AM A COUSIN OF THE LATE ZESKEKE NGAGWENE" type of Nigerian 419 (advance-fee) fraud spam.

But the whole episode gave me pause. It really looks like the past two years of never-ending new waves of PDF exploits have degraded PDF in the mind of every security analyst to a level somewhere on par with ANI and SCR files: No matter what it claims to be, it ain't nothing good.

I very much agree with Stephen Northcutt's comment in SANS NewsBites two months ago. He asked: "Is there an alternative to a .pdf? It was supposed to be a printable image of what you saw on the screen. At least that was the idea 15 years ago. It should not need 'launch' functions to do that. Do you remember five or six years ago, you weren't supposed to send an Excel spreadsheet or a Word document because they might contain malware, you were supposed to send a .pdf. Guess that has changed!"

Time for SDF - the Safe Document Format. You know, one that just supports pixels in various shades of gray, and does not need to include the ability to play a movie in 3D accompanied by surround sound. Just a nice plain document that can be opened, read and printed, without any of the nagging feeling of dread that nowadays accompanies clicking on a PDF.

Anyone?
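An added example, not part of the diary: the first pass of the kind of look the post describes, scanning a PDF for the "active" features (/Launch, /JavaScript, /OpenAction and friends) that a plain print-and-read document has no business containing. Since attackers routinely hide those names behind #xx name escaping and inside FlateDecode streams, the script inflates what it can and undoes the escaping before counting. The three sample files are constructed inline and are not real malware; the textual stream matching is a triage heuristic, not a full PDF parser, so treat a clean result as "nothing obvious", not as proof of safety.

```python
import re
import zlib

# PDF name objects whose presence means the file does more than display pages.
RISKY_NAMES = {
    b"/Launch": "launch action: run an external program",
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript code",
    b"/OpenAction": "action fired when the document opens",
    b"/AA": "additional actions (page/field/annotation events)",
    b"/EmbeddedFile": "attached file payload",
    b"/RichMedia": "Flash or other rich media",
    b"/URI": "external URI action",
}

# A PDF name ends at whitespace or a delimiter; this stops /JS matching /JSON.
_NAME_END = rb"(?![^\s()<>\[\]{}/%])"


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes inside names, e.g. /Ja#76aScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes):
    """Yield the decoded body of every stream that zlib can inflate.
    Heuristic: matches stream ... endstream textually instead of honouring
    /Length, which is good enough for triage and survives bogus /Length values."""
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue            # not FlateDecode, or deliberately corrupted


def triage_pdf(data: bytes) -> dict:
    """Count risky names in the raw file and in every inflated stream."""
    if not data.startswith(b"%PDF"):
        raise ValueError("no %PDF header")
    inflated = list(inflate_streams(data))
    layers = [normalize_names(layer) for layer in [data] + inflated]
    risky = {}
    for layer in layers:
        for name in RISKY_NAMES:
            n = len(re.findall(re.escape(name) + _NAME_END, layer))
            if n:
                risky[name.decode()] = risky.get(name.decode(), 0) + n
    return {
        "objects": len(re.findall(rb"\b\d+\s+\d+\s+obj\b", data)),
        "streams_inflated": len(inflated),
        "risky": risky,
        "verdict": "active content, inspect" if risky else "no active content found",
    }


def _pdf(body: bytes) -> bytes:
    return b"%PDF-1.4\n" + body + b"\n%%EOF\n"


# Constructed samples (not real malware): plain 419 text, an overt /Launch
# action, and JavaScript hidden by name escaping inside a FlateDecode stream.
BENIGN_419 = _pdf(
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Length 60 >>\nstream\n"
    b"BT /F1 12 Tf (I AM A COUSIN OF THE LATE ZESKEKE NGAGWENE) Tj ET\n"
    b"endstream\nendobj\n")

LAUNCH_ACTION = _pdf(
    b"1 0 obj\n<< /Type /Catalog /OpenAction << /S /Launch /F (cmd.exe) >> >>\nendobj\n")

_hidden = zlib.compress(b"5 0 obj\n<< /S /Ja#76aScript /JS (app.alert(1)) >>\nendobj\n")
HIDDEN_JS = _pdf(
    b"1 0 obj\n<< /Type /Catalog /OpenAction 5 0 R >>\nendobj\n"
    b"6 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_hidden)).encode() + b" >>\nstream\n" + _hidden + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, sample in (("benign 419", BENIGN_419), ("launch", LAUNCH_ACTION),
                          ("hidden JS", HIDDEN_JS)):
        r = triage_pdf(sample)
        print(f"{label}: {r['verdict']}; risky={r['risky']} "
              f"inflated={r['streams_inflated']} objects={r['objects']}")
```

A hit on /OpenAction or /AA alone is not a verdict, but it tells you where to look: follow the referenced object and see what action it points at. Other filters (ASCIIHex, LZW, RunLength) and encrypted documents are deliberately out of scope here and would need a real parser.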

Keywords: pdf PDF exploit
