
Orca security question

Posted: Tue Jan 03, 2006 2:34 pm
by jscnbach
I just noticed many security software do not directly protect Orca. SpywareBlaster protects IE and Firefox. Spybot TeaTimer protects IE (and Firefox?). Etc.
I am wondering, since Orca uses the same engine as Firefox, is it automatically protected? If not, then aren't we at higher risk using Orca than IE or Firefox users?

Posted: Tue Jan 03, 2006 3:57 pm
by abfan123
Actually, any good security software should protect your computer in general and won't allow any malware to enter/run on your computer.
If you're running good security software then it doesn't really matter what your web browser is. It should protect it anyway.

Posted: Tue Jan 03, 2006 5:22 pm
by KY Dave
abfan123 wrote: Actually, any good security software should protect your computer in general and won't allow any malware to enter/run on your computer.
If you're running good security software then it doesn't really matter what your web browser is. It should protect it anyway.
It doesn't!

Nothing protects against the current ZERO DAY Exploit in WINDOWS META FILES (wmf).

Posted: Tue Jan 03, 2006 5:37 pm
by ytsmabeer
Don't press OK, now you're protected

Posted: Tue Jan 03, 2006 5:57 pm
by abfan123
WebGuy wrote:
abfan123 wrote: Actually, any good security software should protect your computer in general and won't allow any malware to enter/run on your computer.
If you're running good security software then it doesn't really matter what your web browser is. It should protect it anyway.
It doesn't!

Nothing protects against the current ZERO DAY Exploit in WINDOWS META FILES (wmf).
Send me a link to it please by a PM. (I've looked for a working exploit really long all over the net but couldn't find any. :cry: )

Posted: Tue Jan 03, 2006 5:58 pm
by KY Dave
ytsmabeer wrote:Don't press OK, now you're protected
There are NO warnings, questions to answer or anything.

It automatically opens WINDOWS PICTURE/FAX VIEWER and then tries to contact the internet. In the split second it takes for this to happen, a program is already placed on the PC. It is a downloader or dropper.

There is NOTHING to choose, NOT OK, NOT YES, nothing at all.

I have SPYBOT S/D, WINDOWS SPYWARE, ZONEALARM, SYSTEMS MECHANIC, AVG, BIT DEFENDER and none of those stopped it. ZoneAlarm did prevent it from contacting the internet and downloading more crap, but the dropper was on the system as soon as I hit the webpage.
abfan123 wrote: Send me a link to it please by a PM. (I've looked for a working exploit really long all over the net but couldn't find any. :cry: )
Sorry, but I can't. It was on FREEPOPS.ORG site for a day, I reported it to them, they removed it. A day later it was back, they removed it and had to change their forum software to keep the hacker from placing it on their forum again.

Posted: Tue Jan 03, 2006 6:04 pm
by ytsmabeer
Well, thank you Opera, because I came across .wmf twice today and it just asks a question.

Do FF and IE ask for something?

Posted: Tue Jan 03, 2006 6:12 pm
by abfan123
Well,
I've found some wmf that claimed to be an exploit.
But my antivirus blocked it immediately. (Yes, I like to mess with all kinds of exploits on my old PC, lol.)

Posted: Tue Jan 03, 2006 6:13 pm
by KY Dave
ytsmabeer wrote: Well, thank you Opera, because I came across .wmf twice today and it just asks a question.

Do FF and IE ask for something?
IE does NOT ask, I don't know about FF.

Users should scan their systems. If I didn't have ZoneAlarm I doubt I would have even noticed it. It opened and closed the Win Fax Viewer for a split second and that was the only warning I had except for ZoneAlarm.

Users could already be infected if they don't have a FIREWALL that blocks OUTGOING TRAFFIC. Windows FIREWALL would be USELESS against this exploit.

Search for "a.exe" and a similar name (a.123456.exe.pf) in the Windows prefetch. At least those are the files dropped on my system.
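
The prefetch check suggested in the post above, as an added example that is not part of the original thread. It assumes the Windows XP prefetch naming scheme of `<EXE NAME>-<8 hex digits>.pf`; the sample directory and its file names are constructed, and `find_prefetch_hits` is a hypothetical helper name.

```python
import re
import tempfile
from pathlib import Path

# Assumed naming scheme: <EXE NAME>-<8 hex digit path hash>.pf
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)


def find_prefetch_hits(prefetch_dir, suspect_names):
    """Return (executable, hash, file name, mtime) for every prefetch entry
    whose executable name is in suspect_names (case-insensitive).
    A hit means the program was launched at least once on this machine;
    the file's modification time is a hint for when it last ran."""
    wanted = {name.upper() for name in suspect_names}
    hits = []
    for entry in sorted(Path(prefetch_dir).iterdir()):
        m = PF_NAME.match(entry.name)
        if m and m.group("exe").upper() in wanted:
            hits.append((m.group("exe").upper(), m.group("hash").upper(),
                         entry.name, entry.stat().st_mtime))
    return hits


def build_sample_dir():
    """Constructed sample: empty files with prefetch-style names."""
    d = Path(tempfile.mkdtemp())
    for name in ("A.EXE-1A2B3C4D.pf", "NOTEPAD.EXE-336351A9.pf",
                 "AA.EXE-0BADF00D.pf", "a.exe-00C0FFEE.pf", "readme.txt"):
        (d / name).touch()
    return d


if __name__ == "__main__":
    # On a live system the directory would be %SystemRoot%\Prefetch.
    for exe, path_hash, file_name, mtime in find_prefetch_hits(
            build_sample_dir(), ["a.exe"]):
        print(exe, path_hash, file_name, mtime)
```

Two hits with different hashes mean the same file name was run from two different locations, which is worth checking separately.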

Posted: Tue Jan 03, 2006 7:39 pm
by mutterer
Steve Gibson has a link to a patch on grc.com which he claims will protect W2K and up.
I quote:

"Ilfak Guilfanov (see GREEN box below) produced a highly-effective true patch which successfully suppresses all known exploitable vulnerabilities for anyone using Windows 2000, XP, server 2003, or 64-bit XP. No patch is available for Windows 95, 98, ME or NT, and none is expected to be forthcoming. But anyone using Windows 2000, XP, server 2003, or 64-bit XP should IMMEDIATELY install Ilfak's exploit suppressor into all of their systems."

and

"Windows 98/SE/ME users: Microsoft's original advice to "unregister the shimgvw.dll" (shell image viewer) was never correct or useful on those platforms. The good news is that all current WMF exploits appear to be non-functional on the older Win9x vintage platforms . . . so you will likely be okay until Microsoft has updated your system with the next security patches. There is no short-term workaround for Windows 9x users."

He is right, I tried the MS workaround on my 98SE system 2 days ago, it told me to get lost.

http://www.grc.com/sn/notes-020.htm

Posted: Tue Jan 03, 2006 11:36 pm
by jscnbach
No response seems to touch my original subject. Do TeaTimer or SpywareBlaster protect Orca like they do for IE and FF? If not, what does?

Posted: Wed Jan 04, 2006 12:21 am
by bigC
jscnbach wrote:Do TeaTimer or SpywareBlaster protect Orca?
TeaTimer, I believe, protects the registry, so that should still work if I'm not mistaken. As for SpywareBlaster, that doesn't appear to be protecting Orca. But if you have Firefox installed, you can copy the hostperm.1 file in your Firefox profile and place it in your Orca profile. Hostperm contains all the blocked sites spyblaster adds to Firefox... moving that file into Orca should effectively block those nasty cookies in OB as well.
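
A variation on the hostperm.1 copy described in the post above, as an added example that is not part of the original thread: instead of overwriting Orca's file, it merges only the cookie-block entries, so permissions already set in Orca survive and no allow entries are imported. It assumes the Gecko permission file format of tab-separated `host`, type, permission, hostname records with `2` meaning deny; the sample contents and function names are constructed.

```python
DENY = "2"  # assumed Gecko permission value for "block"

# Constructed sample file contents (hosts are placeholders).
FIREFOX_SAMPLE = (
    "# Permission File\n# This is a generated file! Do not edit.\n\n"
    "host\tcookie\t2\tads.example.net\n"
    "host\tcookie\t2\ttracker.example.com\n"
    "host\timage\t2\tbanners.example.net\n"
    "host\tcookie\t1\tshop.example.org\n"
)
ORCA_SAMPLE = (
    "# Permission File\n# This is a generated file! Do not edit.\n\n"
    "host\tpopup\t1\tforum.example.org\n"
    "host\tcookie\t1\ttracker.example.com\n"
)


def parse_hostperm(text):
    """Map (type, host) -> permission for each 'host' record; skip the rest."""
    perms = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 4 and fields[0] == "host":
            _, ptype, value, host = fields
            perms[(ptype, host.strip().lower())] = value
    return perms


def merge_cookie_blocks(firefox_text, orca_text):
    """Add Firefox's cookie-deny entries to Orca's permissions.
    Anything Orca already has for that host and type is left unchanged."""
    merged = parse_hostperm(orca_text)
    added = []
    for (ptype, host), value in parse_hostperm(firefox_text).items():
        if ptype == "cookie" and value == DENY and (ptype, host) not in merged:
            merged[(ptype, host)] = value
            added.append(host)
    return merged, added


def render_hostperm(perms):
    """Serialise the merged permissions back into the file format."""
    lines = ["# Permission File", "# This is a generated file! Do not edit.", ""]
    lines += [f"host\t{t}\t{v}\t{h}" for (t, h), v in sorted(perms.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    merged, added = merge_cookie_blocks(FIREFOX_SAMPLE, ORCA_SAMPLE)
    print("added:", added)
    print(render_hostperm(merged))
```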

Posted: Wed Jan 04, 2006 12:50 am
by KY Dave
Current WMF exploit detection by AV scanners as of January 1, 2006

AV-Test, an independent test lab that tracks malware and anti-malware products, has been closely tracking detection of exploits based on the WMF flaw. Below are current numbers as of the morning of January 1, 2006, based on 73 different variants of the threat.

Detection: Product(s)
  • 73 out of 73: AntiVir, Avast!, BitDefender, ClamAV, Command, Dr Web, eSafe, eTrust-INO, eTrust-VET, Ewido, F-Secure, Fortinet, Kaspersky, McAfee, Nod32, Norman, Panda, Sophos, Symantec, Trend Micro, VirusBuster
  • 67 out of 73: Ikarus, VBA32
  • 54 out of 73: F-Prot
  • 13 out of 73: AVG
  • 11 out of 73: QuickHeal
ABC New article

Posted: Wed Feb 01, 2006 8:52 pm
by TekNoir
SpywareBlaster doesn't actually "protect" Firefox. It simply prevents certain ad/tracking cookies from being saved in Firefox's cache. It does nothing more than this for Firefox. Most of SpywareBlaster's functionality was intended for Internet Explorer users where it prevents attacks from malicious ActiveX installation as well as preventing the aforementioned cookies.

Advertising/tracking cookies really aren't that big of a deal in my opinion, except for the minimal amount of space that they require on today's massive hard-drives. They simply record which ads you've already looked upon and which ones that you've clicked upon so that they can better tailor what you see. No personal information is stored. You're merely a number, another potential sell, to them. I actively block most advertisements no matter which browser I use, so for me it is a moot point.

It's the ActiveX that you need to worry about. This is where you get nearly all of your spyware and your adware while browsing the internet. These are basically mini-programs, originally intended to add or enhance functionality for Windows Explorer and the Internet Explorer browser, which miscreants have found a way to exploit. These programs can potentially be installed without your knowledge (though service pack two for Windows XP was a huge step forward in preventing that) and then they can manipulate things on your system, download adware, keyloggers, or worse, and generally party however they want while remaining relatively hidden.

It should be noted that for those who don't frequent pornographic websites or other shady sites, the largest source of virus/spyware infection is through opening questionable attachments in your email or having your email client set to automatically display attachments in-line. Some people are either far too naive or far too trusting, especially if something claims to be from someone that you know.

TeaTimer provides the same function as SpywareBlaster for Internet Explorer, though through different methods. TeaTimer is the active approach, always in wait, and prevents malicious ActiveX from being installed. Think of it like a bouncer at a grand party, protecting from gatecrashers. SpywareBlaster takes the preventive approach, inserting predefined software values into the Windows registry. Think of it like throwing a grand party and then just not sending invitations to those you don't want to come.

It is highly recommended that you use both a preventive and an active approach to spy/adware if you use Internet Explorer: the preventive measures to protect you from the worst showing up in the first place, and the active measures to protect you from those that you never expected. It should be noted that some, if not all, of this functionality is built into most anti-spyware and some anti-virus programs today, and significant, unnecessary overlaps in protection often occur.

The Mozilla Foundation's Gecko web-display engine, which Dr. Orca uses, does not natively support the loading of ActiveX programs, Internet Explorer's greatest weakness. This has been a feather in Mozilla/Firefox's cap since the earliest of times (as well as for Opera, Netscape, and various other non-IE browsers). The very act of not using Internet Explorer plugs its very worst security hole...

Posted: Wed Feb 01, 2006 9:16 pm
by TekNoir
WebGuy wrote:
abfan123 wrote: Actually, any good security software should protect your computer in general and won't allow any malware to enter/run on your computer.
If you're running good security software then it doesn't really matter what your web browser is. It should protect it anyway.
It doesn't!

Nothing protects against the current ZERO DAY Exploit in WINDOWS META FILES (wmf).
This is incorrect information to say that nothing protects or prevents this particular exploit or any other, even on zero-day. Most every user of Windows XP who had previously installed service pack two and has it installed on a computer running a relatively modern processor was protected from this particular exploit before zero-day. More information can be found here. This is without even having any additional security programs running.

To say that nothing protects against zero-day exploits is absurd. It is unlikely (though certainly not impossible) that anyone who uses an up-to-date computer operating system, such as Windows XP with all current updates applied, and who runs a complete suite of preventive programs (ideally comprised of a hardware/software firewall, anti-virus program, anti-spyware program, and any other such supportive programs) will become infected, even by a zero-day exploit.

Your views of what determines protection are also flawed. Because you were running a firewall, you were protected from any damage to your system. To expect that you will be completely protected from anything ever touching your system is unfounded and unreasonable in today's computer-age without doing something as drastic as sandboxing your system.

Most programs aren't written to actively prevent anything from ever reaching your system, but rather to prevent them from doing any damage once they have and to make it easy for you to get rid of the "pest." It is far too resource intensive to have that many "guard dogs" running at once. Your internet usage, if not your entire system, would slow to a crawl. Could you imagine having a party with twenty or thirty bouncers standing outside and everyone having to talk to them all before they could get inside? Simply unreasonable...