Orca security question

Post by jscnbach » Tue Jan 03, 2006 2:34 pm

I just noticed that much security software does not directly protect Orca. SpywareBlaster protects IE and Firefox. Spybot TeaTimer protects IE (and Firefox?). Etc.
I am wondering, since Orca uses the same engine as Firefox, is it automatically protected? If not, then aren't we at higher risk using Orca than IE or Firefox users?

abfan123
Avantus Maximus
Avantus Maximus
Posts: 5624
Joined: Wed Jan 26, 2005 4:24 pm
Windows Version: Vista Ultimate x64 SP2
Avant Version: 11.7 build 43
IE Version: 8
Contact:

Post by abfan123 » Tue Jan 03, 2006 3:57 pm

Actually, any good security software should protect your computer in general and won't allow any malware to enter or run on your computer.
If you're running good security software then it doesn't really matter what your web browser is. It should protect it anyway.

Post by KY Dave » Tue Jan 03, 2006 5:22 pm

abfan123 wrote: Actually, any good security software should protect your computer in general and won't allow any malware to enter or run on your computer.
If you're running good security software then it doesn't really matter what your web browser is. It should protect it anyway.
It doesn't!

Nothing protects against the current ZERO DAY Exploit in WINDOWS META FILES (wmf).

Post by ytsmabeer » Tue Jan 03, 2006 5:37 pm

Don't press OK, now you're protected

Post by abfan123 » Tue Jan 03, 2006 5:57 pm

WebGuy wrote:
abfan123 wrote: Actually, any good security software should protect your computer in general and won't allow any malware to enter or run on your computer.
If you're running good security software then it doesn't really matter what your web browser is. It should protect it anyway.
It doesn't!

Nothing protects against the current ZERO DAY Exploit in WINDOWS META FILES (wmf).
Send me a link to it by PM please. (I've looked for a working exploit for a really long time all over the net but couldn't find any. :cry: )

Post by KY Dave » Tue Jan 03, 2006 5:58 pm

ytsmabeer wrote: Don't press OK, now you're protected
There are NO warnings, questions to answer or anything.

It automatically opens WINDOWS PICTURE/FAX VIEWER and then tries to contact the internet. In the split second it takes for this to happen, a program is already placed on the PC. It is a downloader or dropper.

There is NOTHING to choose, NOT OK, NOT YES, nothing at all.

I have SPYBOT S/D, WINDOWS SPYWARE, ZONEALARM, SYSTEMS MECHANIC, AVG, BIT DEFENDER and none of those stopped it. ZoneAlarm did prevent it from contacting the internet and downloading more crap, but the dropper was on the system as soon as I hit the webpage.
abfan123 wrote: Send me a link to it by PM please. (I've looked for a working exploit for a really long time all over the net but couldn't find any. :cry: )
Sorry, but I can't. It was on the FREEPOPS.ORG site for a day; I reported it to them and they removed it. A day later it was back; they removed it and had to change their forum software to keep the hacker from placing it on their forum again.

Post by ytsmabeer » Tue Jan 03, 2006 6:04 pm

Well, thank you Opera, because I came across .wmf twice today and it just asks a question.

Do FF and IE ask for something?

Post by abfan123 » Tue Jan 03, 2006 6:12 pm

Well,
I've found some wmf files that claimed to be an exploit.
But my anti-virus blocked them immediately. (Yes, I like to mess with all kinds of exploits on my old PC, lol.)

Post by KY Dave » Tue Jan 03, 2006 6:13 pm

ytsmabeer wrote: Well, thank you Opera, because I came across .wmf twice today and it just asks a question.

Do FF and IE ask for something?
IE does NOT ask; I don't know about FF.

Users should scan their systems. If I didn't have ZoneAlarm I doubt I would have even noticed it. It opened and closed the Win Fax Viewer for a split second and that was the only warning I had except for ZoneAlarm.

Users could already be infected if they don't have a FIREWALL that blocks OUTGOING TRAFFIC. Windows FIREWALL would be USELESS against this exploit.

Search for "a.exe" and a similar name (a.123456.exe.pf) in the Windows prefetch. At least those are the files dropped on my system.
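
KY Dave's indicator above (prefetch traces for a.exe) turned into a quick check over a Prefetch folder. This is an added example, not code from the thread; it assumes Windows' usual `NAME.EXE-XXXXXXXX.pf` prefetch naming (the post's "a.123456.exe.pf" is read as that layout) and the default XP Prefetch path, and the sample file names are constructed.

```python
import re
from pathlib import Path

# Default Prefetch folder on Windows XP (assumed; adjust if Windows lives elsewhere).
PREFETCH_DIR = Path(r"C:\Windows\Prefetch")

# Executable names the thread reports as dropped; extend with your own findings.
SUSPECT_EXES = {"a.exe"}

# Windows names a prefetch trace <EXECUTABLE NAME>-<8 hex digits>.pf (assumed layout).
PF_NAME = re.compile(r"^(?P<exe>.+?)-(?P<hash>[0-9A-Fa-f]{8})\.pf$", re.IGNORECASE)


def suspicious_prefetch(names, suspects=SUSPECT_EXES):
    """Return (filename, executable) for every prefetch name whose executable is suspect.

    Matching is case-insensitive because Windows upper-cases the trace names."""
    hits = []
    for name in names:
        match = PF_NAME.match(name)
        if match and match.group("exe").lower() in suspects:
            hits.append((name, match.group("exe").lower()))
    return hits


def scan(prefetch_dir=PREFETCH_DIR, suspects=SUSPECT_EXES):
    """List the Prefetch folder (needs read access to it) and report suspect traces."""
    if not prefetch_dir.is_dir():
        return []
    return suspicious_prefetch([p.name for p in prefetch_dir.iterdir()], suspects)


# Constructed directory listing standing in for a real Prefetch folder.
SAMPLE_NAMES = [
    "NOTEPAD.EXE-D8414F97.pf",   # ordinary trace, should not be flagged
    "A.EXE-1A2B3C4D.pf",         # the dropper name from the thread
    "a.exe-00FF00FF.PF",         # same executable, different case and hash
    "A.EXE.pf",                  # malformed name, ignored rather than guessed
]

if __name__ == "__main__":
    for filename, exe in suspicious_prefetch(SAMPLE_NAMES):
        print(f"suspect prefetch trace: {filename} (ran {exe})")
```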

Post by mutterer » Tue Jan 03, 2006 7:39 pm

Steve Gibson has a link to a patch on grc.com which he claims will protect W2K and up.
I quote:

"Ilfak Guilfanov (see GREEN box below) produced a highly-effective true patch which successfully suppresses all known exploitable vulnerabilities for anyone using Windows 2000, XP, server 2003, or 64-bit XP. No patch is available for Windows 95, 98, ME or NT, and none is expected to be forthcoming. But anyone using Windows 2000, XP, server 2003, or 64-bit XP should IMMEDIATELY install Ilfak's exploit suppressor into all of their systems."

and

"Windows 98/SE/ME users: Microsoft's original advice to "unregister the shimgvw.dll" (shell image viewer) was never correct or useful on those platforms. The good news is that all current WMF exploits appear to be non-functional on the older Win9x vintage platforms . . . so you will likely be okay until Microsoft has updated your system with the next security patches. There is no short-term workaround for Windows 9x users."

He is right, I tried the MS workaround on my 98SE system 2 days ago, it told me to get lost.

http://www.grc.com/sn/notes-020.htm


Post by jscnbach » Tue Jan 03, 2006 11:36 pm

No response seems to touch my original subject. Do TeaTimer or SpywareBlaster protect Orca like they do for IE and FF? If not, what does?


Post by bigC » Wed Jan 04, 2006 12:21 am

jscnbach wrote: Do TeaTimer or SpywareBlaster protect Orca?
TeaTimer I believe protects the registry, so that should still work if I'm not mistaken. As for SpywareBlaster, that doesn't appear to be protecting Orca. But if you have Firefox installed, you can copy the hostperm.1 file in your Firefox profile and place it in your Orca profile. Hostperm contains all the blocked sites SpywareBlaster adds to Firefox... moving that file into Orca should effectively block those nasty cookies in OB as well.
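
The file copy bigC describes, done as a merge so that Orca's own entries survive instead of being overwritten. This is an added example, not code from the thread or from Avant/Orca; it assumes the hostperm.1 layout of the Firefox 1.x/2.x permission manager (one tab-separated `host<TAB>type<TAB>permission<TAB>hostname` line per entry, permission 2 = block) and the two profile paths passed in, and the sample file contents are constructed.

```python
from pathlib import Path

# Header lines Firefox writes at the top of hostperm.1 (assumed from Firefox 1.x/2.x).
HEADER = ["# Permission File", "# This is a generated file! Do not edit.", ""]
DENY = 2  # permission value for "block" in hostperm.1 (assumed)


def parse_hostperm(text):
    """Return {(type, hostname): permission} for every data line; comments and blanks skipped."""
    perms = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4 or fields[0] != "host":
            continue  # malformed line: ignore it rather than guess
        _, ptype, perm, host = fields
        try:
            perms[(ptype, host.strip().lower())] = int(perm)
        except ValueError:
            continue
    return perms


def merge_cookie_blocks(src_text, dst_text):
    """Copy cookie block entries from src into dst; dst's own entries win on conflict."""
    src, dst = parse_hostperm(src_text), parse_hostperm(dst_text)
    added = 0
    for key, perm in src.items():
        if key[0] == "cookie" and perm == DENY and key not in dst:
            dst[key] = perm
            added += 1
    body = [f"host\t{t}\t{p}\t{h}" for (t, h), p in sorted(dst.items())]
    return "\n".join(HEADER + body) + "\n", added


def merge_profiles(firefox_profile, orca_profile):
    """Merge Firefox's hostperm.1 into Orca's on disk; returns how many blocks were added."""
    src = Path(firefox_profile, "hostperm.1").read_text(encoding="utf-8")
    dst_path = Path(orca_profile, "hostperm.1")
    dst = dst_path.read_text(encoding="utf-8") if dst_path.exists() else ""
    merged, added = merge_cookie_blocks(src, dst)
    dst_path.write_text(merged, encoding="utf-8")
    return added


# Constructed file contents standing in for the two profiles' hostperm.1.
FIREFOX_SAMPLE = ("# Permission File\n# This is a generated file! Do not edit.\n\n"
                  "host\tcookie\t2\tads.example\nhost\tcookie\t2\ttracker.example\n"
                  "host\tpopup\t1\tsite.example\n")
ORCA_SAMPLE = "# Permission File\n\nhost\tcookie\t1\ttracker.example\n"

if __name__ == "__main__":
    merged, added = merge_cookie_blocks(FIREFOX_SAMPLE, ORCA_SAMPLE)
    print(f"added {added} cookie block(s)\n{merged}")
```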


Post by KY Dave » Wed Jan 04, 2006 12:50 am

Current WMF exploit detection by AV scanners as of January 1, 2006

AV-Test, an independent test lab that tracks malware and anti-malware products, has been closely tracking detection of exploits based on the WMF flaw. Below are current numbers as of the morning of January 1, 2006, based on 73 different variants of the threat.

Detection      Product(s)
73 out of 73   AntiVir, Avast!, BitDefender, ClamAV, Command, Dr Web, eSafe, eTrust-INO, eTrust-VET, Ewido, F-Secure, Fortinet, Kaspersky, McAfee, Nod32, Norman, Panda, Sophos, Symantec, Trend Micro, VirusBuster
67 out of 73   Ikarus, VBA32
54 out of 73   F-Prot
13 out of 73   AVG
11 out of 73   QuickHeal

Source: ABC News article

Post by TekNoir » Wed Feb 01, 2006 8:52 pm

SpywareBlaster doesn't actually "protect" Firefox. It simply prevents certain ad/tracking cookies from being saved in Firefox's cache. It does nothing more than this for Firefox. Most of SpywareBlaster's functionality was intended for Internet Explorer users where it prevents attacks from malicious ActiveX installation as well as preventing the aforementioned cookies.

Advertising/tracking cookies really aren't that big of a deal in my opinion, except for the minimal amount of space that they require on today's massive hard-drives. They simply record which ads you've already looked upon and which ones that you've clicked upon so that they can better tailor what you see. No personal information is stored. You're merely a number, another potential sell, to them. I actively block most advertisements no matter which browser I use, so for me it is a moot point.

It's the ActiveX that you need to worry about. This is where you get nearly all of your spyware and your adware while browsing the internet. These are basically mini-programs, originally intended to add or enhance functionality for Windows Explorer and the Internet Explorer browser, which miscreants have found a way to exploit. These programs can potentially be installed without your knowledge (though service pack two for windows XP was a huge step forward in preventing that) and then they can manipulate things on your system, download adware, keyloggers, or worse, and generally party however they want while remaining relatively hidden.

It should be noted that for those who don't frequent pornographic websites or other shady sites, the largest source of virus/spyware infection is through opening questionable attachments in your email or having your email client set to automatically display attachments in-line. Some people are either far too naive or far too trusting, especially if something claims to be from someone that you know.

TeaTimer provides the same function as SpywareBlaster for Internet Explorer, though through different methods. TeaTimer is the active approach, always in wait, and prevents malicious ActiveX from being installed. Think of it like a bouncer at a grand party, protecting from gatecrashers. SpywareBlaster takes the preventive approach, inserting predefined software values into the Windows registry. Think of it like throwing a grand party and then just not sending invitations to those you don't want to come.

It is highly recommended that you use both a preventive and an active approach to spy/adware if you use Internet Explorer: the preventive measures protect you from the worst showing up in the first place, and the active measures protect you from those that you never expected. It should be noted that some, if not all, of this functionality is built into most anti-spyware and some anti-virus programs today, and significant, unnecessary overlaps in protection often occur.

The Mozilla Foundation's Gecko web-display engine, which Dr. Orca uses, does not natively support the loading of ActiveX programs, Internet Explorer's greatest weakness. This has been a feather in Mozilla/Firefox's cap since the earliest of times (as well as for Opera, Netscape, and various other non-IE browsers). The very act of not using Internet Explorer plugs its very worst security hole...


Post by TekNoir » Wed Feb 01, 2006 9:16 pm

WebGuy wrote:
abfan123 wrote: Actually, any good security software should protect your computer in general and won't allow any malware to enter or run on your computer.
If you're running good security software then it doesn't really matter what your web browser is. It should protect it anyway.
It doesn't!

Nothing protects against the current ZERO DAY Exploit in WINDOWS META FILES (wmf).
This is incorrect information to say that nothing protects or prevents this particular exploit or any other, even on zero-day. Most every user of Windows XP who had previously installed service pack two and has it installed on a computer running a relatively modern processor was protected from this particular exploit before zero-day. More information can be found here. This is without even having any additional security programs running.

To say that nothing protects against zero-day exploits is absurd. It is unlikely (though certainly not impossible) that anyone who uses an up-to-date computer operating system, such as Windows XP with all current updates applied, and who runs a complete suite of preventive programs (ideally comprised of a hardware/software firewall, anti-virus program, anti-spyware program, and any other such supportive programs) will become infected, even by a zero-day exploit.

Your views of what determines protection are also flawed. Because you were running a firewall, you were protected from any damage to your system. To expect that you will be completely protected from anything ever touching your system is unfounded and unreasonable in today's computer-age without doing something as drastic as sandboxing your system.

Most programs aren't written to actively prevent from anything ever reaching your system, but rather to prevent them from doing any damage once they have and to make it easy for you to get rid of the "pest." It is far too resource intensive to have that many "guard dogs" running at once. Your internet usage, if not your entire system, would slow to a crawl. Could you imagine having a party with twenty or thirty bouncers standing outside and everyone having to talk to them all before they could get inside? Simply unreasonable...