Top Web Browsers Vulnerable To Rogue Download Vulnerability

Open question to the Webroot support staff: Does WSA protect against the browser expolit described in this document?: http://threatpost.com/en_us/blogs/top-web-browsers-vulnerable-rogue-download-vulnerability-060112.

If it does, I would think this would be a good product selling point....

 

That's a very nice exploit - I just tried it here. We blocked an infection coming from it without a problem.

 

The exploit doesn't do anything to evade AV detection. It's just to trick the user into trusting it.

So you'll see someone post "Adobe Update" and go. You'll see the legit Adobe website, a legit looking download, and then your AV will go "it's malware" (if it detects it.) At this point it's a question of whether or not you trust your AV or if you trust the Adobe website.

 

Excellent!

 

Seems some of you missed my post the other day

 

I thought (and hoped) WSA WOULD, indeed, block this exploit. Thanks for proving that it does!!!

 

Am I missing something here? I went to that page and clicked the "proof of concept" link and not a squeak from WSA through the whole process.

 

No it does NOT BLOCK THE EXPLOIT, it BLOCKS the MALWARE that COMES via the Exploit. That doesn't mean that it will block the next malware that decides to use the exploit. It only blocked the malware that PrevexHelp tested.

So no, the exploit is not blocked. Just whatever it downloads MIGHT be blocked.

 

The only folk who can fix the exploit are those that make the browsers, Microsoft, Mozilla and Google.

 

It downloads a legitimate calc.exe so we allow the file.

Exactly - this is a browser-side issue which they would need to fix to clear up.

 

Won't immediately block the next item that uses the exploit if the item is not already set to Bad. But the item won't be Good, it'll be Bad (and Blocked), or Unknown, and watched, and then blocked and rolled back when it does something bad. Worst case, contact support and they fix it for you for free within a few minutes.

Compare that to conventional AV where if it's not detected immediately, it could be a while and then possibly good luck getting rid of it. No way whatsoever to contact them and get it fixed by their program in a few minutes either, because they take more than a few minutes to make definitions.

 

Techfox1976 "Worst case, contact support and they fix it for you for free within a few minutes."
I pointed that out to the folk over at the Norton Forums, they were not well pleased. Have a read http://community.norton.com/t5/Nort...es-without-third-party-assistance/td-p/722760

 

Oh, well Webroot will fix it for you. Norton? Maybe Quads will. Maybe.