Sla.ckers.org
If you have some interesting news or want to throw up a link to discuss it, here's the place. Anything is okay, even shameless vendor launches (since that is often applicable to what we work on). 
F-Secure Exploit Shield
Posted by: PaPPy
Date: May 08, 2009 03:33PM

I don't know if anyone heard about this, could be interesting to mess with

F-Secure Exploit Shield is an application that protects users from web-based malicious exploits and stops malware at the first point of infection. All malicious, exploit-hosting URLs it detects are automatically reported back to F-Secure's Real-time Protection Network, which helps our Security Labs discover new exploits on the Internet and react to protect all our existing customers.

* Zero Day Protection: Protects unpatched machines even before patches are available from the software vendor.
* Patch-equivalent Protection: One 'shield' update per vulnerability stops all exploits targeting it.
* Proactive Measures: Heuristic detection techniques block exploits even for unknown vulnerabilities.
* Protects against both malicious websites and good websites that have been hacked.
* Automatically sends detected malicious URLs from users to F-Secure.


http://www.f-secure.com/en_EMEA/support/home-office/beta-programs/exploit-shield/index.html

http://www.xssed.com/archive/author=PaPPy/

Re: F-Secure Exploit Shield
Posted by: Vektor
Date: May 11, 2009 09:47AM

* Protects against both malicious websites and good websites that have been hacked.
* Automatically sends detected malicious URLs from users to F-Secure.

If you use it, I have an interesting test for you -> http://sla.ckers.org/forum/read.php?13,28097 . Click on the "Test XSS" button to inject an iframe with Google in F-Secure's website. Exploit Shield should block F-Secure.com and send the malicious URL to... F-Secure. You are right, it could be interesting.

Re: F-Secure Exploit Shield
Posted by: PaPPy
Date: May 11, 2009 10:22AM

I wonder if they will get some of their "bad" URLs from our full disclosure thread or xssed.com?

http://www.xssed.com/archive/author=PaPPy/

Re: F-Secure Exploit Shield
Posted by: Vektor
Date: May 11, 2009 10:50AM

That would contradict what they say - "All malicious, exploit-hosting URLs it detects are automatically reported back to F-Secure's Real-time Protection Network, which helps our Security Labs discover new exploits on the Internet and react to protect all our existing customers".
If it had alternative sources it wouldn't need to report them back when found. But this is easy to verify.
Malicious URLs are reported back to help Exploit Shield find something it can already find without those user reports.



Edited 1 time(s). Last edit at 05/11/2009 10:53AM by Vektor.

Re: F-Secure Exploit Shield
Posted by: PaPPy
Date: May 11, 2009 12:23PM

Maybe it will be built into their updates, because detecting potentially bad sites and sending them to F-Secure isn't going to help the rest of their clients with the same product.

So their staff may have a big list, and maybe use some of the lists on the net to start it off.

But I am really curious what will trigger a report, if it's XSS (persistent and non-persistent), or malware, Java? SWF?

Maybe we can capture the bad page report to F-Secure, and spam them, or submit fake sites like Google and such.

lol I don't know, I wish I had time to dive into it

http://www.xssed.com/archive/author=PaPPy/

Re: F-Secure Exploit Shield
Posted by: Vektor
Date: May 11, 2009 01:37PM

They don't say anything about moderation for submitted URLs, but not having any would be stupid.

If they update their blacklisted URLs with 3rd party content, all clients get updated. No need to send back a URL that is already blacklisted.
If a client detects a website with problems - that would be a new website that is detected by their engine without using blacklists, no need to "call home" to send the address, because all clients would also detect it. Unless you get random executable crap every time you want to download Exploit Shield, all clients should detect the same things (same program, same blacklists if any). And an online update mechanism can keep them all updated.

On the other hand their privacy policy says that they can collect IP address + visited URL associations ( http://www.f-secure.com/en_EMEA/privacy.html ).

"By communicating material to the F-Secure web site, you agree that F-Secure has the right to publish the material in products or publications for any purpose, including, but not limited to, advertising and promotional purposes. You agree not to take action against us in relation to material that you submit.
...
What We Collect

We can collect non-personally identifiable information about you in a number of ways, including tracking your activities through your IP address or most-recently-visited URL.
...
F-Secure may also use personal account information and data collected through to generate statistics and aggregate reports for internal use and for sharing with affiliates, subsidiaries, licensees, successors and advertisers. "

Good luck with tests :)

Re: F-Secure Exploit Shield
Posted by: PaPPy
Date: May 11, 2009 03:10PM

Good call that if one detects it, they all should.
I wasn't thinking about it like that.

http://www.xssed.com/archive/author=PaPPy/

Re: F-Secure Exploit Shield
Posted by: backbone
Date: May 16, 2009 07:47AM

PaPPy Wrote:
-------------------------------------------------------
> (...)
> but I am really curious what will trigger a
> report, if it's XSS (persistent and non-
> persistent), or malware, Java? SWF?
> (...)

It protects your BROWSER against possible exploitation of
known or unknown BROWSER vulnerabilities.
