F-Secure Internet Security
PUBLIC
=======================================================================
ACROS Security Problem Report #2011-01-11-1
-------------------------------------------------------------------------
ASPR #2011-01-11-1: Remote Binary Planting in Multiple F-Secure Products
=======================================================================
Document ID: ASPR #2011-01-11-1-PUB
Vendor: F-Secure Corp. (http://www.f-secure.com)
Target: F-Secure Internet Security 2010 and 2011
________________________________________________________________________
F-SECURE multiple products - Generic PDF detection bypass
________________________________________________________________________
***********************************************************************
Cheap plug :
If you are interested in client-side vulnerabilities visit HACK.LU
starting tomorrow [28-30 Oct] with :
This posting contains incorrect information.
F-Secure Corporation has verified that the claimed vulnerability doesn’t affect any F-Secure products. Our assumption is that iViZ have mixed up products from F-Secure Corporation and Frisk Software International. iViZ have already corrected their own advisory at the time of writing this and removed all references to F-Secure.
Mikael Albrecht
F-Secure Corporation
the content that represents a PDF file hasn't been changed at all.
This has been tested with several malicious PDF files and represents
a generic evasion of all PDF signatures and heuristics.
Kaspersky was given the PoC file directly through myself and F-Secure, they
went ahead and patched this by adding a signature for the POC file, adding
a PE header in front of a PDF file (with a PDF extension) still evades detection
and the exploit still triggers when opening the file with Adobe. Thus the
patch is flawed by design.
* CA Internet Security Suite Plus 2010 6.0.0.272
* Comodo Internet Security Free 4.0.138377.779
* DefenseWall Personal Firewall 3.00
* Dr.Web Security Space Pro 6.0.0.03100
* ESET Smart Security 4.2.35.3
* F-Secure Internet Security 2010 10.00 build 246
* G DATA TotalCare 2010
* Kaspersky Internet Security 2010 9.0.0.736
* KingSoft Personal Firewall 9 Plus 2009.05.07.70
* Malware Defender 2.6.0
* McAfee Total Protection 2010 10.0.580
* Keynote 2: Paul Vixie (President, ISC)
Date: October 14th - Conf Day 2
* Special Keynote Panel Discussion - "The Future of Mobile Malware & Cloud Computing"
* Keynote Panelist 1: Mikko Hypponen (F-Secure)
* Keynote Panelist 2: Paul Ducklin (Sophos)
* Keynote Panelist 3: Andrey Nishikin (Kaspersky Lab)
* Keynote Panelist 4: Dr. Jose Nazario (Arbor Networks)
Moderator: Dr. Dinesh Nair
On 8/31/07, Paul Sebastian Ziegler <psz@observed.de> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> > Also, the article by f-secure that you're having a go at,
>
> I'll have to protest here - I never hit at the original article. As you
> can read in the blog entry (this is also why I posted the link) I think
> that they have done everything alright.
>
-----------------------------------------------------------------------
iViZ Techno Solutions Pvt. Ltd.
http://www.ivizsecurity.com
-----------------------------------------------------------------------
* Title: F-Secure f-prot Antivirus for Linux corrupted ELF header
Security Bypass.
* Date: 10/12/2008
* Software: f-prot version 4.6.8 for GNU/Linux
--[ Synopsis:
KEYNOTE
The Information Warfare Monitor
Tracking GhostNet: Investigating a Cyber Espionage Network
KEYNOTE
Mikko Hypponen, Chief Research Officer, F-Secure
Evolution of the Threat
KEYNOTE
James Lewis, Director and Senior Fellow, Technology and Public Policy
Program, Center for Strategic and International Studies (CSIS)
I can't see anything in your article that adds anything to your email,
why did you want him to read it?
Also, the article by f-secure that you're having a go at, says "This USB
stick with rootkit-like behavior" and openly acknowledges that the
purpose of hiding files by the device is probably to try and prevent
tampering with the fingerprint authentication. Their main point is that:
According to Mikko Hyppönen's post to F-Secure's blog Sony Electronics has confirmed that they received the research report this week:
http://www.f-secure.com/weblog/archives/archive-082007.html#00001266
The post says that companies have opened direct discussion channels and Sony will receive the internal technical report of the case.
Maybe we will see an official response document from Sony later.
- Juha-Matti
Paul Sebastian Ziegler <psz@observed.de> wrote:
We will be accepting talk proposals until July 1, 2010. All submitted
presentations will be reviewed by the t2 Advisory Board.
The t2 Advisory Board is comprised of the following individuals:
* Mikko Hyppönen, F-Secure
* Jussi Jaakonaho, Nokia
* Tomi Tuominen, Tieto
As usual selected speakers will be reimbursed for travel and hotel
costs. We also pride ourselves on taking good care of the speakers and
Final papers are due May 15, 2009. They will be presented at the conference by the author and published in the conference proceedings.
Keynote Speakers include:
James Lewis (CSIS) "Securing Cyberspace for the 44th Presidency"
Mikko Hypponen (F-Secure) Chief Research Officer
Conference registration information will be posted by February 1 at www.ccdcoe.org.
Questions regarding this conference may be sent to cwcon@ccdcoe.org from January 1, 2009.
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA512
>
> > Also, the article by f-secure that you're having a go at,
>
>I'll have to protest here - I never hit at the original article. As you
>can read in the blog entry (this is also why I posted the link) I think
>that they have done everything alright.
>
http://www.n00bz.net/antivirus-cve
CVE-2010-3496- McAfee
CVE-2010-3497- Symantec/Norton
CVE-2010-3498- AVG
CVE-2010-3499- F-Secure
> > at least two weeks.
> >
> > cheers,
> > --dr
That text came from a worm that Symantec and FSecure alerted about
and put out an advisory about (and there was a story on PC World
too as I recall). (One of the web vuln scanner folks also put
an advisory but I forget whom now, sorry).
What was interesting to me about the reports I got was that
USB drive that has fingerprint security.
Have a read of
http://hiltont.blogspot.com/2007/08/sony-rootkit-version-2.html for my
"WHAT!?!?!? You're kidding?" on it and also
http://www.f-secure.com/weblog/archives/archive-082007.html#00001263 for
the original report from F-Secure.
--
Regards,
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
> Also, the article by f-secure that you're having a go at,
I'll have to protest here - I never hit at the original article. As you
can read in the blog entry (this is also why I posted the link) I think
that they have done everything alright.
> says "This USB
Following a worldwide Call for Papers, there will be 29 presentations given by researchers from 13 countries. Highlights include:
• Jaak Aaviksoo, Estonian Defence Minister
• Information Warfare Monitor: Tracking GhostNet: Investigating a Cyber Espionage Network
• James Lewis, CSIS: Securing Cyberspace for the 44th Presidency
• Mikko Hypponen, CRO, F-Secure: Evolution of the Cyber Threat
• Jose Nazario, Arbor Networks: Measuring Global Denial of Service Attacks
• Amit Yoran, CEO, NetWitness: Information Risk Management: Removing the Uncertainty
• Felix Leder and Tillmann Werner: Proactive Botnet Countermeasures: An Offensive Approach
• Andrew Cutts, Director, Cybersecurity Policy (DHS): Cyber Risk from a Homeland Security Perspective
• Billy Rios and Jeff Carr, Microsoft: Examination of a Real World Cyber Attack
Bruce Schneier, BT Chief Security Technology Officer
Mike Schmitt, Dean, Marshall Center
Mikko Hyppönen, Chief Research Officer, F-Secure
Nart Villeneuve, Chief Technology Officer, Information Warfare Monitor
Chris Evans, Security Lead, Google Chrome
analysis of web applications security incidents.
The last week was very rich in Web Hacking Incidents. Too rich. The
following incidents were added to WHID last week:
* WHID 2009-26: F-Secure Joins The Breached AV Vendors Club
http://whid.webappsec.org/whid/2009/26/f-secure_breached
* WHID 2009-20: BitDefender joins Kasperski on the Breached side
http://whid.webappsec.org/whid/2009/20/bitdefender_joins_kasperski
The duo join Kasperski which was breached last week.