|
So it's another "antivirus is loving stupid" thing?
|
# ? May 9, 2017 02:04 |
|
|
lol Jabor posted:So it's another "antivirus is loving stupid" thing? seems like it.
|
# ? May 9, 2017 02:07 |
|
i should have known it'd be a problem with antivirus software
|
# ? May 9, 2017 02:11 |
|
Volmarias posted:The S in IoT stands for Semen
|
# ? May 9, 2017 02:22 |
|
|
# ? May 9, 2017 02:49 |
|
quote: NScript is the component of mpengine that evaluates any filesystem or network activity that looks like JavaScript. To be clear, this is an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems. This is as surprising as it sounds.
oh come the gently caress on
|
# ? May 9, 2017 03:11 |
|
Dex posted:oh come the gently caress on
|
# ? May 9, 2017 03:19 |
|
Dex posted:oh come the gently caress on hosed up
|
# ? May 9, 2017 03:39 |
|
wait, so this attempts to evaluate as JavaScript all kinds of random content from the internet? the 2017 equivalent of the old +++ATH thing?
|
# ? May 9, 2017 03:45 |
|
Tweet broke for some reason. Here's a direct link to the write-up: https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
quote: On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on. This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine. MIME types and file extensions are not relevant to this vulnerability, as MsMpEng uses its own content identification system.
quote: Before executing JavaScript, mpengine uses a number of heuristics to decide if evaluation is necessary. One such heuristic estimates file entropy before deciding whether to evaluate any javascript, but we've found that appending some complex comments is enough to trigger this.
|
# ? May 9, 2017 03:47 |
|
yeah that's what I'm curious about is what they do to avoid someone just chewing up CPU/memory
|
# ? May 9, 2017 03:47 |
|
usually they just have a short timeout where they go "we ran it for x ms and it didn't do anything bad, so it's probably okay" so you know, even if the whole setup did do anything beneficial w.r.t catching stuff it's trivially defeated by counting to a large number in a loop at the very start of your malware
|
# ? May 9, 2017 04:12 |
|
Jabor posted:usually they just have a short timeout where they go "we ran it for x ms and it didn't do anything bad, so it's probably okay" the assaulting problem
|
# ? May 9, 2017 04:36 |
|
El Mero Mero posted:Tweet broke for some reason. Here's a direct link to the write-up: https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
|
# ? May 9, 2017 04:57 |
third largest phone carrier in latvia advertising mobile av
|
|
# ? May 9, 2017 07:28 |
|
why would you patch your lovely android 3rd party phone, when you can make cash off people buying your av instead???
|
# ? May 9, 2017 09:39 |
|
ah this is great: (plus twitter automatically treating e.toString.call as a URL) https://twitter.com/natashenka/status/861748397409058816 and then further down the thread: quote:AND for good measure malware detection and "windows defender" chew up your CPU and IO. (I disable it.) Nice to know it's even worse.
|
# ? May 9, 2017 13:18 |
|
El Mero Mero posted:write-up excerpts well this seems like a problem Chris Knight posted:ah this is great: (plus twitter automatically treating e.toString.call as a URL) jfc.
|
# ? May 9, 2017 13:49 |
|
oh how handy i just worked out why local debugging results in 10-second response times for all http requests: trend micro real time monitor is doing 'something' to every file touched on the system including all temporary internet files i wonder if i can cause it to crash by embedding an infinite loop in some js or something
|
# ? May 9, 2017 13:52 |
|
I am being forced to give a presentation on Thursday where I instruct all users, even users of Macs, to install antivirus. There is a caveat in the presentation about how the AV we have a volume license for isn't very good. I'm gonna insert my derision there as much as is reasonable, and try to highlight the fact that antivirus is pretty worthless generally if your behavior is bad.
|
# ? May 9, 2017 14:04 |
|
ErIog posted:I am being forced to give a presentation on Thursday where I instruct all users, even users of Macs, to install antivirus. technically i'm supposed to have AV on my mac but I've been told by the head of IT that "you can just install it when the auditors are here and uninstall it afterwards i'm well aware that antivirus is worthless"
|
# ? May 9, 2017 14:17 |
|
ate all the Oreos posted:technically i'm supposed to have AV on my mac but I've been told by the head of IT that "you can just install it when the auditors are here and uninstall it afterwards i'm well aware that antivirus is worthless" corporate IT forced me to install an awful AV package that greatly increased build times, so I broke it by messing around in terminal and they got tired of trying to unbreak it (they tried to fix the build time issue themselves a couple of times but it never took)
|
# ? May 9, 2017 14:18 |
|
Truga posted:https://twitter.com/internetofshit/status/840244403037970432 Hacker Vo oh gently caress off I don't even care anymore
|
# ? May 9, 2017 14:21 |
|
haveblue posted:corporate IT forced me to install an awful AV package that greatly increased build times, so I broke it by messing around in terminal and they got tired of trying to unbreak it originally i just disabled parts of it that annoyed me but it phoned home to a central screen and showed a big red warning light and THIS COMPUTER IS UNPROTECTED on the central thing also it installs a root certificate so it can MITM everything and besides being awful that breaks a lot of the local debugging I do and disabling it shows that red light
|
# ? May 9, 2017 14:23 |
|
Rufus Ping posted:symantec are trying to avoid having the smackdown laid on them by going over everyones head and crying directly to google execs tbf who in their right mind uses firefox in 2017?
|
# ? May 9, 2017 14:28 |
|
(in extremely hacker voice) i'm in
|
# ? May 9, 2017 14:34 |
|
Truga posted:https://twitter.com/internetofshit/status/840244403037970432 stdin
|
# ? May 9, 2017 15:00 |
|
|
# ? May 9, 2017 15:12 |
|
time for some penetration testing
|
# ? May 9, 2017 15:13 |
|
slambus
|
# ? May 9, 2017 15:15 |
|
ate all the Oreos posted:technically i'm supposed to have AV on my mac but I've been told by the head of IT that "you can just install it when the auditors are here and uninstall it afterwards i'm well aware that antivirus is worthless" Can you install it in a VM?
|
# ? May 9, 2017 15:17 |
|
|
# ? May 9, 2017 15:21 |
|
stderr
|
# ? May 9, 2017 15:25 |
so this train company sells ride tickets on their website. i downloaded their android app later, after i bought the first ticket, to buy another one. as i entered the same email for delivery, the app greeted me with my bank card details, with a few *** in the middle of the 16 digit code, and the cvv missing
|
|
# ? May 9, 2017 16:23 |
|
https://blog.travis-ci.com/2017-05-08-security-advisory
quote: Various GitHub OAuth tokens and secure environment variables that users included in their builds were accidentally exposed via inclusion in build logs on Travis CI. The vulnerability was responsibly disclosed by security researcher Ivan Vyshnevskyi, first to the Google Security team, who in turn disclosed it to Travis CI in a private channel. To our knowledge, no exposed OAuth tokens have been published. Neither Travis CI nor GitHub have been compromised.
lol
|
# ? May 9, 2017 17:36 |
|
so is the windows defender thing meant to be the same as this https://twitter.com/taviso/status/860681252034142208 or is that a second major thing that hasn't been announced yet. cuz the wording is kind of a bit more dire than what actually got announced (since a lot of default windows installs are going to be with some crap like Norton installed and defender disabled, let alone all the 7 and older machines out there which are still the majority of windows installs (windows versions that had modern defender installed by default are currently about 38% of Windows systems online))
|
# ? May 9, 2017 17:58 |
|
fishmech posted:since a lot of default windows installs are going to be with some crap like Norton installed and defender disabled
|
# ? May 9, 2017 18:02 |
|
fishmech posted:so is the windows defender thing meant to be the same as this was there a worse windows remote code exec in recent memory? i'm legit asking i don't remember
|
# ? May 9, 2017 18:26 |
|
So I didn't read the full report / write-up, but how did they justify calling malicious javascript wormable?
|
# ? May 9, 2017 18:30 |
|
|
James Baud posted:So I didn't read the full report / write-up, but how did they justify calling malicious javascript wormable? it can be triggered by automated inbound data like email bodies, IMs, etc
|
# ? May 9, 2017 18:31 |