DefenseWall Personal Firewall at Bits du Jour
DefenseWall Personal Firewall at Bits du Jour
For all who are interested in DefenseWall: in the next few days there should be an offer to buy DefenseWall Personal Firewall for $20 (a 50% discount) at Bits du Jour.
Ruhe- Valued Member
- Posts : 261
Join date : 2010-04-16
Location : Germany
Re: DefenseWall Personal Firewall at Bits du Jour
The deal is active.
Ruhe- Valued Member
- Posts : 261
Join date : 2010-04-16
Location : Germany
Re: DefenseWall Personal Firewall at Bits du Jour
Just briefly tested DefenseWall 3.10 Beta and Ilya still hasn't done anything to address this vulnerability in DefenseWall:
https://ssj100.forumotion.com/t311-sandboxing-explorerexe-with-sandboxie#2762
https://ssj100.forumotion.com/t290-defensewall-pitfalls#2749
It's a very simple bypass to reproduce (and this is just an example of a potentially malicious "attack vector"):
1. Install Adobe Reader and DefenseWall.
2. Download any PDF document and make sure it's "Untrusted".
3. Open Windows Task Manager - look for a process called "AcroRd32Info.exe" - if it's running, terminate it.
4. Hover your mouse cursor over the PDF document while watching for "AcroRd32Info.exe" to spawn in Task Manager.
5. Check DefenseWall to see if "AcroRd32Info.exe" is running "Untrusted". Since the PDF document is "Untrusted", we would expect DefenseWall to run anything related to it as "Untrusted" too.
6. Notice that "AcroRd32Info.exe" is actually running "Trusted"!
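As an added example that is not part of the thread, of DefenseWall or of Adobe Reader, a PowerShell watcher for the condition in steps 3 to 6: it reports every launch of the helper process together with its parent, so the explorer.exe parentage can be confirmed without watching Task Manager by eye. The process names come from the post; that the helper's command line carries the path of the hovered file is an assumption.

```powershell
# Added example, not code from the thread or from DefenseWall/Adobe.
# Reports when the Adobe Reader helper named in the post (AcroRd32Info.exe)
# is launched by the desktop shell (explorer.exe), i.e. the parentage the
# steps above describe. Run from an elevated session; Ctrl+C stops it.
function Watch-HelperSpawn {
    param(
        [string]$HelperName     = 'AcroRd32Info.exe',   # name from the post
        [string]$ExpectedParent = 'explorer.exe'        # trusted shell from the post
    )
    # WMI intrinsic event: raised for every new Win32_Process, polled each second.
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
             "WHERE TargetInstance ISA 'Win32_Process'"
    Register-CimIndicationEvent -Query $query -SourceIdentifier 'HelperSpawnWatch'
    try {
        while ($true) {
            $ev = Wait-Event -SourceIdentifier 'HelperSpawnWatch'
            Remove-Event -EventIdentifier $ev.EventIdentifier
            $child = $ev.SourceEventArgs.NewEvent.TargetInstance
            if ($child.Name -ine $HelperName) { continue }

            # Resolve the parent; it may already have exited, so tolerate null.
            $parent = Get-CimInstance -ClassName Win32_Process `
                -Filter "ProcessId = $($child.ParentProcessId)"
            $parentName = if ($parent) { $parent.Name } else { '<exited>' }

            # Assumption: the helper's command line carries the path of the
            # hovered file, which shows which document triggered the launch.
            $record = [pscustomobject]@{
                Time        = $ev.TimeGenerated
                Child       = "$($child.Name) (PID $($child.ProcessId))"
                Parent      = "$parentName (PID $($child.ParentProcessId))"
                CommandLine = $child.CommandLine
            }
            if ($parentName -ieq $ExpectedParent) {
                # The case from steps 4-6: the helper is a child of the shell.
                # Its Trusted/Untrusted label must still be read off in
                # DefenseWall itself (step 5); this script cannot see it.
                Write-Warning "Helper spawned by the desktop shell:"
            }
            $record | Format-List | Out-String | Write-Host
        }
    }
    finally {
        Unregister-Event -SourceIdentifier 'HelperSpawnWatch' -ErrorAction SilentlyContinue
    }
}

Watch-HelperSpawn
```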
Re: DefenseWall Personal Firewall at Bits du Jour
Has someone actually brought this to Ilya's attention? Ilya is pretty good about taking care of any issues. I don't think I've met any other developer that actually checks forums as well as he does. I don't use DefenseWall myself, but I wouldn't hesitate to use it knowing how well it works and is developed.
kjdemuth- Member
- Posts : 10
Join date : 2011-01-23
Re: DefenseWall Personal Firewall at Bits du Jour
I think Ilya knows about all the issues I have posted about DefenseWall here (there are many "Guests" who visit this forum who also visit the DefenseWall forum). Whether it's easy or even possible to "fix" these issues is another story. If you are a user of DefenseWall and if you are concerned (I certainly would be), I would suggest contacting Ilya yourself. The last time I posted about an issue, I got "verbally" abused (via PM) by an Administrator on the DefenseWall forum and got IP banned.
Of course, I fully support Ilya and DefenseWall - that's why I care enough to test it out and to point out its strengths and weaknesses.
Re: DefenseWall Personal Firewall at Bits du Jour
kjdemuth wrote: Has someone actually brought this to Ilya's attention?
I reported the issue to Ilya on one of the many Russian forums. He was reluctant to do anything about images and text files (by default also launched by "Trusted" applications), but with the PDF issue and AcroRd32Info.exe launching as "Trusted" his reply was more encouraging: "This is at least theoretically risky; I'll have a look into it". As soon as he comes up with a reply, I'll let you know.
ssj100 wrote: I think Ilya knows about all the issues
Paul
p2u- Valued Member
- Posts : 211
Join date : 2010-12-14
Re: DefenseWall Personal Firewall at Bits du Jour
Ilya replied: he seems to have added AcroRd32Info.exe to the Untrusted Zone ("dynamically" - whatever that means).
Paul
p2u- Valued Member
- Posts : 211
Join date : 2010-12-14
Re: DefenseWall Personal Firewall at Bits du Jour
That's what I thought he might do, but it's only a specific fix for Adobe Reader files - it still means DefenseWall is vulnerable to this attack vector. Even with earlier DefenseWall versions, any user could have "fixed" this him/herself by manually adding "AcroRd32Info.exe" as "Untrusted".
In order for DefenseWall to properly fix (perhaps a variant?) of this attack vector, it must be able to run "explorer.exe" as "Untrusted". Last time I checked, this wasn't possible with DefenseWall. It's possible with Sandboxie as I demonstrated here:
https://ssj100.forumotion.com/t311-sandboxing-explorerexe-with-sandboxie#2499
Will be interesting to see if Ilya will add this (equivalent) feature in DefenseWall, and if not, why not?
Re: DefenseWall Personal Firewall at Bits du Jour
I asked this question already. Waiting for a reply. I'll let you know all the details as soon as Ilya posts his reply.
ssj100 wrote: run "explorer.exe" as "Untrusted" [...] Will be interesting to see if Ilya will add this (equivalent) feature in DefenseWall, and if not, why not?
Paul
p2u- Valued Member
- Posts : 211
Join date : 2010-12-14
Re: DefenseWall Personal Firewall at Bits du Jour
Thinking about it, I don't think much can be done to solve it from DefenseWall's point of view. It's possible with Sandboxie because Sandboxie applies more of a virtualisation mechanism. DefenseWall applies more of a policy mechanism. This means that DefenseWall is not able to run a virtualised instance of "explorer.exe" like Sandboxie does. It may be able to run "explorer.exe" with "limited rights", but I think that would defeat the purpose, since we do want to potentially use "explorer.exe" freely.
Anyway, will be interesting to see what Ilya says about this.