Another Windows 0day appears – gdi32.dll heap boundary error

[woodyDa Boss]

As 0day bugs go, this isn’t an earth-shattering development. But it’s still enough to cause concern. Mateusz Jurczyk at Google Project Zero discovered
[See the full post at: Another Windows 0day appears – gdi32.dll heap boundary error]

2 users thanked author for this post.

Elly, JDeC

[Noel CarboniAskWoody MVP]

Forgive me, but if this has been known for 3 months how is it technically a “0day”?

According to Google:

A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack.

(bold emphasis mine)

It might just be that Microsoft can’t fix it without a system redesign, and they realize that doing THAT in a hurry could cause serious problems and have weighed that knowledge against the risk of this bug causing serious problems.

It’s hard for me to see how Project Zero can be justified in releasing exploit code to the world.

Personally I dislike the term “zero day”, which is clearly intended to strike fear into the hearts of people who don’t take the time to know the details.

Just don’t download and run malware and you’ll be fine.

-Noel

1 user thanked author for this post.

212louis

[anonymous]

“Just don’t download and run malware and you’ll be fine.” Well my friend. That’s easier said than done. Some people don’t know how to stay safe online. Also even if you’re the most careful person in the world it is still possible to slip up.

Also a legit site or program could be in fact compromised. Say one day AskWoody.com one day gets compromised. We could be redirected to a malware download. You could download what you think is a legit program but is indeed malware. Or you download an actual legit program from a legit source that’s been hacked so your download is a malware infested version of the thing you’re downloading.

There are compromised open wi-fi hotspots among other things. My point is Noel, there’s a lot more than simply not downloading malware and running it.

2 users thanked author for this post.

MW, ch100

[bAskWoody Lounger]

Woody’s definition of zero-day: https://www.askwoody.com/forums/topic/pwnfest-brings-two-zero-day-system-level-hacks-of-edge/#post-23056

EDITED for content. Please follow the Lounge Rules posted at the bottom.

• This reply was modified 1 year, 2 months ago by  PKCano.

[rc primakAskWoody MVP]

I doubt that this one was in the now-nixed Feb. 2017 MS Updates CU. Nor the Security Patch.

-- rc primak

• This reply was modified 1 year, 2 months ago by  rc primak.

[Noel CarboniAskWoody MVP]

anonymous wrote:

My point is Noel, there’s a lot more than simply not downloading malware and running it.

My point in return is that, while I agree people out there will most certainly do things they shouldn’t (and everyone can make mistakes), it IS possible to set oneself up with a security environment + conscientious operation of the computer that really does keep you away from malware.

And it doesn’t require a lot of ongoing effort to maintain. Not surprisingly, the environment I’m describing – which I have working here – is pretty different from what people consider a “typical” setup with a virus scanner checking everything at the last possible instant, and it knocks your chances of becoming infected WAY down.

If I were to want to download software, I would start by evaluating, “do I really need this?” Conscientious computer users don’t just run anything they see to “see what happens”. That’s like seeing if a gun is loaded by pointing it at your head and pulling the trigger.

If I were to decide, “yes, I want this”, then I would do some online research. Google will quickly turn up claims of scam, and VirusTotal.com will check sites for a malicious nature.

Beyond the above, it would not even begin to download if it was coming from one of the tens of thousands of malware sites I have blacklisted from DNS resolution. The process that manages the list automatically gathers data from sources worldwide every day, so it’s always up to date.

Once I was able to download this hypothetical application, I most certainly would check it with local anti-malware software (e.g., MalwareBytes).

Assuming it passed a scan, I’d install and vet it in a throwaway virtual machine that can be restored in seconds to a prior snapshot. My virtual machine test environments are instrumented. I know what’s being done and what sites are being contacted.

Then, once I was sure of its function, I’d make the final decision whether to install and run it on my critical workstation.

Regarding things that run from the web, it IS possible to configure a browser not to just run any old thing it comes across online. Coupled with the blacklists that’s pretty effective at keeping infections from web pages at bay, and surprisingly the content is still available. Then if a previously trusted site becomes compromised, your system isn’t just going to infect itself.

If you’re not protected by blacklists, configuration of more secure browser settings, and doing conscientious computing then I can see how you might think that “not downloading malware” could be a mysterious and complicated thing. It’s not, really, and I can assure you it’s quite doable.

-Noel “malware-free going all the way back”

• This reply was modified 1 year, 2 months ago by  Noel Carboni.

[anonymous]

But keep in mind most people are gonna know how to or have the patience to setup virtual machines or configure DNS blacklists. Most don’t even want to install Windows Updates. Most people don’t even know there’s a lot of things they can do to keep themselves safe. That’s the point I was trying to make. My response wasn’t talking about you specifically Noel. Just most people in general who don’t know anything about this stuff.

2 users thanked author for this post.

samak, Bill C.

[Noel CarboniAskWoody MVP]

I appreciate that. I just feel it’s important to inform “most people” how things actually could be, so they don’t believe they have to settle for “good enough”. Frankly, the “run of the mill” ways of protecting systems (i.e., invite malware in and at the last minute try to block it) haven’t been all that good, historically.

Not EVERYONE lacks the patience or prowess to do more to ensure their security, and I think those reading this site might be especially inclined to want more info. How does an uninformed person become informed if they don’t know doing things better is even possible?

-Noel

2 users thanked author for this post.

Elly, walker

[anonymous]

@noel-carboni, Could you reveal how to set up your superior anti-malware system and keep it updated automatically?

[Noel CarboniAskWoody MVP]

I’m happy to share. What would you like to know about it?

My blacklisting strategy is pretty simple: It’s based on returning “not found” DNS responses from an open source DNS proxy package I’ve modified to increase list capacity. I run the package on a server, but it can be run on the same machine that uses it. It’s not a very heavy resource user.

I run a script on a Task Scheduler schedule that retrieves publicly available malware / tracking / adware site and domain lists from various online sources once a day and creates two master lists: Specific blacklisted servers (today a bit over 60,000 entries), and wildcarded domains (today a bit over 24,000 entries).

If a site name is blacklisted, it’s address is simply returned as “not found” and no browser or application will be able to contact it.

If a site name is not in the blacklists it’s considered legit and is forwarded to real online DNS servers (I use OpenDNS), then the resolved address is returned to the originator.

This is all done at millisecond time scales. The net gain from sites not loading all the ads/tracking junk far outweighs the additional few milliseconds to search the lists and forward requests.

If you’d like to follow my lead please feel free to read more and download the software I use here:

http://win10epicfail.proboards.com/post/2284/thread

I’m not saying this isn’t geeky – it’s incredibly so. Maybe one day I’ll polish it up into some kind of turnkey package. But it works – and really well.

-Noel

1 user thanked author for this post.

Elly

[Author]

Posts