I made a video about CIS 5.9 being bypassed by a fairly new exploit called 'java rhino'.
You can read more about this exploit here [rapid7.com]
and here [darkreading.com]
This video shows how easy it is to set up this exploit and exploit a system. A user only has to visit a link and he/she is infected. CIS 5.9 is bypassed. There is not 1 alert given at all.
All modules of CIS are active. Settings are:
- Proactive Security
- Sandbox set to 'untrusted'
The rest of the settings are just the stock proactive security settings.
PC runs on Windows 7 SP1 64-bit, fully updated.
Java version is 6 update 27 (released in October 2011).
I've tested this exploit against a few other AVs and the results were:
- MSE -- bypassed
- Panda Cloud -- bypassed
- Avira free -- bypassed
- AVG free -- bypassed
- CIS -- bypassed
- Unthreat Free -- bypassed
- Spyshelter Premium -- bypassed
- Avast -- protected system (detected exploit with signature)
- Sandboxie -- protected system (after deleting contents in sandbox, connection is broken)
- NoScript -- protected system (will block the java applet/exploit)
As you can see, this is not only a CIS-related problem. If an AV does not have a signature for either the exploit and/or the payload, it will most likely be bypassed. Comodo's D+ and FW did not help against this exploit.
Link to video: https://www.youtube.com/watch?v=nLQCusNk46M&context=C36d08beADOEgsToPDskITCGOol6Rc26q4pC9cCN3z
How to protect yourself against this exploit
To protect yourself against this exploit you can either:
- Update your Java version to version 29 or newer.
- Uninstall java if you do not use it.
This will protect your PC against the java_rhino exploit. Java is one of the most exploited programs on the internet at the moment. There are new exploits coming out all the time.
If you want extra protection, you can read here about setting up CIS for protection against future Java exploits (thanks to Ronny for figuring this out):
--> http://forums.comodo.com/news-announcements-feedback-cis/cis-59-bypassed-by-javarhino-exploit-t79741.0.html;msg572054#msg572054

mod edit: obfuscated (tiny.cc) URLs replaced. kail
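As an added example (not part of the original post), here is a small Python check that parses the output of `java -version` and reports whether the installed JRE predates the fix the post recommends (6 update 29). The 7 update 1 threshold for the Java 7 line is Oracle's October 2011 fix level, not something the post states; the sample version strings are constructed.

```python
import re
import subprocess

# Fix levels for the Rhino script-engine flaw: 6u29 (from the post) and 7u1
# (Oracle's October 2011 Critical Patch Update, not stated in the post).
FIXED_UPDATE = {6: 29, 7: 1}

# Matches the legacy "1.<major>.0_<update>" form printed by Java 6/7.
VERSION_RE = re.compile(r'"1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(output: str):
    """Return (major, update) from 'java -version' text, e.g. '1.6.0_27' -> (6, 27)."""
    m = VERSION_RE.search(output)
    if not m:
        return None  # no Java, or a version format this check does not know
    major = int(m.group(1))
    update = int(m.group(2) or 0)  # '1.7.0' with no update suffix is update 0
    return (major, update)


def is_vulnerable(version) -> bool:
    """True if the JRE is older than the fixed update for its major line."""
    major, update = version
    if major < 6:
        return True  # Java 5 and older never received this fix
    if major in FIXED_UPDATE:
        return update < FIXED_UPDATE[major]
    return False  # Java 8+ shipped after the fix


def check_installed_java() -> str:
    """Run 'java -version' (it prints to stderr) and classify the result."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "no java found: nothing to exploit"
    version = parse_java_version(proc.stderr + proc.stdout)
    if version is None:
        return "unrecognised version output; inspect manually"
    if is_vulnerable(version):
        return "VULNERABLE: Java %d update %d, update or uninstall" % version
    return "ok: Java %d update %d is at or above the fixed level" % version


if __name__ == "__main__":
    print(check_installed_java())
```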