I made a video about CIS 5.9 being bypassed by a fairly new exploit called ‘java rhino’.
You can read more about this exploit here [rapid7.com] and here [darkreading.com].
This video shows how easy it is to set up this exploit and exploit a system. A user only has to visit a link and he/she is infected. CIS 5.9 is bypassed. There is not one alert given at all.
All modules of CIS are active. Settings are:
Proactive Security
Sandbox set to ‘untrusted’
The rest of the settings are just the stock proactive security settings.
PC runs on Windows 7 SP1 64-bit, fully updated.
Java version is 6 update 27 (released in October 2011).
I’ve tested this exploit against a few other AVs and the results were:
Avast – protected system (detected exploit with signature)
Sandboxie – protected system. After deleting the contents in the sandbox the connection is broken.
NoScript – protected system. Will block the Java applet/exploit.
As you can see this is not only a CIS related problem. If an AV does not have a signature for either the exploit and/or the payload it will most likely be bypassed. Comodo’s D+ and FW did not help against this exploit.
To protect yourself against this exploit you can either:
Update your Java version to version 29 or newer.
Uninstall java if you do not use it.
This will protect your PC against the java_rhino exploit. Java is one of the most exploited programs on the internet at the moment. There are new exploits coming out all the time.
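An added inventory check, not part of this thread or of CIS, that parses Java version strings (the `java -version` form, the bare `1.6.0_27` form and the short `6u27` form) and flags Java 6 installs below the 6 update 29 threshold given above; the host names and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Threshold from the thread: 6 update 27 was exploited, 6 update 29 or newer is the fix.
MIN_SAFE_JAVA6 = (1, 6, 0, 29)

# Matches 'java version "1.6.0_27"' output as well as a bare '1.6.0_27' or '1.7.0'.
_LONG_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')
# Matches the short marketing form, e.g. '6u27'.
_SHORT_RE = re.compile(r'^\s*(\d+)u(\d+)\s*$')

def parse_java_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, update) or None if the string holds no Java version."""
    m = _SHORT_RE.match(text)
    if m:
        # '6u27' is the marketing name for 1.6.0_27
        return (1, int(m.group(1)), 0, int(m.group(2)))
    m = _LONG_RE.search(text)
    if not m:
        return None
    update = int(m.group(4)) if m.group(4) else 0
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), update)

def assess(version: Optional[str]) -> str:
    """Classify one host's Java install against the 6u29 threshold."""
    if not version:
        return "not installed"      # uninstalling Java is the other fix the thread gives
    parsed = parse_java_version(version)
    if parsed is None:
        return "unparseable"
    if parsed[:2] != (1, 6):
        return "not assessed"       # the thread only states a threshold for the Java 6 line
    return "patched" if parsed >= MIN_SAFE_JAVA6 else "vulnerable"

def audit(inventory: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each host to its status; values are raw 'java -version' strings or None."""
    return {host: assess(ver) for host, ver in inventory.items()}

# Constructed sample inventory (hypothetical hosts), not real data.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.6.0_27"',   # the build the thread tested
    "ws-02": "6u29",
    "ws-03": "1.6.0_31",
    "ws-04": None,                        # Java uninstalled
    "ws-05": 'java version "1.7.0"',
}
```

Calling `audit(SAMPLE_INVENTORY)` returns one status per host; only `ws-01` comes back as `vulnerable`.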
Yes, Java needs to be installed. Problem is that tons of people have Java installed, although they never make use of it. A lot of people have an outdated version of Java installed too…
Looks like a hole that needs to be plugged, in the meantime keep your Java up to date or uninstall it if you don’t use it.
Replace ‘Java’ with everything that plugs into your browser as they could also be exploited one way or the other.
Yes, I hope so too. I think a possibility could be that Comodo just starts blocking all known payloads. This way an exploit could run, but it can’t make contact with the hacker’s machine. This would be more efficient than blocking all exploits I think.
When opening the page and starting the exploit Avast detected the exploit with a signature. It detected the exploit, not the payload. The PC was thereby not compromised.
Turning off the sandbox did not display any alert or intrusions for D+.
Changing the FW to custom policy will actually give the user the option to block the payload!
The user will see this alert: http://i802.photobucket.com/albums/yy305/webbie146/firewall.png
The alert does state that java.exe is a safe app and can safely be allowed. Users might get confused by this, and press allow. Anyways custom policy for the FW will give the users the option to block the payload :-TU
Try this procedure: disable antivirus, firewall and Defense+, quit CIS, terminate cmdagent, uncheck “Run cloud behavior analysis based on unrecognized files” and “automatically check the files not recognized in the cloud”.
Remove all files from Trusted Files.
Important: delete all files in the folder C:\Program Files\COMODO\COMODO Internet Security\database
and restart the PC and redo the test.
Oops! After the restart, activate antivirus, firewall and Defense+, except the check in the cloud ;D
Does not hurt to try :-TU