New IE Vulnerability..... (eh?)

New IE Vulnerability everyone is being urged to ping pong between browsers!

The reality is: No single browser can guarantee no vulnerability, so instead of ping ponging users from one browser to the other and thinking that browsers should and can offer security, let's accept that these vulnerabilities are bound to happen and protect ourselves with proper security products like CIS!

AVs are totally useless against these types of attacks, as we have seen, but prevention based products like CIS (especially our Memory Firewall/SafeSurf) stop these attacks in their tracks!

Just like not every human being is an expert at defending themselves, not every application can protect itself! They need to be protected! That's where the power of "prevention based protection" like CIS comes into play.

So IE users, just enable Memory firewall and surf in safety!

I have attached a screenshot of our SafeSurf stopping this nasty in its tracks!

Melih

[attachment deleted by admin]

That's great Melih :slight_smile:
Btw, would adding some sort of browser sandboxing integrated into SafeSurf/CMF be something Comodo would consider?

Nice, but it would have been even nicer if the AV had picked up something as well. With a threat that was big enough for Microsoft to release an unscheduled patch/update, that would have been reassuring "news" about the weakest link of the CIS package.

And apparently it's not impossible: "We have conducted tests in a controlled environment and found that exploits are consistently stopped by Sophos Anti-Virus using detection Exp/Datbi-A, Mal/JsShell-B or Mal/JShell-E."
http://www.sophos.com/support/knowledgebase/article/50389.html

I think the point is missed that it is stopped by Safe Surf before the
payload gets a chance to be delivered.
Which would be when an AV may or may not see it.
(B)

Did Comodo actually test this beyond merely having it blocked, like was done by Sophos? The AV component of CIS is not there for nothing.

Would CIS have detected anything at all at an early stage (or does it now)? That’s the point I am making.

From what I read:

SophosLabs testing result: Sophos Anti-Virus includes a buffer overflow protection module which generically prevents exploits attempting to exploit this vulnerability.

Either way, Comodo also prevents this using its own buffer overflow protection, and so does Sophos. But how do you know other vendors might not "detect" it, and that Sophos is the only one to detect it?

Cheers,
Josh

Your quote from the Sophos blog is beside the point. I know they have some sort of HIPS and suggest enabling it. But as you can see their AV picked up the problem as well. Melih did not say a word about the AV component of CIS, which is a shame knowing the severity of the problem.

Unless this applies to CIS, of course: "AVs are totally useless against these type of attacks as we have seen".

What was it again? Prevention, Detection, Cure, I believe.

This specific vulnerability is trapped by MS-DEP (if enabled) or Comodo BO protection engine (which extends DEP and includes ret2libc protection).

Anyway regardless of any additional protection and/or mitigating factors I hope that many IE users will restrict Internet Explorer usage only on Microsoft owned sites.

Internet Explorer is still the most targeted browser, and its usually better compatibility is not really due to a superior and efficient design but to its legacy support for MS non-standard implementations, which, due to IE market share and MS bundling policies, encouraged many web designers to overlook standards compliance.

While IE was designed to be a jack of all trades, ranging from simple browser to tightly integrated core Windows component, some of its legacy design decisions, like ActiveX support, albeit providing unparalleled flexibility, were and still are one of the most concerning security weaknesses for many unaware Windows users.

As for antivirus detection, even though it would be possible to detect specific versions of the same exploit, there are actually many ways to prevent AV detection in the first place.

Prevention, whether software- and/or user-enforced, would still provide more effective security.
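The posts above contrast blocking a buffer overflow at its source with detecting the payload it delivers. The following C program is an added illustration written for this page, not code from Comodo or from anyone in the thread: it places the unbounded copy pattern that produces such overflows next to a bounded version that refuses input which does not fit, which is the "remove the vulnerability" approach rather than the "recognise the payload" approach. The field size, the function names and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread: a fixed-size field copy written the
 * way buffer-overflow bugs typically arise, beside a bounded version that
 * rejects oversized input instead of writing past the end of the buffer. */

#define FIELD_LEN 16   /* constructed buffer size for the example */

/* Vulnerable pattern: copies until the terminating NUL with no reference to
 * the destination size, so any source of FIELD_LEN or more characters writes
 * past the buffer.  Kept only to show the pattern; never call it on untrusted
 * input. */
void copy_field_unsafe(char dst[FIELD_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Hardened version: returns 0 on success, -1 if src (plus its NUL) does not
 * fit.  memchr is bounded by FIELD_LEN, so even an unterminated source is
 * never scanned beyond the destination size, and dst is always a valid
 * NUL-terminated string afterwards. */
int copy_field_safe(char dst[FIELD_LEN], const char *src)
{
    const char *end = memchr(src, '\0', FIELD_LEN);
    if (end == NULL) {           /* no NUL within FIELD_LEN bytes: too long */
        dst[0] = '\0';           /* leave a well-defined empty field */
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Convenience check used by the demo and the tests: 1 if the input would be
 * accepted by the bounded copy, 0 if it would have overflowed the unsafe one. */
int fits_in_field(const char *src)
{
    char field[FIELD_LEN];
    return copy_field_safe(field, src) == 0;
}

int main(void)
{
    /* Constructed sample inputs: two that fit, two that would overflow. */
    const char *const samples[] = {
        "short",
        "exactly15chars!",                            /* 15 chars + NUL fits */
        "sixteencharacters",                          /* 17 chars: rejected */
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",   /* overlong: rejected */
    };
    int n = (int)(sizeof samples / sizeof samples[0]);

    for (int i = 0; i < n; i++)
        printf("%-44s %s\n", samples[i],
               fits_in_field(samples[i]) ? "accepted" : "rejected (would overflow)");
    return 0;
}
```

The point of the bounded version is that the length check happens before any byte is written, so an attacker-controlled string never reaches the stack frame regardless of what it contains; DEP or a vendor's buffer overflow engine is then a second layer behind the fix rather than the only barrier.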

That's great Melih, however I am not interested in installing the SafeSurf toolbar. Hopefully when CMF is integrated into CIS, we won't have to install the SafeSurf toolbar to have it active.

X

PS I am using FF but it still has other buffer overflow vulnerabilities, as do some other programs that have access to the internet that are not protected by SafeSurf.

If you ask my opinion, crackers will soon find another hole in IE that is most likely included in previous versions also. But as long as we have Comodo up and running, we can be worry free, since the crackers are most likely to use some "old" malware once the code to successfully use the hole for their own gains is released to the internet and sold to someone who will spread it. The only thing we should worry about are the professional crackers that will create a new, very nasty piece of malware once they find the new security issue. But since they would probably use the same kind of buffer overflow attacks that today's malware uses, would SafeSurf and CMF prevent them from doing any major harm to our computers?

And a question that has no relation to this subject, but I just must ask it. Is Comodo going to expand CIS or at least CFP to Mac and Linux? I bet a huge number of people using Linux and Mac operating systems would become extremely happy. Especially now, that attacks against Mac are increasing since it is gaining an even more powerful position in the market than it had a few years ago.

I think LinkScanner Pro was/is able to stop such attacks. Didn’t try though.

At the time of me sending the 0day code to Melih, CIS's AV detected 1/2 of the payloads.

Shortly after submitting I removed the file, and a day or two later the payload was dead.

Either way, no worries, run Windows Update, patch already available.

PS a Chinese company publicly released the exploit code thinking it was already patched (on Patch Tuesday), it wasn't.

They really didn't help matters :stuck_out_tongue:

It has already been suggested before. Let’s hope! :slight_smile:

Hey xiuhcoatl and anyone else that is misunderstanding Safe Surf.

Safe Surf protects against all applications' buffer overflows.
It is not tied to the browser.
The whole toolbar thing was a marketing decision that has caused a lot
of confusion.
If you don't want the toolbar, uninstall it. It has a separate uninstaller in
the Windows Add/Remove Programs list.

For the few seconds it takes to remove the toolbar, getting Safe Surf
is so very worth it.
As evidenced by this recent exploit, and your own words re: the
potential for other internet facing apps to become attack vectors.

I dislike tool bars as much as anyone, but for the minuscule effort of
removing it to get some great FREE software you won’t find me
whining about it.

Peace Out

You see, with a BO attack there simply is no point in having an AV try to play catch up with ever changing payloads. Simply prevent the BO attack in the first place, e.g. remove the vulnerability that causes a payload to be injected in the first place.

Melih

Why not release SafeSurf as a plug-in instead of tied into a toolbar (especially one that I won’t install for anything no matter how good the app may be)?

While I agree with you, you can still install SafeSurf. You just have to uninstall the Ask.com toolbar afterwards. But it would be great to see Comodo ditch the Ask.com toolbar. I would rather donate to Comodo than use the toolbar to help them out.

Thanks B. Frogger
I did not know that. I will probably try it again. I installed the toolbar once and uninstalled it, but I had since reformatted and was using the old version of CMF.

I will assume that I need to uninstall CMF prior to installing safesurf.

By the way, I don't know if your comment was directed at me, I don't really care, but thanks for the cheese to go with my whine.

X

Nah I meant you no malice.
I could see that you misunderstood.
I too live in a bizarro dream world induced by some of the finest
military brainwashing money can buy.
If and when I attack, I leave little to doubt.

Strange… I feel the urge to have a nice big chunk o' cheddar.
■■■■ mind-controlling subliminal messages.

Later

PS: “I will assume that I need to uninstall CMF prior to installing safesurf” I would guess yes.

http://www.networkworld.com/news/2008/121808-hackers-exploit-ie-bug-with.html?hpg1=bn

Hackers exploit IE bug with ‘insidious’ Word docs