SecurityTracker.com
Category:   Application (Security)  >   SurfinGuard Pro
Vendors:   Finjan Software
Finjan's SurfinGuard Pro May Fail To Block Certain Malicious Content
SecurityTracker Alert ID:  1000946
SecurityTracker URL:  http://securitytracker.com/id/1000946
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Jan 7 2002
Original Entry Date:  Feb 20 2001
Impact:   Host/resource access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 5.5 (beta)
Description:   It is reported that Finjan's SurfinGuard Pro 5.5 active content filtering product (a beta release) may fail to filter certain scripts that are programmed to run not when viewed, but when the viewing application is exited.

SurfinGuard Pro may permit an application to open a malicious script that has been parsed but has not yet fired. When the application exits, the script fires, circumventing the SurfinGuard Pro filtering protections.

A demonstration exploit is provided in the original message.

Impact:   Malicious content (e.g., a web page, an e-mail message) could fail to be blocked by the SurfinGuard Pro software.
Solution:   The vendor has released a new version (5.6) that is not vulnerable.
Vendor URL:  www.finjan.com
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  CONTENT.filtering (aka SurfinGuard Pro 5.5 )


Saturday, February 17th, 2001

Referring to last month's HTML.dropper posting
(see: http://www.securityfocus.com/bid/2260), detailed examination of "buzz
words" like 'content filtering' 'real-time behaviour monitoring'
'first-strike protection' used to describe many security applications,
suggests otherwise.

For example purposes, we take the examination of one so-called content
filtering application: SurfinGuard Pro 5.5 from an interesting company
called http://www.finjan.com.

While at first glance, this particular security software package does
indeed defeat the HTML.dropper, on closer examination and with a 'bit' of
imagination we find that it is actually quite trivial to defeat.

Specifically, it would seem that in this particular security software
package's case, not only is it checking for legal MIME header
information, e.g. content-disposition:attachment;
content-type:application/malware; filename: iloveyou.vbs, it also prevents
real-time firing of scripts. But in order to defeat that all we need do is
set our scripts to fire on exit. That is, while the actual script has been
parsed but not fired, our malware application is still allowed to open by
this particular security software package. Thereafter onunload, it fires
thus defeating this so-called technology.

Working example below. Harmless "demo" code incorporated:

SurfinGuard Pro 5.5 settings set to "HIGH" and "PANIC MODE"

[right click and save to disk, open in mail client. Constructed for OE5.5]

http://www.malware.com/strikeme.eml

compared to:

http://www.malware.com/madness.eml

which is caught

notes:

1. Tested Software: SurfinGuard Pro 5.5 claims to be BETA and is free-ware.
2. Hopefully the registered versions and other products don't use the same
technology.
3. For good open-source filtering take a look at John D. Hardin's E-mail
Sanitizer
ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html and
Bjarni R. Einarsson's Anomy mail tools http://mailtools.anomy.net/


---

http://www.malware.com
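The advisory describes a filter that stops scripts firing in real time but misses handlers that run on exit. As an added illustration (not code from SecurityTracker, the original poster, or any product named here), the sketch below does the check statically on the parsed message, flagging every event handler regardless of which event triggers it; the sample messages, tag list and function names are constructed for this example.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample messages (not the demonstration files linked above).
HEADERS = (b"From: a@example.test\nSubject: constructed\nMIME-Version: 1.0\n"
           b"Content-Type: text/html; charset=us-ascii\n\n")
SAMPLE_EML = HEADERS + (b'<html><body onunload="demo()"><p onclick="x()">hi</p>'
                        b"<script>function demo(){}</script></body></html>\n")
CLEAN_EML = HEADERS + b"<html><body><p>hi</p></body></html>\n"

ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
EXIT_HANDLERS = {"onunload", "onbeforeunload"}  # fire when the view is closed

class ActiveContentFinder(HTMLParser):
    """Records script-bearing markup from the parsed HTML; nothing is executed."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute name or None)

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append((tag, None))
        for name, value in attrs:
            # Any on* handler counts, whatever event triggers it.
            if name.startswith("on"):
                self.findings.append((tag, name))
            elif (value or "").strip().lower().startswith(("javascript:", "vbscript:")):
                self.findings.append((tag, name))

def scan_message(raw):
    """Return findings for every text/html part of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings

def exit_time_handlers(findings):
    """Subset that only fires on exit, the case the description above covers."""
    return [f for f in findings if f[1] in EXIT_HANDLERS]

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, scan_message(raw))
```

A gateway using this approach would quarantine or strip the part whenever `scan_message` returns anything, so the decision never depends on when a handler would have run.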






Copyright 2017, SecurityGlobal.net LLC