Dailydave mailing list archives

Re: We got owned by the Chinese and didn't even get a "lessons learned"


From: mark () vulndev org
Date: Thu, 25 May 2006 08:00:25 +0100 (BST)


I'm not going to join in on the stuff above, this thread is erm.. big
enough already.

However!

> As some colleague pointed out, the best HIPS ever should restrict
> program execution to "%ProgramFiles%" and "%SystemRoot%" (excluding
> "%temp%" and "%tmp%" maybe). Combined with a low privilege user, I don't
> think any existing spyware/malware/otherware would execute flawlessly
> with such restrictions.

Would that be as long as it doesn't exploit an object located in a place
allowed execution? .. If you're basing execution on trust, and there's a
flaw in a trusted location, I'd imagine (but as ever I'm happy to be wrong)
that you could just get around the "where is this executing from" check by
using a vulnerable program as a trampoline..

You can restrict execution using policies etc. to something similar,
trusted hashes (whatever!), and the above situation will get you around
that as far as I know. You just need a flaw in a trusted executable, then
use that to launch the next stage; more convoluted and prone to error, I
agree.

I'll head back to the woodwork now.

Mark
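The location-based execution policy sketched in the quoted paragraph, written out as an added Python example (not code from the list or from any real HIPS product) so its edge cases are visible: paths are canonicalised before the prefix check, %temp%/%tmp% and the user-writable %SystemRoot%\Temp are refused even though the latter sits under an allowed root, and look-alike directories such as "C:\Program FilesX" do not match. The environment values and the sample paths are constructed for the example. Note what the check does not see: it only inspects the image path, so, as Mark observes, a trusted executable abused as a trampoline passes it, which is why such a policy is paired with a low-privilege user and patching rather than relied on alone.

```python
import ntpath

# Constructed environment for the example; a real policy reads these from the host.
ENV = {
    "ProgramFiles": r"C:\Program Files",
    "SystemRoot": r"C:\Windows",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "TMP": r"C:\Users\alice\AppData\Local\Temp",
}

ALLOWED_ROOTS = ("ProgramFiles", "SystemRoot")   # execution permitted only below these
DENIED_ROOTS = ("TEMP", "TMP")                    # always refused, per the quoted proposal


def canonical(path: str) -> str:
    """Collapse '.', '..' and mixed separators and lower-case the result.

    NTFS paths are case-insensitive, so comparisons must be too. This is
    string-only normalisation: a real enforcement point must resolve the
    final path through the filesystem (8.3 short names, junctions, symlinks),
    which this example deliberately does not attempt.
    """
    return ntpath.normpath(ntpath.normcase(path))


def is_under(path: str, root: str) -> bool:
    """True if path equals root or lies strictly below it (separator-aware prefix)."""
    p = canonical(path)
    r = canonical(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def denied_dirs(env=ENV):
    """Directories where execution is refused even when they sit inside an allowed root."""
    dirs = [env[name] for name in DENIED_ROOTS]
    # Assumption for this example: %SystemRoot%\Temp is writable by ordinary users,
    # so it is excluded as well, although it lives under an allowed root.
    dirs.append(ntpath.join(env["SystemRoot"], "Temp"))
    return dirs


def execution_allowed(path: str, env=ENV):
    """Decide whether an image at `path` may run; returns (allowed, reason)."""
    drive, _ = ntpath.splitdrive(path)
    if not ntpath.isabs(path) or drive == "":
        return False, "relative or drive-less path"
    for d in denied_dirs(env):
        if is_under(path, d):
            return False, f"inside denied directory {d}"
    for name in ALLOWED_ROOTS:
        if is_under(path, env[name]):
            return True, f"inside %{name}%"
    return False, "outside allowed roots"


if __name__ == "__main__":
    # Constructed sample paths exercising the rules above.
    for sample in (
        r"C:\Program Files\Vendor\app.exe",
        r"C:\Windows\System32\notepad.exe",
        r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
        r"C:\Program Files\..\Users\alice\Downloads\x.exe",
        r"C:/Windows/Temp/x.exe",
        r"C:\Program FilesX\app.exe",
        "app.exe",
    ):
        ok, why = execution_allowed(sample)
        print(f"{'ALLOW' if ok else 'DENY ':5} {sample}  ({why})")
```

The `..` case is the one worth remembering: without `canonical()` the raw string "C:\Program Files\..\Users\..." would pass a naive prefix test, which is the same class of mistake as trusting the image path while ignoring who launched it.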

