funsec mailing list archives

Re: Texas Bank Dumps Antivirus for Whitelisting


From: Drsolly <drsollyp () drsolly com>
Date: Wed, 16 Jul 2008 23:13:04 +0100 (BST)

On Wed, 16 Jul 2008, Richard M. Smith wrote:

> But don't infested document files install spyware .EXE files which will
> later be caught by a whitelist?

Not all of them.

> In addition, Vista will block document files which use buffer overflows to
> do their dirty work.

Macro viruses don't use buffer overflows.

> Richard

> -----Original Message-----
> From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
> Behalf Of Alex Shipp (elist)
> Sent: Wednesday, July 16, 2008 12:09 PM
> To: funsec () linuxbox org
> Subject: Re: [funsec] Texas Bank Dumps Antivirus for Whitelisting
>
> -----Original Message-----
> From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
> Behalf Of David Harley
>
> To be fair, the issue isn't really Word macro viruses: it's the fact that
> they represent a class of objects where executable code is found in places
> less obvious than a .EXE. A whitelisting solution that doesn't take them
> into account is obviously less effective.
>
> Whitelisting is fine as part of the solution, but it is obviously
> not appropriate for documents. Since the majority of industrial espionage
> attacks (via email) involve documents which exploit some bug in the executable
> which processes them, some other component is needed to cover this hole.
>
> No doubt there are also many other holes, which makes me wonder if the
> bank has really thought this through.
>
> Alex
>
> -----------------------------------------------
> Alex Shipp
> Imagineer

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
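To make the gap Alex and David describe concrete, here is an added example in Python (not code from the thread or from any product): an executable-only allowlist passes a macro-carrying OOXML document untouched, while a document-aware variant detects the embedded VBA project part. The SHA-256 allowlist, the MZ-prefix test for executables and the constructed sample files are assumptions made for illustration.

```python
import hashlib
import io
import zipfile

# Constructed sample inputs (not real files): a stand-in "executable" and
# minimal Word-style OOXML containers with and without a VBA project part.
FAKE_EXE = b"MZ" + b"constructed-not-a-real-pe"


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Build a minimal OOXML zip; word/vbaProject.bin is where Word keeps macros."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"constructed-vba-project-stub")
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def contains_vba_project(data: bytes) -> bool:
    """OOXML only: a vbaProject.bin part (word/, xl/ or ppt/) means a macro project.
    Legacy OLE .doc/.xls files keep macros in a 'Macros' storage instead and
    need an OLE parser such as olefile; that case is out of scope here."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("/vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def exe_only_policy(data: bytes, allowed: set) -> str:
    """The policy the thread criticises: only executables are checked against
    the allowlist; documents are never evaluated and pass through."""
    if data.startswith(b"MZ"):
        return "allow" if sha256(data) in allowed else "block"
    return "allow"


def document_aware_policy(data: bytes, allowed: set) -> str:
    """Same allowlist, plus a document check that flags embedded macro code
    for the 'other component' Alex says is needed (scanner, sandbox or policy)."""
    if data.startswith(b"MZ"):
        return "allow" if sha256(data) in allowed else "block"
    if contains_vba_project(data):
        return "flag-macro"
    return "allow"
```

With `allowed = {sha256(FAKE_EXE)}`, `exe_only_policy` answers "allow" for the macro-carrying document while `document_aware_policy` answers "flag-macro".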
