Nytro

Everything posted by Nytro

  1. Hacker Dream Team, by Google

    July 15th, 2014, 14:36 GMT · By Ionut Ilascu

    Google has announced today Project Zero, a group of elite hackers formed to hunt down zero-day security risks in various pieces of software, not just in Google products. The members of the group are led by security engineer Chris Evans and all of them have proved their skills on numerous occasions, being credited for finding numerous security bugs in products developed by heavyweight companies such as Google, Adobe, Microsoft, Apple or Sony. At the moment, the dream team is composed of Ben Hawkes, Tavis Ormandy, Ian Beer, and the latest addition, George Hotz, who has been given the status of “intern,” according to Wired.

    “You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. Yet in sophisticated attacks, we see the use of ‘zero-day’ vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop,” said Chris Evans in the first blog post for the project.

    Project Zero is not limited to just these five super-hackers and is open for new talent. The team is expected to exceed ten full-time researchers working in an office equipped with all the necessary tools for finding software security glitches. The purpose of the project is touted as being primarily altruistic, but there is more to the idea behind it. Evans told Wired that increased user confidence in the security of the web also benefits Google “in a hard-to-measure and indirect way.” Security vulnerabilities are not leveraged by cybercriminals alone, as Snowden’s revelations showed that government organizations also used them for spying purposes. As such, Project Zero also increases the general confidence in Google’s posture for improving the privacy protection of customer information.

    Moreover, since a chain is as strong as its weakest link, Google products are also vulnerable if third-party content included in them presents a security risk. The security researcher told the online publication that “it’s a major source of frustration for people writing a secure product to depend on third party code,” and that a serious and skilled attacker would always go for the weakest spot.

    Project Zero offers companies whose product has been found vulnerable a tolerance of 60 to 90 days to issue a patch. After this period, the flaw will be disclosed publicly. If the flaw is already exploited in the wild, the tolerance limit drops to a week, since a larger period of time could mean more victims.

    The hacker dream team concentrates on bugs in specific areas to make sure that an exploit is rendered unsuccessful. Most of the time, defeating the protection measures implies leveraging a sequence of flaws, and if one of them is patched, exploitation is no longer possible. The team is confident that they’ll be able to successfully hunt down zero-day bugs and “step on some toes,” as Ben Hawkes puts it.

    Source: Hacker Dream Team, by Google
  2. Thanks. I'm waiting for a fix from vBulletin, a release that repairs the problem; I'll wait a little longer for people to update, then I'll publish the exploit.
  3. I know it's probably just an obsession of mine, but if you can't write a post starting the sentence with a capital letter, at least start the damn title with a capital letter. Tutorial: Holding down the Shift key, press the first letter of the title. Release the Shift key. For advanced users: Make sure you don't have Caps Lock on. Thank you.
  4. Thanks. I had also posted on their forum, but they deleted the post.
  5. Author: Nytro @ Romanian Security Team. All details will be available after a fix from vBulletin.
  6. Make all the information about him public. Lowlife.
  7. Go to Iasi.
  8. Go to Iasi.
  9. And you got screwed.
  10. No idea. I received a gift card with that code. I haven't tried it, but I assume it's valid.
  11. Complete security? This complete protection solution allows individual users who use any combination of PCs, Macs and Android smartphones or tablets to protect all their devices against cyber threats. This product can cover up to 3 users and is dedicated exclusively to home use! Each user can protect an unlimited number of devices. I got it at Defcamp Sparks and I'm not using it. First lucky ones... Serial No: http://X44PC5M (Only for registered users) Have fun.
  12. Nytro

    Proxy/Socks

    You could at least put a normal title.
  13. Yes, I think they've run out; support said all 5 have been activated. I've removed the license from the first post.
  14. Renewal Kaspersky PURE 3.0 - 5 licenses (1 year) | Qty: 1 | $109.00

    Activation code: M19SY-VZ6BW-15VZF-REMOVED

    I've activated it on 3-4 computers, so activation on 1-2 more should still be possible. Please post whether it worked or not. Note: Kaspersky is, in my opinion, the best antivirus, but if you don't have a good PC, don't bother installing it. It consumes an extremely large amount of resources. Even an i5 runs slowly, at least with my "paranoia" settings.
  15. I know it's junk, but hey, maybe it's useful to someone. 10 euro discount for Agentie de turism – Oferte turism | Veltravel. Code: VEL6MYLFGWR Validity: 30 calendar days.
  16. On my machine, CodeBlocks + MinGW, for 1: 16777217.0 16777218.0 I got number 2 wrong. In C it prints "1". In C++ with "-fpermissive" it also prints "1". I have no idea why. The rest I knew.
  17. I had bought it for a year, but I no longer use it. It doesn't have a full year of validity left, but I think there's still plenty. Username: nytro Email: admin -at- rstforums . com Creation Date: 2014-02-17 (17.02.2014) Expiration Date: 2015-03-17 (17.03.2015) VPN Country: RU Plan: Dedicated IP Type of IP: UDP/1194 Assigned IP: 185.17.1.188 ---------------------------------------------- User: nytro Password: http://rstrullz (without http - so that only Registered users can see it) ---------------------------------------------- Don't change the password. PS: You can't change the email address without "my consent". So don't bother changing the password.
  18. Bypassing Windows 8.1 Mitigations using Unsafe COM Objects

    In October last year I was awarded the first $100,000 bounty for a Mitigation Bypass in Microsoft Windows. My original plan was to not discuss it in any depth until Microsoft had come up with sufficient changes to reduce the impact of the bypass. However, as other researchers have basically come up with variants of the same technique, some of which are publicly disclosed with proof-of-concept code, it seemed silly to not discuss my winning entry. So what follows is some technical detail about the bypass itself.

    I am not usually known for finding memory corruption vulnerabilities, mainly because I don’t go looking for them. Still, I know my way around and so I knew the challenges I would face trying to come up with a suitable mitigation bypass entry. I realised that about the only way of having a successful entry would be to take a difficult-to-exploit memory corruption vulnerability and try and find a way of turning that into reliable code execution. For that reason I settled on investigating the exploitation of a memory overwrite where the only value you could write was the number 0. Converting a 0 overwrite of this sort, while not impossible to exploit, certainly presents some challenges. I also stated that I could not disclose the existing contents of memory. If you have an information disclosure vulnerability then it is generally game over anyway, so I was confident that would not pass for a winning entry.

    ActiveX and COM

    The attack vector for the mitigation bypass was safe-scriptable COM objects. As COM is a general technology, not limited to safe-scripted environments such as Internet Explorer, there are many unsafe objects which could be abused if they were allowed to be created. To prevent this, hosts such as Internet Explorer use two mechanisms to determine whether an object is safe for being used in the host environment: Category IDs and the IObjectSafety interface.

    The Category IDs, CATID_SafeForScripting and CATID_SafeForInitializing, can be added to a COM object registration to indicate to a COM host that the object is safe for either scripting or initialisation. These are static indicators, and are not particularly of interest. Things get more interesting with the IObjectSafety interface, which is implemented by the COM object. The host can call the GetInterfaceSafetyOptions method to determine whether a COM object is safe to script or initialise (of course this means that the object must have already been created). The interface also has a secondary purpose; once a host has determined that an object is safe it can call the SetInterfaceSafetyOptions method to tell the object how safe it needs to be. This method has a particular implication; it allows COM objects to be written in a generic way with potentially dangerous functionality (such as arbitrary script code execution) and then secured at runtime by disabling the unsafe functions. The typical way this is implemented is by setting flags within the object's memory to indicate the security of the object. This is the attack vector chosen. If we have a suitable memory corruption vulnerability it might be possible to change these security flags to convert a secure object back to an insecure one and use that to circumvent in-place mitigations.

    A related topic is the setting of an object's site. A Site is normally a reference to the hosting environment for the COM object, such as the OLE container or hosting HTML document. This makes a number of security related functions possible, such as enforcing the same-origin policy for COM objects in a web page (through querying for the IHTMLDocument2 interface and reading the URL property), zone determination or accessing the host security manager. Depending on what we attack we might need to deal with the Site as well.

    The important point of all this is that by default there are many objects which are unsafe until certain flags are stored within the memory allocated for the object. Therefore the unsafe state of these flags is the value 0, whereas the safe state is non-zero. This means that if we have got a 0 overwrite vulnerability we can reset the security flags back to the unsafe state and exploit the unsafe functionality of the COM object.

    Attacking MSXML

    To demonstrate an attack against scriptable COM objects a suitable object is needed. It must meet some set of criteria to allow us to use the memory corruption vulnerability to bypass mitigations. I determined that the criteria were:

    - The object must be creatable in common COM hosts without significant security issues such as being blocked by policy or site locking
    - The object must be available on default Windows installations or be extremely common
    - The object must do something of benefit to an attacker when insecure, but not expose that functionality when secure (otherwise it would just be a security vulnerability)
    - It must be relatively trivial to convert from secure to insecure through a minimal number of zero memory overwrites

    The COM objects chosen for the demonstration are implemented by the MSXML libraries. Windows 8.1 comes with versions 3 and 6 of the MSXML library installed by default. They are pretty much considered de facto secure, as without them some websites would break; therefore there are no issues with site-locking or blacklisting. They can even be created in the immersive version of IE without issue. They also have some significant functionality when insecure, namely the ability to circumvent same-origin policy and also to execute fully-privileged scripts within the context of XSL transformation. So MSXML meets the first three criteria, but what about the 4th? Many of the objects that MSXML exposes implement the IObjectSafety interface, which is the mechanism through which safety is enabled as shown above.

    The object also supports the INTERFACE_USES_SECURITY_MANAGER flag, which means that the object will utilise the security manager from the hosted site to make some trust decisions. Through reverse engineering the safe objects such as DOMDocument and XMLHTTP, it can be seen that they all contain the COMSafeControlRoot structure, which is used to implement the IObjectSafety and security manager features. In MSXML3 this consists of 6 fields; in the default insecure version these values are all NULL, while in a secure version they contain pointers to site objects and security managers as well as the current security flags set through SetInterfaceSafetyOptions. The rough outline of this structure is shown below:

    Through inspection, I found that of the 6 values in memory only two were important when it came to bypassing the security mechanisms. This was a pointer to the host security manager at offset 4 and the security flags at offset 20. Crucially these can be reverted back to NULL without causing any other significant effect on the object’s functionality. This means that a very restricted memory corruption could achieve the desired effect, namely our overwrite with zero.

    Finding an Object in Memory

    The biggest issue with this technique is that whilst it would be easy enough to modify an object in memory to disable the security without an information disclosure vulnerability, we would not know where it was. If you had an information disclosure vulnerability you probably would not need to use this technique at all. The bypass must be able to guess the location of a valid object in memory and attack it blind. The design of typical scriptable COM hosts comes in handy here to achieve this goal:

    - They usually allow you to create an arbitrary number of new objects; this allows for the heap to be flooded with object instances
    - The allocation of COM objects is up to the COM library to implement; therefore it might not be using best practice or it might disable security mitigations
    - The scripting ability allows for executing specific sequences of operations to improve reliable allocation patterns

    In the general case this makes it a lot easier to use a heap flood technique to generate a reliable pattern of objects on the heap, and of a large enough size to guess the location of an object. If a regular pattern of objects can be achieved we can use an arbitrary overwrite to modify values in memory through a guessed location and then find the insecure object to execute our code.

    There are some issues with the heap improvements in Windows 8. For a start there is a new mitigation called Low Fragmentation Heap Randomisation. The Low Fragmentation Heap (LFH) is a special memory heap used for small allocations to reduce the amount of memory fragmentation that occurs during allocation and freeing of memory. In Windows 8 the order in which blocks are allocated has a random element to it. This makes it more difficult to lay out guessable patterns of allocations. At least once you start allocating 1000s of objects it is still possible to find some level of reliability for allocations. However, MSXML3 provides an ideal case: presumably for legacy reasons, when running on a multi-processor system it creates its own heap, passing the HEAP_NO_SERIALIZE flag. This means that the LFH is disabled, which also disables some of the heap improvements in Windows 8. This makes the heap flooding considerably more reliable.

    The targeted COM object in that library is MSXML2.XMLHTTP.3.0. This is because this object has a considerably smaller heap footprint than DOMDocument, which would be the more obvious choice. As long as the object is opened you can read the requestXML property (even without sending the request) to get a DOMDocument object. This document inherits the security settings of the parent XMLHTTP object, which allows us to modify XMLHTTP and then use that to execute arbitrary script code.

    To lay out the heap the provided PoC creates 40,000 instances of XMLHTTP and stores them in an array. Each instance also has the ‘open’ method called on it and a request header set to increase the allocation size for a single object. This results in a repeating 8192 byte pattern of objects being created in memory which looks similar to the following:

    The actual code was quite simple:

    Once the heap was flooded the next step was to write the 0 values to a guessed address. The address was chosen empirically, and for the proof-of-concept the overwrite was actually performed using a custom control rather than a real memory corruption vulnerability. By guessing the base address of an object and writing 0s to offsets 4 and 20 we will have disabled the security on one XMLHTTP object; we just need to find which one. For that, the proof-of-concept just enumerated all allocated objects, trying each one in turn with an XSL document with an msxsl:script tag containing JScript to start notepad. If the object is still secure then this process will throw an exception; if not, we succeeded, notepad has been executed and we can stop looking.

    Real World Zero Overwrites

    Of course this entire bypass is predicated on finding a vulnerability which allows you to do an arbitrary overwrite with a 0. How likely is that in the real world? Well, honestly I cannot give any figures, but don't forget that 0 is the typical default state for values, so any code which tries to initialize a value under an attacker's control will probably set it to zero. A good example is COM itself. Every COM object must implement the IUnknown interface; the first function, QueryInterface, is used to convert the object to different interface types. It takes a pointer to the IID and a pointer to a pointer for the returned interface, assuming it supports the required interface. It is recommended that if the object doesn't support the interface it should ensure the outbound pointer is set to NULL before returning. If you've already guessed the location of a COM object you might only be a V-Table dereference away from your coveted arbitrary zero overwrite.

    Conclusions

    Obviously this particular example has limitations. It only worked reliably in 32-bit versions of IE, as heap flooding is very difficult to do in a reliable way on 64-bit. Of course if you combined this technique with a memory disclosure vulnerability you can achieve code execution without needing to control EIP. The technique is more general than just COM objects in IE. Any structure in a program which has both safe and unsafe functionality is a suitable target. The PoC was necessary to demonstrate the potential. It is interesting that techniques like this are subject to convergent discovery; I wasn't the only person to stumble upon a similar idea, and the only reason it is an issue now is that the easy routes of exploitation have been closed.

    Source: Bypassing Windows 8.1 Mitigations using Unsafe COM Objects
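The design point the post above turns on is that the "secured" state of the object lives in non-zero values, so the zero default is the permissive state. As an added illustration (written for this page, not code from the original post and not MSXML's real implementation), the C program below models a six-field structure laid out as the post describes for the 32-bit build, with the security manager reference at offset 4 and the security flags at offset 20, and compares the post's pattern (model A) with a fail-closed layout (model B) in which zero means "restricted" and a grant requires an explicit non-zero token. The struct, the field names, the flag values and the simulated 4-byte zero write are all assumptions chosen for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the six-field structure the post describes (not the
 * real MSXML layout): 4-byte fields so that the security manager reference
 * sits at offset 4 and the security flags at offset 20, as quoted for the
 * 32-bit build. */
typedef struct {
    uint32_t site;             /* offset 0: hosting site reference (model) */
    uint32_t security_manager; /* offset 4: host security manager reference */
    uint32_t reserved[3];      /* offsets 8, 12, 16: not modelled */
    uint32_t security_flags;   /* offset 20: flags set via SetInterfaceSafetyOptions */
} safe_control_root_t;

_Static_assert(offsetof(safe_control_root_t, security_manager) == 4, "manager at +4");
_Static_assert(offsetof(safe_control_root_t, security_flags) == 20, "flags at +20");

#define MODEL_A_RESTRICTED   0x1u       /* model A: non-zero means "secured" (assumed) */
#define MODEL_B_UNRESTRICTED 0x5A3Cu    /* model B: only this exact token grants (assumed) */
#define MANAGER_PRESENT      0xC0FFEEu  /* stand-in for a non-NULL manager pointer */

/* Model A, the pattern the post attacks: a freshly created object is
 * unrestricted and the host opts *in* to safety by storing non-zero values.
 * Returning to zero, by whatever means, silently re-enables unsafe features. */
bool model_a_allows_unsafe(const safe_control_root_t *r) {
    bool no_restriction_flag = (r->security_flags & MODEL_A_RESTRICTED) == 0;
    bool no_manager_to_ask   = r->security_manager == 0;
    return no_restriction_flag || no_manager_to_ask;
}

/* Model B, fail-closed: zero is the restricted state; unsafe features need an
 * explicit non-zero grant token *and* a present manager, so a missing manager
 * means "deny", not "skip the check". A zero overwrite can only tighten it. */
bool model_b_allows_unsafe(const safe_control_root_t *r) {
    return r->security_flags == MODEL_B_UNRESTRICTED && r->security_manager != 0;
}

/* Stand-in for the corruption primitive in the post: a 4-byte write of zero
 * at a chosen byte offset inside the object. */
void zero_overwrite(safe_control_root_t *r, size_t offset) {
    memset((uint8_t *)r + offset, 0, sizeof(uint32_t));
}

/* Host secures an object under model A; optionally the object then suffers
 * zero writes at offsets 4 and 20. Returns whether unsafe features are allowed. */
bool model_a_allows(bool corrupted) {
    safe_control_root_t obj = {0};
    obj.security_manager = MANAGER_PRESENT;
    obj.security_flags   = MODEL_A_RESTRICTED;   /* "secured" by the host */
    if (corrupted) {
        zero_overwrite(&obj, 4);
        zero_overwrite(&obj, 20);
    }
    return model_a_allows_unsafe(&obj);          /* false before, true after */
}

/* Same sequence under model B: the secured state already *is* zero flags. */
bool model_b_allows(bool corrupted) {
    safe_control_root_t obj = {0};
    obj.security_manager = MANAGER_PRESENT;
    obj.security_flags   = 0;                    /* restricted by default */
    if (corrupted) {
        zero_overwrite(&obj, 4);
        zero_overwrite(&obj, 20);
    }
    return model_b_allows_unsafe(&obj);          /* false in both cases */
}

/* Model B still serves a trusted host that deliberately grants the token. */
bool model_b_trusted_host_grant(void) {
    safe_control_root_t obj = {0};
    obj.security_manager = MANAGER_PRESENT;
    obj.security_flags   = MODEL_B_UNRESTRICTED;
    return model_b_allows_unsafe(&obj);          /* true */
}

int main(void) {
    printf("model A secured:            unsafe allowed = %d\n", model_a_allows(false));
    printf("model A after zero writes:  unsafe allowed = %d\n", model_a_allows(true));
    printf("model B secured:            unsafe allowed = %d\n", model_b_allows(false));
    printf("model B after zero writes:  unsafe allowed = %d\n", model_b_allows(true));
    printf("model B trusted-host grant: unsafe allowed = %d\n", model_b_trusted_host_grant());
    return 0;
}
```

The takeaway for anyone designing a structure with both safe and unsafe modes is the one the post's conclusion hints at: choose the encoding so that the all-zero state is the restricted one and a grant is a distinctive non-zero value, so a partial or zero-only corruption cannot move the object toward the permissive state, and so that an absent security manager is treated as a reason to deny rather than a reason to skip the check.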
  19. Nytro

    PE Insider

    PE: Portable Executable. That is .exe, .dll, .sys, regardless of language. But I like this one better: https://rstforums.com/forum/86741-cff-explorer.rst
  20. PE Insider

    PE Insider is a free Portable Executable viewer for the community. It shares the same codebase for inspection as Cerbero Profiler and hence it supports the entire PE specification and is incredibly fast and stable. Click here to download the setup.

    Source: Cerbero - PE Insider
  21. CFF Explorer

    Small announcement: the CFF Explorer was started as a side project many years ago. While I will continue to release updates from time to time, it is not going through radical improvements. If your organization needs professional PE inspection (not editing), then you might take a look at Cerbero Profiler (the commercial product of my company), which properly supports many file formats beyond the complete Portable Executable specification. In addition to that we also offer a completely free PE viewer for the community called PE Insider.

    Created by Daniel Pistelli, a freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86 and x64.

    - Explorer Suite (Multi-Platform Version, Recommended) SHA1: 89CAB44D4956210570AB3123FBF13B2B7D870B91
    - CFF Explorer (x86 Version, stand-alone, Zip Archive) SHA1: 7A287CD97BD9287C020C98C3496E284D04F5382D
    - CFF Explorer Extensions Repository

    The CFF Explorer was designed to make PE editing as easy as possible, but without losing sight of the portable executable's internal structure. This application includes a series of tools which might help not only reverse engineers but also programmers. It offers a multi-file environment and a switchable interface. Also, it's the first PE editor with full support for the .NET file format. With this tool you can easily edit metadata fields and flags. If you're programming something that has to do with .NET metadata, you will need this tool.

    The resource viewer supports .NET image formats like icons, bitmaps, pngs. You'll be able to analyze .NET files without having to install the .NET framework; this tool has its own functions to access the .NET format.

    Useful links:
    - How to write a CFF Explorer Extension
    - CFF Explorer Scripting Language Documentation (v2)
    - CFF Explorer Scripting Language Documentation (v1)
    - CFF Explorer Extensions Repository

    Features:
    - Process Viewer
    - Drivers Viewer
    - Windows Viewer
    - PE and Memory Dumper
    - Full support for PE32/64
    - Special fields description and modification (.NET supported)
    - PE Utilities
    - PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
    - View and modification of .NET internal structures
    - Resource Editor (full support for Windows Vista icons)
    - Support in the Resource Editor for .NET resources (dumpable as well)
    - Hex Editor
    - Import Adder
    - PE integrity checks
    - Extension support
    - Visual Studio Extensions Wizard
    - Powerful scripting language
    - Dependency Walker
    - Quick Disassembler (x86, x64, MSIL)
    - Name Unmangler
    - Extension support
    - File Scanner
    - Directory Scanner
    - Deep Scan method
    - Recursive Scan method
    - Multiple results
    - Report generation
    - Signatures Manager
    - Signatures Updater
    - Signatures Collisions Checker
    - Signatures Retriever

    Download the Explorer Suite

    Source: NTCore's Homepage
  22. We have a better plan for something like that.
  23. For now, a single category of "free" things is fine. If many "premium" things turn up to post, we'll make a subcategory. For now, anyone has access to what gets posted there.
  24. Four months ago we reviewed Bitdefender Internet Security 2014. The developer has just released the 2015 version of the antivirus application, bringing in new features and improvements concerning usability. We had the opportunity to take a look at the new product a bit early and evaluate it for ourselves. July 9th, 2014, 16:00 GMT · By Elena Opris NOTE: Bitdefender Internet Security 2015 was tested on 64-bit Windows 8.1 Pro. Installation and interface The setup procedure is similar to the one in the previous edition. It is speedy and customizable in terms of installation directory and proxy settings. Although it is not mentioned anywhere in the installer, the tool integrates a couple of entries into the Windows Explorer context menu, in order to quickly scan and shred files, folders and drives. As far as the interface is concerned, Bitdefender preserves the same dark and green theme. However, the buttons are flatter now and some elements have been removed to make the look cleaner overall. [TABLE=align: center] [TR] [TD][/TD] [TD][/TD] [/TR] [/TABLE] Install Bitdefender and visit the main panel The largest three buttons in the main menu provide access to the protection and privacy modules along with tools, while four lesser buttons enable users to quickly perform a scan, check for virus definition updates, optimize the disk by resolving junk files, invalid registry keys and privacy issues, as well as navigate the Internet via Safepay, Bitdefender's proprietary web browser which ensures secure online transactions. The autopilot mode can be activated with one click to apply optimized settings and let the application handle any threats automatically, thus letting users proceed with their usual PC activities. If disabled, it is possible to select an ideal profile based on the type of activity: standard, work, game or movie. 
PC protection configuration Bitdefender implements six layers of protection against viruses, worms, Trojans, rootkits, adware, spyware, and other types of malware: antivirus, vulnerability scans, antispam, firewall, web protection, and intrusion detection. [TABLE=align: center] [TR] [TD][/TD] [/TR] [/TABLE] Go to Protection to view all security modules Computer scans can be performed quickly to look into the usual hiding places of the system, such as Program Files and the Windows directory. When it comes to scan configuration, it is possible to adjust the on-access scanning and active virus control levels (permissive, normal, aggressive), create exclusions (files, CD/DVD and USB devices, mapped network drives) and personalize quarantine settings (e.g. delete old content). Additional scan options focus on the file types to take into account (all, only programs, archives) and types of objects to target (e.g. boot sectors, memory, registry, cookies, rootkits). These settings are also applicable to scheduled scan tasks. [TABLE=align: center] [TR] [TD][/TD] [TD][/TD] [/TR] [/TABLE] Configure antivirus settings and manage scan jobs Custom scans can be scheduled and created by specifying the exact files, directories and drives to verify, along with the severity level to favor either resources consumption or speed. They can be set to run with low priority, minimize the scan wizard to the system tray, as well as to shut down the PC, close the scan window or just show the summary window if no threats are found. Just like in the 2014 version, this new edition contains Rescue Mode, a feature that should be used in critical scenarios when the computer can no longer boot properly due to virus malware infiltration. 
[TABLE=align: center] [TR] [TD][/TD] [TD][/TD] [/TR] [/TABLE] Configure vulnerability settings and run a scan Vulnerability scans verify the operating system for weak points by looking into critical Windows updates, application updates, weak passwords, and media autorun. The antispam module filters emails in clients using the POP3 protocol, in order to weed out dangerous or unwanted messages. It can be set to block emails written in Asian or Cyrillic characters, submit spam and legit samples to the cloud to share information with other users in the Bitdefender community, as well as manage email addresses and domains separately for friends and spammers. [TABLE=align: center] [TR] [TD][/TD] [TD][/TD] [/TR] [/TABLE] Configure antispam and firewall settings Bitdefender comes packed with its own personal firewall that is automatically turned on at installation while deactivating the Windows Firewall to prevent any conflicts. It can block Internet Connection Sharing and network port scans, monitor wireless connections, follow pre- and user-defined rules to allow or deny Internet access to active processes, as well as manage network adapters. Web protection is provided by default via Search Advisor (a browser assistant that indicates trustworthy and suspicious websites), SSL scanning, along with shields against fraud and phishing links. The Bitdefender Toolbar is optional and includes the previously mentioned components which can be easily activated and deactivated with one click, together with a sandbox feature that confines all browsing activities into a virtual and secure environment. Any URLs can be excluded from the web protection module by adding them to a whitelist. [TABLE=align: center] [TR] [TD][/TD] [TD][/TD] [/TR] [/TABLE] Configure web protection and intrusion detection settings Lastly, the intrusion detection system is a safety measure against hacker attempts to get in the computer and corrupt data. 
It prevents any modifications to the critical system files and registry entries, informs users about DLL injection-based attacks and blocks the installation of malware drives. Its severity level can be set to permissive, normal or aggressive. Privacy configuration Bitdefender's privacy component has multiple purposes. It can securely delete files via File Shredder (also accessible via the Explorer context menu) to prevent third parties from recovering them using specialized tools, as well as monitor children's activity online and keep track of lost or stolen notebooks or Android devices via the parental control features (it requires online registration, free). [TABLE=align: center] [TR] [TD][/TD] [TD][/TD] [/TR] [/TABLE] Configure privacy settings and manage the Bitdefender Apart from the Safepay feature which was previously discussed, Bitdefender includes a Wallet that saves all login credentials to any sites when surfing the Internet (supported by Internet Explorer, Mozilla Firefox, Google Chrome), apps, email clients and wireless connections, putting them in a safe location protected with a password which is requested at every system startup (handy if the PC is shared with other users). It can be exported to file and imported on another computer running Bitdefender. New tools Internet Security 2015 brings additional tools dedicated to PC tuneup. OneClick Optimizer looks for junk files that unnecessarily take up disk space, invalid registry entries which may prevent system issues, along with browser traces that may compromise the user's activity, such as cache, cookies, temporary files and visited links. [TABLE=align: center] [TR] [TD][/TD] [TD][/TD] [/TR] [/TABLE] Visit the tools section and optimize the system with one click Startup Optimizer gives users the possibility of delaying or disabling apps which automatically run at system boot to increase Windows startup speed, as well as to view the boot time of each program and overall system. 
[TABLE=align: center] [TR] [TD][/TD] [TD][/TD] [/TR] [/TABLE] Manage autostart entries and clean up the PC PC Cleanup can be performed with typical settings to take into account browser cache, error reporting files, memory dumps and Windows junk files, or with customized options by excluding any of these areas. [TABLE=align: center] [TR] [TD][/TD] [TD][/TD] [/TR] [/TABLE] Defragment the disk and clean the registry A disk defragging tool allows users to select the exact drives to analyze and reduce fragments on and ensure better computer performance, while the registry cleaner tool previously mentioned in the OneClick Optimizer module can be separately run and personalized in terms of registry areas to clean (after analyzing all of them). [TABLE=align: center] [TR] [TD][/TD] [TD][/TD] [/TR] [/TABLE] Restore registry backups and identify duplicate files All registry keys are automatically backed up before removal, and they can be restored using a separate component. Furthermore, Bitdefender integrates a function that identifies and removes duplicate files in order to free up disk space and declutter the system. As far as profile configuration goes, it is possible to enable real-time optimization and let Autopilot manage profiles, activate battery mode for notebooks, as well as make some tweaks to the work, movie and game profiles, such as postponing Windows automatic updates along with user-defined background programs and maintenance tasks, as well as adjusting the power plan and visual settings for movies and games. [TABLE=align: center] [TR] [TD][/TD] [TD][/TD] [/TR] [/TABLE] Manage profile settings and examine events A feature available in the 2014 edition too, Safego is specially designed for Facebook to scan all links sent and received from friends via various locations like News Feed and comments, in order to make sure they are not infected with malware. It can be remotely accessed and has a mobile version available for smartphones. 
Events concerning each major component can be examined in a log area. In addition, Bitdefender automatically sends a weekly report with the security status and improvement tips, provided that the user is logged in. It is possible to password-protect the entire application and manage the automatic update frequency.

Performance results

A collection of 8,502 virus samples was submitted to the test, in order to verify Bitdefender's threat detection ratio. The test machine was an Intel Core i5-3470 CPU @ 3.20GHz with 12GB RAM and a 500GB Seagate Barracuda ST500DM002 7200RPM, running Windows 8.1 Pro. Default settings were applied. The collection did not include zero-day threats.

The real-time guard was excellent! As soon as we triggered the extraction procedure of the 8,502 virus samples from the password-protected archive, Bitdefender immediately picked up on it and started eliminating files while remaining completely silent (no kind of notifications were shown). In the end, it left behind only 225 files.

In the next step, we proceeded with a contextual scan to find out whether the tool was capable of detecting and removing more files, and we were right. It detected and eliminated 207 extra files, leaving behind only 30 items. Overall, Bitdefender had a success rate of 99.6%.

In order to evaluate the app's scan speed, we ran a system scan (the primary drive had 156GB of occupied space). Default settings were applied. Bitdefender finished the scan job in roughly 1 hour and 36 minutes. No false positives were spotted in these tests. CPU and RAM consumption was minimal. The tool was completely stealthy.

The Good

The redesigned interface definitely looks cleaner than the old one. Bitdefender's firewall has been simplified to allow less experienced users to configure it. The new profiles for work, games and movies have handy customization settings. The real-time guard is highly responsive and does an excellent job. Virus detection ratio was outstanding.
Scan jobs were fast, while CPU and RAM usage was low.

The Bad

Although the interface is pretty attractive overall, some windows blend together depending on the order in which they were accessed. The duplicate finder takes a really long time to sort files into groups after finishing a scan job. The app sometimes becomes unresponsive when attempting to stop or cancel scan jobs.

The Truth

The new toolbox with PC tuneup features was not really necessary for an antivirus utility, since other apps which specialize in this category offer more advanced settings. Nevertheless, they are welcome for quickly resolving common issues, in addition to the new profiles with optimized settings for working, gaming and watching movies.

Built to last, Bitdefender continues to dominate the anti-malware solutions community. Since this is a brand new edition, professional tests have not been carried out yet (e.g. AV Comparatives, Virus Bulletin), but we're certain that Bitdefender Internet Security 2015 will continue to impress as far as real-time responsiveness, virus detection ratio, scan speed and resource consumption are concerned.

Source: Bitdefender Internet Security Review
25. Isolated Heap for Internet Explorer Helps Mitigate UAF Exploits

by Jack Tang (Threats Analyst)

In the recent Microsoft security bulletin for Internet Explorer, we found an interesting improvement for mitigating UAF (Use After Free) vulnerability exploits. The improvement, which we will name "isolated heap", is designed to prepare an isolated heap for many objects which often suffer from UAF vulnerabilities.

Let's use Internet Explorer 11 as an example. Before it was patched, the function CHeadElement::CreateElement allocates memory space from the heap. The code is as follows:

Figure 1. The function CHeadElement::CreateElement

From Figure 1, we can see the memory space is allocated from the heap g_hProcessHeap, which is the IE default heap. In other words, all these IE objects share the same heap. After the patch, in the same location, the code was changed to the following:

Figures 2 and 3. The function CHeadElement::CreateElement after the patch

From Figures 2 and 3, we can see that Internet Explorer now allocates memory space from the heap g_hIsolatedHeap. In other words, these class objects which use the isolated heap do not share the same heap with IE's other objects.

How can an isolated heap mitigate UAF vulnerability exploits?

The first routine of UAF vulnerability exploits is to use controlled objects to occupy the memory space which is owned by the UAF object. Some recent Internet Explorer zero-day vulnerabilities such as CVE-2014-0322 and CVE-2014-1776 used this technique. We can summarize the technique of occupying space in the following steps:

1. Use String or Array to make a buffer which can be controlled by the attacker. For example: "var d=b.substring(0,(0x340-2)/2);"
2. Create an IE element object. For example: "g_arr[a]=document.createElement('div')"
3. Trigger the vulnerability to free the target object.
4. Set the attribute of the objects which were created in step 2 many times with the String which was created in step 1. For example: for(a=0;a<arrLen;++a) { g_arr[a].className=d.substring(0,d.length); }

In step 4, IE will allocate memory space in the heap g_hProcessHeap. In the example for step 4, we can see the following part of the call stack:

Figure 4. The function CAttrArray::Set() calling the function RtlAllocateHeap()

In Figure 4 we see CAttrArray::Set() calling the function RtlAllocateHeap(). The call stack is done with the following code:

Figure 5. It uses RtlAllocateHeap with heap "g_hProcessHeap" and then copies the String's data to this buffer.

Before the latest patch, if the RtlAllocateHeap call has the correct size, the probability that an attacker-controlled buffer could occupy the freed object's memory space is high. But after the latest patch, the freed object is allocated in heap g_hIsolatedHeap, so there is no probability that the freed object's memory space is occupied by the attacker-controlled buffer. The solution is a good way to mitigate UAF vulnerability exploits.

From the patch's code, the heap g_hIsolatedHeap is used by HTML and SVG DOM Elements (CXXXElement) and supporting elements such as CTreeNode, CMarkup, CAttribute and so on. These objects have a high probability of having the UAF vulnerability, so it is important that they are secured through the isolated heap.

Can the isolated heap solution mitigate UAF vulnerabilities completely?

No solution is perfect. The improvement implemented by Microsoft raises the difficulty in creating an exploit, but it does not eliminate the vulnerability completely. There are two theoretical ways to bypass this protection:

1. If attackers can find an object which meets the following three criteria instead of String: allocated with the isolated heap; correct size for the UAF object; content of the object easily controlled. What is not clear is if attackers can find a reasonable way to perform the above attack.
2. Many objects are still using the process heap, not the isolated heap. If these objects encounter a UAF vulnerability, the isolated heap solution doesn't work. However, Microsoft can easily add objects to use the isolated heap if this becomes a problem down the road.

We are glad that Microsoft is continuing to improve the security of Internet Explorer and mitigating the abuse of vulnerabilities. While the isolated heap is not a perfect solution, it represents a significant improvement that will help mitigate attacks of this type moving forward.

Source: Isolated Heap for Internet Explorer Helps Mitigate Exploit | Security Intelligence Blog | Trend Micro
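To make the post's argument concrete, here is a toy allocator model, an added example that is neither Microsoft's nor Trend Micro's code: one "process heap" and one "isolated heap", each a bump allocator with a LIFO free list, which is the reuse behaviour that lets a same-size string copy land on a freed element when both share a heap. Only g_hProcessHeap, g_hIsolatedHeap, CHeadElement::CreateElement and CAttrArray::Set refer to the post; every other name is the model's own.

```c
#include <stddef.h>

/* Model: one size class matching the 0x340-byte string in the post. */
#define CHUNK_SIZE 0x340
#define POOL_SIZE  (CHUNK_SIZE * 4)

/* Toy heap: bump allocation plus a one-entry LIFO free list, the property a real
 * heap shares: the most recently freed chunk goes to the next same-size request. */
typedef struct {
    unsigned char mem[POOL_SIZE];
    size_t top;
    void *freed;
} toy_heap;

static void *toy_alloc(toy_heap *h) {
    if (h->freed) {                       /* reuse the freed chunk first */
        void *p = h->freed;
        h->freed = NULL;
        return p;
    }
    if (h->top + CHUNK_SIZE > POOL_SIZE) return NULL;
    void *p = h->mem + h->top;
    h->top += CHUNK_SIZE;
    return p;
}

static void toy_free(toy_heap *h, void *p) { h->freed = p; }

/* Returns 1 if a string buffer allocated after the element is freed lands on
 * the element's old address (the condition the UAF exploit relies on), else 0. */
static int string_lands_on_freed_element(toy_heap *element_heap, toy_heap *string_heap) {
    void *element = toy_alloc(element_heap); /* DOM element (CHeadElement::CreateElement) */
    toy_free(element_heap, element);         /* the free that leaves a dangling reference */
    void *str = toy_alloc(string_heap);      /* className copy made by CAttrArray::Set */
    return str == element;
}

/* Before the patch: elements and strings both come from g_hProcessHeap (modelled). */
int shared_heap_overlap(void) {
    toy_heap process_heap = {{0}};
    return string_lands_on_freed_element(&process_heap, &process_heap);
}

/* After the patch: elements come from g_hIsolatedHeap, strings still from g_hProcessHeap. */
int isolated_heap_overlap(void) {
    toy_heap process_heap = {{0}}, isolated_heap = {{0}};
    return string_lands_on_freed_element(&isolated_heap, &process_heap);
}
```

The shared-heap case returns 1 because the free list hands the element's chunk straight to the string copy; the isolated-heap case returns 0 because the string can never be carved from the pool the element lived in, which is exactly the first bypass condition in the post (an attacker would need a controllable object that is itself allocated from the isolated heap).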