Browser Security Pack
Jul. 20, 2004, 03:18 AM
Post: #136
 
Version 4.10

Last Updated: July 19, 2004 - 11:18 PM EST

http://prxbx.com/forums/index.ph...topic=131&st=0#

-Disabled uncommon/old exploits, in order to lower CPU usage

-Modified (IE: Local Zone Access Exploit [Kye-U])
--Fixed (), [] issue
--Fixed False Positive

-Removed (Javascript Location Exploit [Kye-U])
--Overlapped with (View-Source Exploit [Kye-U])
Jul. 20, 2004, 03:48 AM
Post: #137
 
Can someone help me in finding a way to decrease the CPU usage?
Jul. 20, 2004, 03:49 AM
Post: #138
 
Code:
Name = "IE: Javascript showModalDialog Exploit [Kye-U]"
Replace = "<strong>[IE Javascript Pop-Up Window Object Type Exploit removed]</strong>"
Code:
Name = "IE: Known CLASSID-Crash [Kye-U]"
Replace = "<strong>[IE Explorer View Exploit Removed]</strong>"
Code:
Name = "IE: vbscript LoadPicture Exploit [Kye-U]"
Replace = "<strong>[IE Wildcard DNS Cross-Site Scripting Exploit Removed]</strong>"
Aren't these the wrong replacement messages?
Jul. 20, 2004, 04:10 AM
Post: #139
 
Yes they are... Confused

Version 4.11 is out:

Last Updated: July 20, 2004 - 12:10 AM EST

http://prxbx.com/forums/index.ph...topic=131&st=0#

-Fixed Replacement text for: (IE: Javascript showModalDialog Exploit [Kye-U]), (IE: Known CLASSID-Crash [Kye-U]), and (IE: vbscript LoadPicture Exploit [Kye-U])
Jul. 20, 2004, 08:47 AM
Post: #140
 
Kye-U Wrote: Can someone help me in finding a way to decrease the CPU usage?
Can you post a filter that has this problem and one (or better more) example links where it matches?
Maybe better as a separate thread in Q&A as this one is growing rapidly and is hard to follow. [lol]

As to CPU usage generally, the "Profile" button in the filter test window is your friend. Smile!
I have this rule of thumb for my 600MHz CPU:
For a standard 32K page where a filter doesn't match, it should take 1-4 ms for normal filters, 5-8 ms for those that are calling lists (and up to 30 ms for complex site-specific ones on match).


sidki
Jul. 20, 2004, 10:19 AM
Post: #141
 
My "guess" is that SEVERAL of these security issues are NOT an issue if your browser is fully patched. ProxRocks is right. If your system is fully patched it should not be vulnerable to attacks. I removed all of Kye-U's security cfg and my system is back up to speed. I then tested it out @ http://bcheck.scanit.be/bcheck/sid-e61f70a2409bc276b4cab7a1bf60ce8c/ and failed only one test, Cross-Domain Policy Exploit, for which there is no fix at this time other than disabling javascript. Siamese Cat is correct as well in that you need to pick and choose your filters based on what you may need or want to do. At least that's how it appears to this dummy!
Jul. 20, 2004, 10:27 AM
Post: #142
 
Amen to that...
Jul. 20, 2004, 01:24 PM
Post: #143
 
ProxRocks Wrote: Generally speaking, my surfing habits are extremely safe - I don't do porn or warez or sh*t like that... Nor e-commerce, for that matter... That being the case, I don't "run into" the exploits that this security collection addresses anyway... NONE of these filters has shown up in my log while surfing... Doesn't mean that I don't need them for added security on the 'net, but not if it sacrifices CPU time...
http://bshagnasty.home.att.net/browsersettings.htm

I think this point needs to be addressed, for the benefit of the wider readership.

The notion that only those who visit Porn or Warez sites get hit by dialers, CWS, malicious ActiveX or whatever is an utter fallacy. Sure, more bad things happen to those that indulge in such activity, but that's perhaps poetic justice.

At the time of my search engine/homepage being hijacked, I didn't know half of what I do now about the nature of these things (or how to avoid them; traditional apps ARE NOT enough).

Fact is, you can run a search on Google using the default moderate safe search (meaning no explicit content). Type in an entirely innocuous term and inadvertently land on a malicious site. No, it won't be a Warez nor Porn site, it'll look as normal as bbc.co.uk... You'll have time to notice that in the split second your search engine is substituted.

Just to set the record straight.

_J_G_
Jul. 20, 2004, 05:56 PM
Post: #144
 
Ok, I will stop the development and time spent on this pack.

If someone wishes to pick up my pack, and do whatever they wish with it, they may do so. But I am leaving the ZIP file up for interested users to take a look.

Siamesecat, you might be the one to take this post Wink

Then I can constructively criticize you. Big Teeth

Maybe I'll find an easier, less dynamic pack to develop in the future.

I'm sorry for this abrupt notice, but I felt that this pack was causing more problems than fixing them.
Jul. 20, 2004, 06:20 PM
Post: #145
 
It was eating up quite a bit of your time, that's for sure...
We do all appreciate the effort - hope you do know that...

I still do intend to narrow the focus down as to which are still needed under IE6 under Win XP SP2...

S'cat - have you come up with anything towards that end?
Jul. 20, 2004, 07:01 PM
Post: #146
 
Old version:
Code:
Name = "IE: Cross Site Exploit [Kye-U]"
Match = "*\?*<script*alert\(document.*\)</script>*"
New version:
Code:
Match = "*\?<script*alert\(document.*\)</script>*"
I believe the script tag does not always come right after the question mark. This is easy for anyone to fix. Just use the older version of match.


People, I just had an idea about speeding things up a bit. If you take filters that simply remove expressions without wildcards, like any of these, you could substitute a nonsense expression and just delete the bounds.
"view-source:"
"window.moveBy"
"clsid:55136805-B2DE-11D1-B9F2-00A0C98BC547"
"dynsrc=$AV(file://"
"external.AutoScan"
"clsid:0CF32AA1-7571-11D0-93C4-00AA00A3DDEA"
"window.createPopup"
The byte limits could then be decreased to the length of the expression substituted and that would also help with the speed. You would end up with straight string substitution filters which would still be effective. The original default.cfg has many such filters and works well. Look at the OnUnload Unloader, for instance. Keep the Alerts if you like, but both printed line and alert are not really necessary.
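The difference between the two Match lines in the post above, shown as an added example that is not part of the original thread or of the filter pack. It assumes a simplified reading of the Proxomitron syntax (`*` is any run of characters, a backslash makes the next character literal); `to_regex`, `matches` and `compare` are hypothetical helpers and the sample URLs are constructed.

```python
import re

# Patterns copied from the post above (Proxomitron match syntax).
OLD_MATCH = r"*\?*<script*alert\(document.*\)</script>*"
NEW_MATCH = r"*\?<script*alert\(document.*\)</script>*"


def to_regex(pattern):
    """Translate the subset of Proxomitron syntax used above into a regex.

    Assumed simplification: '*' is any run of characters, a backslash makes
    the next character literal, everything else is literal. Other
    Proxomitron meta-characters are not handled.
    """
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))  # escaped char is literal
            i += 2
            continue
        out.append(".*" if ch == "*" else re.escape(ch))
        i += 1
    # Assumption: matching is case-insensitive and '*' may span newlines.
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


def matches(pattern, text):
    """True when the whole text matches the translated pattern."""
    return to_regex(pattern).fullmatch(text) is not None


# Constructed sample inputs (not taken from the thread).
SAMPLES = {
    "tag right after '?'": "http://example.test/p?<script>alert(document.cookie)</script>",
    "tag inside a parameter": "http://example.test/p?q=<script>alert(document.cookie)</script>",
    "ordinary query string": "http://example.test/p?q=proxomitron+filters",
}


def compare():
    """Return {label: (old_matches, new_matches)} for every sample."""
    return {label: (matches(OLD_MATCH, s), matches(NEW_MATCH, s))
            for label, s in SAMPLES.items()}


if __name__ == "__main__":
    for label, (old, new) in compare().items():
        print(f"{label:26} old={old!s:5} new={new}")
```

The second sample is the case the post describes: the tag sits behind `q=`, so only the older pattern catches it.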
Jul. 20, 2004, 07:30 PM
Post: #147
 
Siamesecat Wrote: Old version:
Code:
Name = "IE: Cross Site Exploit [Kye-U]"
Match = "*\?*<script*alert\(document.*\)</script>*"
New version:
Code:
Match = "*\?<script*alert\(document.*\)</script>*"
I believe the script tag does not always come right after the question mark. This is easy for anyone to fix. Just use the older version of match.
Here is an old Scott filter - part of JD's 10-24 set.
It targets the same thing and has no CPU issues.
Code:
[HTTP headers]
In = FALSE
Out = TRUE
Key = "URL-Killer: Disable Script URL Exploits (Out)"
URL = "*<(script|object|applet)"
Replace = "Script killed\k"

sidki
Jul. 20, 2004, 07:31 PM
Post: #148
 
Ralph Wrote: http://bcheck.scanit.be/bcheck/sid-e61f70a...cab7a1bf60ce8c/
Very impressive test site...
I ran it with Proxo BYPASSED and failed that same one - and ONLY that one...
I'm only on SP1 here - my SP2 RC2 is at home - I'm half suspecting it to not even fail that one...
Jul. 20, 2004, 07:37 PM
Post: #149
 
Kye-U Wrote: Ok, I will stop the development and time spent on this pack.

If someone wishes to pick up my pack, and do whatever they wish with it, they may do so. But I am leaving the ZIP file up for interested users to take a look.

Siamesecat, you might be the one to take this post Wink

Then I can constructively criticize you. Big Teeth

Maybe I'll find an easier, less dynamic pack to develop in the future.

I'm sorry for this abrupt notice, but I felt that this pack was causing more problems than fixing them.
Kye-U, don't take it to heart. All that's happened here is people are taking a more analytical stance. There's no reason non-applicable filters can't be de-activated according to which incarnation of "Inbreed Exploiter" (as my friend calls it) is being run.

It's wonderful that people are brainstorming and asking questions. The great Proxo revival starts right here. Soon, perhaps you won't have to carry such a huge weight on your shoulders, alone.

You have been working flat out on this, releasing new configs almost daily. Perhaps you don't need to capitulate to pressure like that. Release a new final config every month or so. In the interim, folks can thrash out the finer points of the Beta versions. Share the brain-strain.

_J_G_
Jul. 20, 2004, 08:58 PM
Post: #150
 
Jaded_Goth Wrote: Release a new final config every month or so.
Good idea Eyes Closed Smile

And Siamesecat, you suggest that now... <_< But good idea Eyes Closed Smile I will try it in version 4.12.

I'll try once more...