Browser Security Pack
Dec. 31, 2005, 10:29 PM
Post: #361
 
Thanks Smokey, I appreciate it Smile!
Dec. 31, 2005, 10:31 PM
Post: #362
 
Version 4.52 is Released!

Last Updated: December 31st, 2005 - 5:28 PM EST

What's New?

Quote:
[-Version 4.52-]

-Modified (Windows: Kill Infected .WMF Files [Kye-U])
--Made matching expression look for the exploit code-sequence itself
--Increased Bytes Limit in order to match new variants of exploit (larger)
--Modified Alert message slightly
--Renamed to (Windows: Kill Suspected WMF-Exploit Files {P} [Kye-U])
---P stands for Pending
---as Microsoft has not released an official fix, but hopefully will soon.
---if they never do, this filter will remain in this set.

-Modified (Host: All File Extensions Force Filter {JJoe} (out))
--Renamed to (Host: All File Extensions Force Filter {P} {JJoe} (out))
---Same issue as (Windows: Kill Suspected WMF-Exploit Files {P} [Kye-U])

http://prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!

MD5: 9D3369BE3A3BA7D17D282AE84C02C39F
Dec. 31, 2005, 10:50 PM
Post: #363
 
For those who have problems with Proxomitron after merging this set, try my standalone version.

http://prxbx.com/forums/docs/Kye-U.Brows...dalone.zip

Download, Extract to Your Proxomitron Folder, Open Proxomitron.exe, click on Load Config, select "Kye-U.Browser.Security.Pack.v4.52.Standalone.cfg".

(The difference in this one is that it has window settings and everything a normal config has)
Jan. 02, 2006, 10:09 AM
Post: #364
 
Version 4.53 is Released!

Last Updated: January 2, 2006 - 5:08 AM EST

What's New?

Quote:
[-Version 4.53-]

-Added (Content-Type: !!!Filter All File Types {P} [Kye-U] {JJoe} (In))
--Changes content-type for GIF files to JPEG (so it is filterable)
--Now filters all file types

-Added (Freeze GIF Animations {P} [Kye-U])
--Since the Content-Type filter disables Proxomitron's built-in "Freeze GIF" feature, this filter will freeze GIF files
--Disabled by default

-Modified (Windows: Kill Suspected WMF-Exploit Files {P} [Kye-U])
--New efficient matching technique (thanks to JJoe)
--Bytes limit is 4, so CPU usage should be minimal
--Modified Alert message slightly
--Renamed to (Windows: Nullify Suspected WMF-Exploit Files {P} [Kye-U] {JJoe})
---P stands for Pending
---as Microsoft has not released an official fix, but hopefully will soon.

-Removed (Host: All File Extensions Force Filter {P} {JJoe} (out))

http://prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!

MD5: BFF3CF9E78A15E06048694A175B4B720

---------------------

For those who have problems with Proxomitron after merging this set, try my standalone version.

http://prxbx.com/forums/docs/Kye-U.Brows...dalone.zip

Download, Extract to Your Proxomitron Folder, Open Proxomitron.exe, click on Load Config, select "Kye-U.Browser.Security.Pack.v4.53.Standalone.cfg".

(The difference in this one is that it has window settings and everything a normal config has)
Jan. 03, 2006, 09:40 AM
Post: #365
 
Version 4.54 is Released!

Last Updated: January 3, 2006 - 4:40 AM EST

What's New?

Quote:
[-Version 4.54-]

-Modified (Windows: Nullify Suspected WMF-Exploit Files {P} [Kye-U] {JJoe})
--Improved Matching Expression to be more specific to remove False Positives

-Modified (URL-Killer: Disable Script URL Exploits [Kye-U & Scott L.] (Out))
--Renamed to be compatible with Sidki's set
--Renamed to (!-URL-Killer: Disable Script URL Exploits [Kye-U & Scott L.] (Out))

-Modified (URL-Killer: Kill Suspicious Extensions [Kye-U] (Out))
--Restructured filter to follow format of non-standard key names
--Renamed to be compatible with Sidki's set
--Renamed to (!-URL-Killer: Kill Suspicious Extensions [Kye-U] (Out))

http://prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!

MD5: 1E602D6E8BD5816E1CD9D945221F2C1E

---------------------

For those who have problems with Proxomitron after merging this set, try my standalone version.

http://prxbx.com/forums/docs/Kye-U.Brows...dalone.zip

Download, Extract to Your Proxomitron Folder, Open Proxomitron.exe, click on Load Config, select "Kye-U.Browser.Security.Pack.v4.54.Standalone.cfg".

(The difference in this one is that it has window settings and everything a normal config has)

---------------------

WMF-Exploit Filters only. You need both.

Web Page Filter:

Code:
[Patterns]
Name = "Windows: Nullify Suspected WMF-Exploit Files [Kye-U] {JJoe}"
Active = TRUE
Limit = 18
Match = "[%00-%02][%00][%09][%00][%00][%03]([%00-%FF]+{10})[%00][%00]$SET(SS=1)PrxNeverMatch"
        "|[%26][%00-%FF][%09][%00]$TST(SS=1)"
Replace = "\k$ALERT(Suspected WMF-Exploit File Nullified on:\n\n\u\n\nProbable exploit and payload has been removed from the file.\n\nThe file is now harmless.)"

Header Filter:

Quote:
[HTTP headers]
In = TRUE
Out = FALSE
Key = "Content-Type: !!!Filter All File Types {P} [Kye-U] {JJoe} (In)"
URL = "$FILTER(true)"
Match = "(*|)image/gif(*|)$SET(1=image/jpeg)|\1"
Replace = "\1"
Jan. 04, 2006, 03:37 AM
Post: #366
 
Version 4.55 is Released!

Last Updated: January 3, 2006 - 10:36 PM EST

What's New?

Quote:
[-Version 4.55-]

-Modified (Content-Type: !!!Filter All File Types {P} [Kye-U] {JJoe} (In))
--Modified URL Match to not match local.ptron

-Modified (URL-Killer: Kill Suspicious Extensions [Kye-U] (Out))
--Improved compatibility

http://prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!

MD5: C786223CCD8752EA70533ECDCFE0F300

---------------------

For those who have problems with Proxomitron after merging this set, try my standalone version.

http://prxbx.com/forums/docs/Kye-U.Brows...dalone.zip

Download, Extract to Your Proxomitron Folder, Open Proxomitron.exe, click on Load Config, select "Kye-U.Browser.Security.Pack.v4.55.Standalone.cfg".

(The difference in this one is that it has window settings and everything a normal config has)

---------------------

WMF-Exploit Filters only. You need both.

Web Page Filter:

Code:
[Patterns]
Name = "Windows: Nullify Suspected WMF-Exploit Files [Kye-U] {JJoe}"
Active = TRUE
Limit = 18
Match = "[%00-%02][%00][%09][%00][%00][%03]([%00-%FF]+{10})[%00][%00]$SET(SS=1)PrxNeverMatch"
        "|[%26][%00-%FF][%09][%00]$TST(SS=1)"
Replace = "\k$ALERT(Suspected WMF-Exploit File Nullified on:\n\n\u\n\nProbable exploit and payload has been removed from the file.\n\nThe file is now harmless.)"

Header Filter:

Quote:
[HTTP headers]
In = TRUE
Out = FALSE
Key = "Content-Type: !!!Filter All File Types {P} [Kye-U] {JJoe} (In)"
URL = "(^local.ptron/)$FILTER(true)"
Match = "(*|)image/gif(*|)$SET(1=image/jpeg)|\1"
Replace = "\1"
Jan. 07, 2006, 09:57 PM
Post: #367
 
Version 4.56 is Released!

Last Updated: January 7, 2006 - 4:56 PM EST

What's New?

Quote:
[-Version 4.56-]

-Modified (Windows: Nullify Suspected WMF-Exploit Files {P} [Kye-U] {JJoe})
--Improved Matching Expression to match new variants

http://prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!

MD5: EC93A1D1AD29AEF4DF709D9D73B7F14D

---------------------

For those who have problems with Proxomitron after merging this set, try my standalone version.

http://prxbx.com/forums/docs/Kye-U.Brows...dalone.zip

Download, Extract to Your Proxomitron Folder, Open Proxomitron.exe, click on Load Config, select "Kye-U.Browser.Security.Pack.v4.56.Standalone.cfg".

(The difference in this one is that it has window settings and everything a normal config has)

---------------------

WMF-Exploit Filters only. You need both.

Web Page Filter:

Code:
[Patterns]
Name = "Windows: Nullify Suspected WMF-Exploit Files [Kye-U] {JJoe}"
Active = TRUE
Limit = 6
Match = "[%00-%02][%00][%09][%00][%00]([%01]|[%03])$SET(SS=1)PrxNeverMatch"
        "|[%26][%00-%FF][%09][%00]$TST(SS=1)"
Replace = "\k$ALERT(Suspected WMF-Exploit File Nullified on:\n\n\u\n\nProbable exploit and payload has been removed from the file.\n\nThe file is now harmless.)"

Header Filter:

Quote:
[HTTP headers]
In = TRUE
Out = FALSE
Key = "Content-Type: !!!Filter All File Types {P} [Kye-U] {JJoe} (In)"
URL = "(^local.ptron/)$FILTER(true)"
Match = "(*|)image/gif(*|)$SET(1=image/jpeg)|\1"
Replace = "\1"
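A standalone check of what the two-stage filter in the posts above actually matches, added here as an illustration; it is not Kye-U's or JJoe's code, and Proxomitron itself does not run Python. It follows the documented WMF layout: the filter's first alternative is the 18-byte standard header (type 0 to 2, header size 9 words, version 0x0100 or 0x0300), and its second alternative, the bytes 26 06 09 00, is a META_ESCAPE record (0x0626) whose escape function is SETABORTPROC (9), the record the MS06-001 exploit files relied on. The record constants are public format values; the two sample metafiles are constructed for the test and carry no payload.

```python
import struct

# WMF record function codes (public Windows Metafile format constants).
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103
META_EOF = 0x0000
# Escape sub-function that the MS06-001 exploit files used.
SETABORTPROC = 0x0009

HEADER_LEN = 18  # standard METAHEADER: 9 words


def wmf_header_looks_standard(data: bytes) -> bool:
    """First stage of the forum filter: type 0..2, header size 9 words,
    version 0x0100 or 0x0300 (the bytes 00 01 / 00 03 in the pattern)."""
    if len(data) < HEADER_LEN:
        return False
    mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", data, 0)
    return mt_type <= 2 and mt_header_size == 9 and mt_version in (0x0100, 0x0300)


def iter_records(data: bytes):
    """Walk the records after the header. Each record is
    size (u32, in 16-bit words), function (u16), parameters."""
    offset = HEADER_LEN
    while offset + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, offset)
        if size_words < 3:          # malformed size: stop instead of looping
            return
        params = data[offset + 6:offset + size_words * 2]
        yield offset, function, params
        if function == META_EOF:
            return
        offset += size_words * 2


def find_setabortproc_escape(data: bytes):
    """Second stage: return the offset of a META_ESCAPE record whose escape
    function is SETABORTPROC, or None. Byte-wise this is the 26 06 09 00
    sequence that the filter's [%26][%00-%FF][%09][%00] alternative matches."""
    if not wmf_header_looks_standard(data):
        return None
    for offset, function, params in iter_records(data):
        if function == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                return offset
    return None


def _record(function: int, params: bytes = b"") -> bytes:
    """Build one record; sizes are in 16-bit words, so pad to an even length."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", 3 + len(params) // 2, function) + params


def _wmf(records: list) -> bytes:
    """Build a memory metafile (type 1, version 0x0300) around the records."""
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (HEADER_LEN + len(body)) // 2, 0, max_words, 0)
    return header + body


# Constructed samples: a harmless metafile, and one carrying only a
# SETABORTPROC escape record with a zero-length argument (no payload),
# used to exercise the detector.
CLEAN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)),
                  _record(META_EOF)])
SUSPECT_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)),
                    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)),
                    _record(META_EOF)])

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_WMF), ("suspect", SUSPECT_WMF)):
        hit = find_setabortproc_escape(sample)
        print(name, "-> SETABORTPROC escape at offset", hit)
```

The parser walks records by their declared size instead of grepping for the four bytes, so a 26 06 09 00 sequence inside an ordinary bitmap record is not a hit; that is the kind of false positive the 4.54 post says the byte pattern was tightened to avoid. It only sees the bytes once they reach it, which is the point of the companion header filter: a response served as image/gif would otherwise bypass the web-page filter entirely.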
Jan. 17, 2006, 03:58 AM
Post: #368
 
Defuse "While-Loop" Browser Bombs is breaking some forums' dropdown menus - see prox-list for discussion under "Some filter killing drop down menus at xtreme systems forums".

Now I can bypass (and have bypassed) the security pack at those sites, but I just thought you might be able to revisit the filter - whether it's needed anymore, and maybe figure out a way to stop the "false positive" rather than just turning the filter off.
Jan. 29, 2006, 10:20 PM
Post: #369
 
Kye-U,

I tried to download the security packs 4.49, 4.50, and 4.51, but in each case the file name indicates that it is version 4.56. Why?
Mar. 27, 2006, 11:55 PM
Post: #370
 
Version 4.57 is Released!

Last Updated: March 27, 2006 - 6:56 PM EST

What's New?

Quote:
[-Version 4.57-]

-Added (IE: Detect createTextRange() Function [Kye-U])
--Gives user option to remove function or not
http://www.securityfocus.com/bid/17196/info

-Added (IE: Script Action Handler Exploit [hpguru] {Kye-U})
http://www.securityfocus.com/bid/17131/info

-Disabled (Windows: Nullify Suspected WMF-Exploit Files {P} [Kye-U] {JJoe})
-Disabled (Content-Type: !!!Filter All File Types {P} [Kye-U] {JJoe} (In))
--Due to WMF-Exploit being patched

-Removed (Defuse "While-Loop" Browser Bombs)
--Exploit is "obsolete"

http://prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!

MD5: 464F04BF0380C0CB02C278EE9B5A6086

---------------------

For those who have problems with Proxomitron after merging this set, try my standalone version.

http://prxbx.com/forums/docs/Kye-U.Brows...dalone.zip

Download, Extract to Your Proxomitron Folder, Open Proxomitron.exe, click on Load Config, select "Kye-U.Browser.Security.Pack.v4.57.Standalone.cfg".

(The difference in this one is that it has window settings and everything a normal config has)
Apr. 24, 2006, 06:48 PM
Post: #371
Firefox Remote Code Execution and DoS
Can a filter be created & added to your pack to deal with this vulnerability?

Software: Firefox Web Browser

Tested: Linux, Windows clients' version 1.5.0.2

Result: Firefox Remote Code Execution and Denial of Service - Vendor contacted, no patch yet.

Problem: A handling issue exists in how Firefox handles certain Javascript in js320.dll and xpcom_core.dll regarding iframe.contentWindow.focus(). By manipulating this feature a buffer overflow will occur.

Proof of Concept: http://www.securident.com/vuln/ff.txt
Apr. 25, 2006, 12:15 AM
Post: #372
 
simply can't resist throwin' in a little chuckle... Big Teeth
those that have been around a while know why, lol...

chuckle aside, I'll read up on the vuln. tomorrow and see if a fix comes to mind...
Kye-U may see somethin' faster than I (won't likely get to it 'til tom. aft-noon)...
Apr. 25, 2006, 01:28 AM
Post: #373
 
Would this new "chuckle" be similar to your previous "chuckle" from here?
http://prxbx.com/forums/viewtopic.php?t=743

Yeah, a perfect browser would be nice!
Apr. 25, 2006, 12:34 PM
Post: #374
 
lol, yep, same chuckle, call it a continuation, lol...
(stems from years upon years of saying, "you're vulnerable, you just don't know it yet"... false sense of security...)

yep, but since NO browser is "perfect", we have the grand ol' Proxo to tidy up a few jagged edges...


edit: seems that the easy fix is to simply "disable all scripts by default"...
guess I'm surprised more people don't do that by default anyway...
suppose another fix would be just to axe scripts containing iframe.contentWindow.focus()...
Jan. 13, 2009, 04:33 PM
Post: #375
RE: Browser Security Pack
Kye-U,
Now that a new sidki beta is imminent,
will you also be updating your browser security pack
(or is it good to go as is)?

soccerfan