NEWS FROM THE LAB - Wednesday, December 17, 2008

Exploit Shield - F-Secure's Solution to Zero-Day Exploits

Posted by Response @ 10:45 GMT

Our previous post highlighted a recently disclosed vulnerability in Microsoft Internet Explorer… and noted that there are currently websites hosting exploits that target it. Today our Vulnerability Response team would like to offer you our Security Labs' solution, which is now publicly available for download.

We call it Exploit Shield.

Exploit Shield protects against exploits both responsively and proactively. It has both shields and generic heuristics that monitor for and block suspected malicious activity. It logs attack attempts and will also report suspicious URLs to our Real-time Protection Network (Footnote1). New shields are delivered via our automatic update channel servers.

Exploit Shield Technology Preview

Vulnerability Shields offer "patch-equivalent protection". Our Vulnerability Analysts, primarily based in Kuala Lumpur, publish vulnerability advisories and detections (used by our Health Check service, Footnote2). The Vulnerability team then uses the analysis to create exploit shields. A shield either applies a hotpatch or disables the vulnerable ActiveX plugin.

This is what shield details look like:

Exploit Shield Beta, CVE-2008-3008

The Proactive Measures currently block suspected malicious activity in Internet Explorer and Mozilla Firefox. This component of the beta uses heuristics to monitor for behavioral techniques common to many types of exploits. We've tested the proactive component against a couple of malicious sites targeting the vulnerability, and the attacks have been successfully blocked.

As noted above, Exploit Shield has the option to report malicious websites that are blocked.

What do we do with the reported URL? The Response Lab will use it to respond faster. We have "HoneyMonkey"-like systems to collect the exploit samples. Thus we'll have a greater ability to collect exploits and add signature detections to protect all of our customers. Exploit Shield users will help contribute to everyone's protection while remaining protected.

You can download a wmv video by Patrik demonstrating Exploit Shield in action.

Exploit Shield wmv

You will find the download link for the beta on our Labs site.

Download Exploit Shield

Our Vulnerability Response team has been working very hard during the last few days to make this beta release ready at this time. Remember, it's still in beta, and you can help them by testing and by providing feedback. A big thank you is due to all those involved.

Footnote1: The current version of our DeepGuard Technology utilizes cloud-based networking lookups to our Real-time Protection Network. We'll cover that in a future weblog post.

Footnote2: Try Health Check. It's free and assists in updating and patching third-party applications.