GeSWall 2.5.1 is Available

01/10/07 Posted by geswall

Link: http://www.gentlesecurity.com/download.html

GeSWall 2.5.1 is a minor update that fixes several issues, including:

- Integrity enforcement fix for certain file operations that could truncate an existing file to zero size. Special thanks to Moonforest for reporting this issue.
- McAfee SiteAdvisor compatibility fix.
- Identification by name is enabled for applications that have identical version-info identities.

Application Database update is issued

01/09/07 Posted by geswall

An application database update is issued for these applications:

- Internet Explorer (web browsers): fix for the Java Runtime Environment (JRE) from sun.com
- Geminisoft Pimmy (e-mail clients): application rules fix
- Windows Live Messenger (Messengers)

The updates are received automatically or on demand via GeSWall's tray icon menu.

Network Shares Access

01/02/07 Posted by geswall

There is a known trick to bypass DropMyRights: using a network share on the loop-back interface, e.g.:
ren \\localhost\c$\windows\system32\malware.exe cmd.exe

This is a limitation of remote impersonation. DropMyRights creates a restricted token, which cannot be impersonated on a remote server. The contents of the process token are irrelevant there: the user's logon session is used to create the impersonated token on the remote machine. Normally a process with a restricted token cannot access network shares, but it is still possible for some types of restricted tokens, as the DropMyRights example shows. Additionally, there are other weaknesses in the Windows access control and impersonation model, which we noted in the article and advisory.

GeSWall is not vulnerable to this trick, as an isolated application cannot access network shares by default. GeSWall denies it by restricting access to the corresponding named pipes:

iexplore.exe READONLY access to \\127.0.0.1\IPC$\srvsvc (File)
iexplore.exe READONLY access to \Device\NamedPipe\wkssvc (File)

Access can be granted by additional application rules for these resources:

\Device\NamedPipe\wkssvc
\\ServerName\

Note that Windows Vista has the same limitation for restricted tokens. However, DropMyRights is superseded there by integrity levels. Integrity levels had a similar loop-back interface vulnerability in the Windows Vista betas, which allowed privilege elevation from the low integrity level (Protected Mode). This particular issue with integrity levels is fixed, but there are still weak points that could lead to privilege elevation, e.g. Protected Mode's MIC brokers, virtualized files shared among all processes, etc. We'll post more info on this.
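As an added audit check (not code from GeSWall or DropMyRights), the following script, run inside a process launched under DropMyRights or another isolation tool, reports whether that process's token is restricted and whether the loop-back admin share is still reachable, i.e. whether the limitation described above applies. The share path \\127.0.0.1\C$ and the read-only probe of its Windows directory are assumptions; the script only tests for existence and creates or renames nothing.

```powershell
# Added example: verify whether a restricted-token process can still reach a loop-back share.
$sig = @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool IsTokenRestricted(IntPtr TokenHandle);
'@
# Add-Type -MemberDefinition already imports System and System.Runtime.InteropServices.
$adv = Add-Type -MemberDefinition $sig -Name 'TokenCheck' -Namespace 'Audit' -PassThru

function Test-RestrictedToken {
    # WindowsIdentity.Token is the handle of the current process (or thread) token.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return [bool]$adv::IsTokenRestricted($id.Token)
}

function Test-LoopbackShare {
    param([string]$Share = '\\127.0.0.1\C$')   # assumed: admin share on the loop-back interface
    $probe = Join-Path $Share 'Windows'
    try {
        # Read-only existence check; the share is opened through the logon session,
        # not through the process token, which is exactly the gap described above.
        return [bool](Test-Path -LiteralPath $probe -ErrorAction Stop)
    } catch {
        return $false
    }
}

$restricted = Test-RestrictedToken
$reachable  = Test-LoopbackShare
"Token restricted : $restricted"
"Loop-back share  : $(if ($reachable) { 'REACHABLE' } else { 'blocked' })"
if ($restricted -and $reachable) {
    Write-Warning 'The restricted token does not prevent loop-back share access; the isolation tool must block the share or its named pipes (srvsvc/wkssvc) itself.'
}
```

Under GeSWall the probe should report "blocked" for an isolated application unless a rule for \\ServerName\ or \Device\NamedPipe\wkssvc has been added.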

More e-mail and multimedia applications

12/26/06 Posted by geswall

An update with new pre-configured applications is issued for GeSWall 2.5.

Multimedia:

- Windows Media Player 11
- Media Player Classic

Mail Clients:

- Pop Peeper
- Pimmy

Note: the updates are received automatically or can be triggered on demand from GeSWall's tray icon menu.

KeyHook demo

12/08/06 Posted by geswall

KeyHook is a demo keylogger. It uses a global keyboard hook, installed via keyhook.dll, to intercept keystrokes.

GeSWall prevents interception of keystrokes in other processes. The interception is blocked by preventing the global hook and the loading of the untrusted DLL.

Link: http://www.diamondcs.com.au/processguard/keyhook.exe
