Windows Shortcut Exploit Protection Tool

On the page which has the same title as the subject of this message (http://www.sophos.com/products/free-tools/sophos-windows-shortcut-exploit-protection-tool.html), the first paragraph ends with:

".... Our free, easy-to-use tool blocks this exploit from running on your computer."

From reading other posts on this subject, it is clear that this unqualified claim is quite misleading, even deceiving.  It does not say that the tool only "blocks this exploit" in very limited circumstances.

Apparently, by no means should we rely on the Sophos tool, and use MicrosoftFixit50487.msi to reverse the effects of using MicrosoftFixit50486.msi after installing it -- although, no representative of Sophos has advised us to do that.  (They do seem to believe that their security software will protect their customers without using the Microsoft FixIt.)

The third paragraph ends with:

".... Our tool will notify you if you happen to browse to an exploited link and it will block the exploit from running."

The meaning of this claim is simply not clear.  How does anyone "browse to an exploited link"?  The word "link" in the context of using a browser to fetch pages from web sites, by using an HTML hyperlink, is considerably different from the context of using a Windows shortcut, which is a file on the user's computer system, to launch an executable.  Like the first claim, this one is unequivocal but questionable, considering what has been revealed in the other posts on this subject.

If I cannot trust that Sophos is telling me everything that I really do need to know, then how can I trust the "tool" or any other Sophos software?



This thread was automatically locked due to age.
  • Hi Stardance,

    The tool covers cases where the .LNK and the target DLL are both on remote locations. I made this choice for the first release to reduce the number of false positives and deliver usable protection quickly. We have been working on a second version which would provide more protection while keeping the false positives low, but with Microsoft's announcement of a patch we are going to recommend that people patch, which is the best option.

    The comment about browsing references instances where the exploit is embedded in a website, which is another way the exploit can be used.

    We have been putting a lot of time into answering questions on the forum, blogs and our support line to make sure people have all the information they need.

    Let me know if you spot any other confusing statements and I will be glad to clarify them,

    Shai Gelbaum

    Product Manager
