Monday, July 13, 2009

The fox in the henhouse?

2532618591_85f4393493_b Some time back I ranted about ParetoLogic which was used to be known as the makers of a rogue security product (XoftSpy). Today I can rant once again about them:

They’ve published a blogpost insinuating that Firefox 3.5 has a remote code execution vulnerability. I’ve tried to inquire if they notified Mozilla about the issue, but after 4 days (!!!) my comment still awaits moderation or it has been directly deleted.

So I decided to look a little more into the problem (from the safety of a VM) and arrived to the same conclusion as the F-Secure people: this is not a FF issue, rather a Flash / other third-party software issue. The given pages seem to contain a link to an “attack kit” which tries to detect the browser version / available plugins, after which it tries to send down a targeted exploit.

What I would have liked from ParetoLogic:

  • Research the issue in more detail (a remotely exploitable bug in the up-to-date version of a popular browser is not an issue which should be taken lightly)
  • It is ok to make mistakes, but one should stand up to their mistakes and admit that s/he was wrong (update the original post)
  • Don’t moderate user comments into oblivion (why do you have the “Comments” link then?)

Currently, my opinion still stands: they are a “grey-zone” company and you should avoid their products.

Picture taken from mikebaird's photostream with permission.

9 comments:

  1. Too late for me, cdman! I bought (yes, I know, stupid me!) Regcure when I was having serious pc problems. The actual product helped, but along with it came a hidden programme.

    On a regular basis a Paretologic anti-spyware programme which I hadn't knowingly downloaded would scan my pc and then tell me I needed to buy the product immediately as my pc was swarming with malware and spyware! This was a complete lie as I use anti-spyware software weekly on my pc.

    I got so fed up I removed the Regcure and the Paretologic along with it, unfortunately there is still something there, because now I regularly get an error message saying that Paretologic tried to open but couldn't.

    I wish I'd never heard of them!

    ReplyDelete
  2. @Evie: I'm sorry to hear that. Probably your best option is to back up all your data and reinstall the operating system (if you an unsure on how to do it, you should get somebody versed in IT to do it, since dataloss can be very frustrating).

    Two free AV products which I can recommend are AVG and Avast. Microsoft is also coming out with a product which should be quite good (Microsoft Security Essentials), but it is in beta currently.

    ReplyDelete
  3. Thanks, but I think I'll stick with the error message for the time being. I'm thinking about getting a new laptop fairly soon anyway and I have a desktop if I get really fed up with it.

    Oh, and thanks for the AV recs. I've used Panda for about three years now and have been happy with it. I also use Ad-Aware for the spyware. :)

    ReplyDelete
  4. Jerome7:28 PM

    Hi there,

    I am the author of MalwareDiaries. Your post was forwared to me by someone in my company.

    Let me clarify a few things:

    - The comments section in our blog sucks! Why is it there, I'm not sure?? You have to register and everything and then it gets sent not to me, and probably gets lost! lol
    Anyway, I welcome all comments, so the best is to use the email address, right below my picture.
    As a matter of fact, someone did contact me the other day about the new Mac trojan. I edited my post to be fair very soon after.

    - The Firefox issue: well it is definitely an oversight on my part. I will take note and modify the original blog post.
    However, F-Secure makes a better judgment on this than you do. They remind users that having the latest browser does not mean you are safe. You need to check for updates to all the add-ons for your browser as well.
    When I did the test, I downloaded FF 3.5 and never thought about checking the out of date plugins. Mea culpa.

    Finally, I'd like to say that I try to do the best work that I can. I enjoy blogging and finding out new threats. I have made mistakes, but I also have learned from them and hopefully will not repeat them!! lol
    And to the fair, who has never been wrong about something?
    Also, my intent is never bad. Like I say the Firefox thing was an oversight.

    I invite you to contact me directly via email and we can have a chat about some of your concerns. Soem of your accusations are quite harsh, and normally I would not even care to answer and start a war of words. But this is about my blog which I care about :-)

    Jerome Segura

    ReplyDelete
  5. I've written many comments about corrections in the Blog. They were never posted and the blog have still many analyse noobs errors..

    ReplyDelete
  6. Jerome1:56 AM

    Merci S!Ri pour le compliment d'etre un noob ;-)

    I will try to resolve the comments section, either remove them or find a way to actually have them sent to me.

    ReplyDelete
  7. No problem :)
    Posting and posting again for corrections and being censored is a bit disappointing.
    Is the censorship problem solved ? So we can speak on your forum.

    You recently post about new DNS.Changer hosts you found. Well, there's 1 or 2 every day, pointing to the same IP. ;)
    You also post about an Italian new malware. Well, it's still DNS.Changer, it's not new and it is not Italian. The email/address used for registration are fake. The site is not Hosted in Italy but in Netherlands.
    You also wrote about new Fake Alert Trojan. Well it's not new, watch this: http://siri-urz.blogspot.com/2009/07/trojan-downloaderwin32fraudload_11.html

    ReplyDelete
  8. Jerome7:25 PM

    I agree with you, you should be able to post.
    There is no censorship. Just a poorly configured WordPress plugin that I'm trying to fix.
    In the meantime, I gave an email address for people to be able to get in touch with me (which they have).

    For the other comments you made, you are right and I appreciate the feedback. I obviously need to do more thorough research before I blog about something.
    I guess having the comments working on the blog would really help then, wouldn't it?

    I will take all this criticism and hopefully provide a better and more accurate content on the blog.

    Merci.

    ReplyDelete
  9. Jerome11:24 PM

    S!Ri
    Your comments are being posted as the new moderator in charge is finding them.
    They were never censored, simply that they were not being looked at. They can't be posted until they have been verified for spam, which is being done now.
    See, I'm not a bad guy after all, am I?

    http://forums.paretologic.com/showthread.php?t=9390

    vivalatube.com is hosted at WORLDSTREAM (Holland).
    Do not trust DNS registration Name/eMail/Country, they are fake.
    - Sometimes usefull because used many times to register
    - Sometimes taken from stolen payment cards
    ...

    I have collected many of those DNS.Changer DNS. Email registration are changing constantly

    ReplyDelete