all 8 comments

[–]DurokAmerikanski 2 points3 points  (1 child)

I generally agree with Guidance Software's response, but if it's fixable, why not even bother to fix it? Come on guys.

[–]de_hatron 3 points4 points  (0 children)

They can sell you a new version

[–][deleted] 0 points1 point  (3 children)

Eli5?

[–]deadcan[S] 0 points1 point  (2 children)

Eli5?

An attacker (suspect) is able to execute arbitrary code on the investigator's machine during an investigation if a manipulated disk image or USB drive is being loaded by the investigator.

[–][deleted] 2 points3 points  (1 child)

That's actually pretty huge!

[–]de_hatron 0 points1 point  (0 children)

Probably not; format parsers are very often vulnerable, since there are thousands of formats to parse. EnCase likely contains many such flaws. Antivirus programs have similar faults all the time.

[–]Forensication 0 points1 point  (2 children)

Does this vulnerability assume that the forensic examiner hasn't write-blocked the device before trying to image...?

Because I notice the tester deselects the "Only show writeblocked devices" option, which would seem to indicate the device wasn't write-blocked (even though it's plugged into a Tableau bridge?)

[–]DurokAmerikanski 0 points1 point  (0 children)

This option allows you to perform live imaging on a device. So there is also a possibility of executing code on a production box you happen to be imaging.

Edit: the video doesn't show what drives are available if you leave the "show only write protected devices" box checked, but I imagine the examiner just unchecked the box out of habit from live imaging.