Securityemo writes "The Register is running an article about a new method to bypass antivirus software, discovered by Matousec. By sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment, the antivirus can be completely bypassed. This attack is apparently much more reliable on multi-core systems. Here's the original research paper."
El Reg notes that "The technique works even when Windows is running under an account with limited privileges," but "it requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC."
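The check-then-use window the summary describes, as an added illustration that is not code from the original post or from Matousec's paper: a hook that validates an argument in memory the caller can still change, beside one that copies the argument first and works only from the copy. The request layout, the sandbox policy and the `swap_argument` callback that stands in for the racing thread are all constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a hook inspects a request whose argument still
   lives in memory the caller controls, the situation of an SSDT-style
   hook that reads a user-mode buffer before forwarding the call. */
typedef struct {
    char target[64];            /* the path the call will operate on */
} request_t;

/* Policy enforced by the hook: the caller may only touch its sandbox. */
static bool policy_allows(const char *target) {
    return strncmp(target, "/sandbox/", 9) == 0;
}

/* The guarded operation; it reports what it was actually asked to touch. */
static const char *perform(const char *target) {
    return target;
}

/* Whatever the caller can do while the hook is in flight. In the attack
   described above this is a second thread racing the hook; here it is a
   callback so the outcome is deterministic. */
typedef void (*race_fn)(request_t *req);

/* Vulnerable pattern: validate the argument where it lies, then let the
   real call fetch it again. The second fetch sees whatever is there now. */
const char *hook_check_in_place(request_t *req, race_fn race) {
    if (!policy_allows(req->target))
        return NULL;                      /* blocked */
    if (race)
        race(req);                        /* window between check and use */
    return perform(req->target);          /* second fetch of caller memory */
}

/* Hardened pattern: copy the argument once into memory the caller cannot
   reach, validate the copy, and forward the copy. Later changes to the
   caller's buffer cannot influence what is checked or what is done. */
const char *hook_snapshot(request_t *req, race_fn race,
                          char *snap, size_t snaplen) {
    if (snaplen == 0)
        return NULL;
    strncpy(snap, req->target, snaplen - 1);  /* the single fetch */
    snap[snaplen - 1] = '\0';
    if (!policy_allows(snap))
        return NULL;
    if (race)
        race(req);                        /* same window, now harmless */
    return perform(snap);
}

/* The "switch it out at the last moment" step, constructed for the demo. */
static void swap_argument(request_t *req) {
    strcpy(req->target, "/outside/secret");
}

/* Runs one benign-looking request through either hook and returns the
   target the guarded operation was actually handed (NULL if blocked). */
const char *run_scenario(bool hardened) {
    static request_t req;               /* static: returned pointer stays valid */
    static char snap[64];
    strcpy(req.target, "/sandbox/report.txt");   /* passes the policy check */
    return hardened ? hook_snapshot(&req, swap_argument, snap, sizeof snap)
                    : hook_check_in_place(&req, swap_argument);
}

int main(void) {
    printf("check-in-place acted on: %s\n", run_scenario(false));
    printf("snapshot acted on:       %s\n", run_scenario(true));
    return 0;
}
```

The in-place hook approves "/sandbox/report.txt" and then operates on "/outside/secret"; the snapshot hook operates on exactly what it approved.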
Since switching to Ubuntu, over three years ago, I haven't used AV.
I suppose that someday Linux will become a real target for virus writers; but between the good security model inherent to UNIX-based OSes and common sense, I doubt I'll need one for a long time.
The Windows NT security model is actually more advanced and capable than the base Unix security model. It's only because of culture, better-written 3rd party programs and marketshare that Linux/Unix doesn't have a malware problem.
I'd like to just step in here and point out that the security model means shit to a virus writer - so what I can't get root on your desktop, I can still encrypt your entire home directory and delete everything I have access to with just a simple program. The whole push for administration rights is only necessary when you need to hide the software, but if all these linux users aren't running AV, then what's the point of trying to hide yourself before you can get your root privileges. Someone, somewhere, will run a sudo command eventually...
Anonymous Coward writes, on Sunday May 09, @11:27AM (#32147186):
I can still encrypt your entire home directory and delete everything I have access to with just a simple program
Which is totally profitless to a virus writer. I haven't even seen a virus like that on Windows for decades, and Windows has millions of viruses written for it.
Someone, somewhere, will run a sudo command eventually..
So what if they do? Executing the sudo command is limited to the program you're sudo-ing, not your whole session. A program can't wait in the background and get root when someone types sudo.
Also you're sidestepping the whole issue that most Linux distributions provide you with all the software you need, so the whole running a third-party executable is much less likely to happen. The only exceptions I can think of are Google Chrome and Dropbox.
I'm not saying Linux is infallible however the examples people like you list to try to pretend a Linux system is "just as bad" at security are ridiculous at best.
A program can't wait in the background and get root when someone types sudo.
Actually, it most certainly can. Exercise a little creativity.
Alias 'sudo' for a user to a script in the user's home directory that looks like sudo, and even executes sudo as the user thought they were, but also logs whatever password they typed. Bam, now you have the user's password and (in the vast majority of cases) the ability to gain root. All of this is quite easy to do, I've done it myself in the past. Takes about 3 minutes.
Das Auge made a reasonable statement - and you respond with that old stupidity. "It's all about market share". The Windows NT security model is in no way, shape, or form "superior" to the *nix security model. It is true that Linux gains a bit of security through obscurity. Market share does play a role. But I've said it before, I'll say it again: Linux systems, worldwide, guard more money and data than it would take to make thousands of hackers filthy rich. If it were easy, they would have done it already, instead of fighting over that huge Windows market share.
So what is it about the Windows security model that's inferior to the Linux one? Because all of the documentation I've read says otherwise (SELinux aside).
Now, if you want to talk about Windows Explorer being weak with security, I'll buy that. If you want to talk about a culture of "don't care about security", I'll buy that. But don't tell me that the NT security model is weak.
The Windows and Linux security models are virtually identical if you exclude MAC (SELinux etc.). The main difference is that people actually understand the basic Unix model of users and groups and so they often manage to set their file permissions to something relatively sane. Practically no one uses the full power of ACLs on either system.
MAC makes a large difference though, so it's a bit unfair to exclude it.
The way that AV products intercept system calls has been known to be broken for years. Some Linux
The Windows and Linux security models are virtually identical if you exclude MAC (SELinux etc.).
Except for NT having no concept of a superuser and Linux utterly dependent on one to implement nearly all aspects of a usable system.
Except for the finest granularity in Linux being the group and in NT the user.
Except for the utter nightmare in Linux trying to create exclusionary or complicated sets of permissions with multiple users and/or groups.
Except for the NT ACLs applying to nearly all objects in the OS, and in Linux only things represented in the filesystem.
Except for NT ACLs controlling nearly all ways to manipulate an object and in Linux being limited to read, write and execute.
"Virtually the same" my arse. NT's security model is vastly more capable than traditional UNIX's.
The main difference is that people actually understand the basic Unix model of users and groups and so they often manage to set their file permissions to something relatively sane. Practically noone uses the full power of ACL's on either system.
NT's permissions capabilities are a superset of Linux's. If someone understands the latter, then they can implement something *at least* as good on the former with the same amount of effort.
ACLs don't make a ton of sense in the default configuration, and few people use them correctly (but luckily on Linux hardly anyone besides me uses them at all, so the problem is limited).
The "shitty" user/group/others system is understandable by regular users and they tend to use it correctly. There are cases where it isn't flexible enough. Most of those can be handled by asking the systems administrator (which tends to be the user anyway, these days) to set up an extra group, but otherwise setfacl works fine.
No, that's a shell feature. KDE and GNOME have had the same flaw. You name something.desktop and it will be executed/interpreted by the KDE/GNOME shell. The NT kernel uses the same mechanism as Unix for permissions.
Can I call bullshit please? Y'all want to know that "magic secret" as to why even with all that money floating around Linux don't get hacked, and Windows does? Here you go...
Uuuhhhhh....I really hate to burst your reality bubble there, bud, but there is a reason why all the Linux servers aren't getting pwned and the Windows desktops are. It is because they have these things called server admins and they are usually pretty damned smart. They are also really anal retentive when it comes to anything security related. With good reason, after all they are getting paid the big bucks to be. Meet Glenn. Say hi Glenn (I'm busy, go away) not a very social creature, Glenn is a Linux server admin. He spends most of his time on security websites and learning about the latest nasty when he isn't testing a new tweak on the test server to see if he can get an extra .05% performance under load. In his free time he enjoys black hat conferences, which his employer is happy to pay him to attend.
Now we are going to meet an average Windows desktop user. Meet Velma. Say hi Velma (Hi Y'all!) isn't she sweet? Little Velma works at the local insurance agency. They love her there because she can take one look at a customer and without looking up a shred of paperwork say something like this "Hi Bob! How's your oldest girl? You know she's about ready to get her learner's permit so I've already looked up the most affordable coverage for her. Does she have really good grades? She can get an extra discount if she does" and so on. Little Velma is really good at generating sales. She is sweet and friendly and always knows your name and remembers all about your family. Everybody loves little Velma.
/cue ominous music/......But we here in the PC business have a nickname for little Velma, one that she don't know about but is well earned it is....the disaster area! Dum dum dum! That is because little Velma is the trusting kind of sort, and on a computer that equals danger. Let's watch as little Velma interacts with her friendly neighborhood PC repairman, a big but lovable biker looking chap known on the net as hairyfeet... /feet/ Now Velma, we have talked about this. You shouldn't mess with email attachments, I don't care who they are from. And if it is a .zip that you have to put a password to open it is a virus and you shouldn't touch it! /Velma/ But my bff Kim sent me this! See there is her name and everything! I'm sure it will be safe! /feet/ Velma look, it is an executable and NOT happy puppy pictures! Do NOT run that! /Velma/ Oh, you worry too much. My bff Kim wouldn't send me anything bad. (inputs password, runs .exe, porn popups start flooding the screen while the network gets pounded) ooops. /feet/ ....... [roflposters.com]
And now you have seen an actual demonstration of why Linux is safe on servers. It is safe on servers because it is administered by guys like Glenn, say goodbye Glenn (I'm busy!) and does NOT have any Velma types mucking it up. Say goodbye Velma (Bye Y'all!). If you were to let Velma and all her friends loose on Linux, if they didn't break them immediately they would become spambots in no time. It is because the malware writers have already figured out how to use a sinister concept called social engineering to target Velma and her types VERY effectively. Glenn isn't very social (Bite Me!) and is a naturally cynical creature and therefore social engineering really isn't an effective tool on his type. This is why Linux can enjoy the freedom to operate on so many servers across America without the constant malware like poor Velma gets. Tune in next week when we meet Bob, the Windows network admin, also known as the "where the hell is the damned disk?" guy.
But, an earlier poster mentioned the fact that corporate and financial institutions have all this money to pay high powered administrators. If the administrators are working with a decent operating system, and if the administrators are competent, then Enterprise is safe, right? And, the military too, right?
How's that British thing working out now? Windows for Submarines? The last I heard, it was down. Who has more expertise in securing computers than the US or the UK departments of defense? If THEY can't secure Windows, then who can?
Remedial reading 101 at a community college near you. Take it.
I SAID that Linux systems guard more than enough money and data to make thousands of hackers rich beyond their wildest dreams. I never inferred that they guard more money and data than Windows systems guard. While the latter MIGHT be true, I don't have the data necessary to draw such a conclusion. Common sense says that it's probably NOT true.
In what way? And is it superior in totality or just superior to the parts of the linux security model that are actually used these days?
Of course, Linux may not have as much market share, but it is a much more attractive target. One critical server running linux is worth a lot more than 1000 XP desktop machines running solitaire.
What? "Culture", better written _core_ utilities, and the open access to the base software rather than the secretive and obscure security models of NT all contribute massively to Linux security by comparison. The smaller system components are easier and safer to do well. Also, while the kernel of NT was based on VMS when David Cutler stole his old work from DEC, it was forced to integrate numerous historical poor choices of DOS, Windows 3.x, and Windows 95 to provide backwards compatibility. These have been a _disaster_ in security terms, and very difficult to address due to the closed nature of the code and difficulty of upgrading other components to preserve compatibility.
Some of the most "secure" components of NT, such as Active Directory, are actually due to its integration of far more secure open source components such as Kerberos, and its use of open standards such as DNS, DHCP, and LDAP to replace Microsoft's older versions of "NetBIOS" (which they also did not invent, it came from IBM and IBM discarded it years ago).
Suuuuure you do, you just didn't install it. One of those nice PC bugs has probably already inoculated you against everything but itself ;-)
It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC.
So, if you're already infected then they can bypass your AV software... hmm...
I guess this is going to be a new attack vector for those 'fake AV' programs that download & run but can't do much harm because the user has a limited account.
These problems have been known for a while and used to defeat e.g. systrace in OpenBSD (CVE-2007-4305). It also does not affect AV software per se, but anomaly-based detection, which kicks in only if something bad is already running on your machine. If this approach is actually used in the wild, detection logic will be added for it. Business as usual, really.
Yep. Furthermore this requires not just admin privileges, but also being able to load a kernel module, which has been severely restricted under 64-bit Windows (the driver's catalog has to be signed by Microsoft). Still, many people use Windows XP with an admin account, but the flaw itself does not lie with the AVs themselves -- a few of them will even warn when a program attempts to load an unsigned kernel driver. KAV also warns when running an unsigned program from outside Program Files.
And the malware will find different ways to get around that again of course.
Isn't this simply a case of when a system is compromised, it cannot reliably detect this by itself? Viruses that switch off AV, that hide from AV, that pretend to be not there - of course this can happen when a system is compromised already, and when the process you are trying to detect knows it may be detected and can defend itself against this.
The only way to reliably detect whether a system is compromised is to take the hard d
Also AV's main power for a long time has been on access/creation scanning. More or less it stops the viruses before they've a chance to become active. You run a virus scanner and anything coming in from the web, or a flash drive, or whatever is scanned. If a virus is detected, access is blocked. The virus can't get around that, since it isn't running. The AV stops it cold, before it has a chance to try anything.
Now that's not perfect, of course, the AV software has to have a signature for the virus, but it works pretty damn well. It is a good layer of security. Shouldn't be your only layer, but no layer should be your only layer.
This attack sounds like it is more useful against behavioural anti-virus. The AV notices a program doing shit it shouldn't and tries to stop it. Another good layer to have, but getting around it only gets you anywhere if you got the program to run in the first place.
As you say though, no matter what you just can't shut your brain off. There is no such thing as perfect security, physical or otherwise, and anyone who sells it to you is lying. Good security requires defense in depth and requires someone to be watching to make sure things are working and not getting broken through. AV software is useful, firewalls are useful, privilege separation (like UAC or sudo) is useful, but all of them still need you as a user not to be an idiot about it.
All AV software seems a little broad. This only seems to cover virus utilities that prevent viruses from attaching in the first place. I fail to see how this vulnerability would affect the large portion of AV utilities that are simply scanners... e.g. clamav, etc.
Anti virus software has become increasingly ineffective? Potentially opens up even more venues for attack! The Windows system of limiting privileges isn't always effective??!!??!!
Next you'll be telling me that fire is hot, water is wet, sci.. you know the rest
I mean this is cool and all, it's a neat discovery... but I think the whole concept of anti virus software is critically flawed and has become completely ineffective.
They tested every obscure antivirus program out there, yet they did not test one of the most important ones -- Microsoft Security Essentials.
Seeing how obscure some of the tested AVs are, it's hard to believe their statement that "the only reason there are not more products in the following table is our time limitation."
Was MSE intentionally omitted because it is not vulnerable? Slashdot is more likely to reject such an article... It is actually very likely that MSE is not vulnerable, because Microsoft prod
You're right, they should have tested it. But I'd take serious issue with your contention that it's "one of the most important ones". MSE 1.0 was released on the 29th of September, 2009. So it's essentially a 7 month old product. I'd also note that it doesn't come as part of the OS, and it looks like you need to download and install the software yourself.
So given that, why do you think it's one of the most important ones?
1: it's from Microsoft, hence, the nontechies will trust it to run well (The old mentality that "detroit knows best" when it comes to cars) 2: my testing indicates that MSSE is at least as effective as the "free" AV's, and possibly equal to the best paid AV's 3: the semi-computer literate can quickly find that MSSE is far less demanding of resources than almost any other AV and 4: it's another "free" product which appeals to millions of people - AND any Bing search w
Can someone tell me what the difference is between this and syscall wrapper exploits which have been known about long enough to be lectured in undergraduate security courses?
All I see is an article that is applauding Apple for doing infrequent security updates for Safari, contrasted with Firefox, that does security updates with an - for that blogger - absolutely unbearable frequency and install time. Though, in objective reality, Firefox releases an update every two months or so and the update takes about a minute on any recent PC.
Also, I remember the rabid verbal attacks on Microsoft for NOT updating their browser fast and often enough. But Apple isn't perceived to leave known vulnerabilities unpatched like Microsoft did, they are seen as to spare their users from annoyances.
Your evaluation of Trollaxor's article is spot on. Opening sentence tells us that his computer is left idle for "weeks at a time" - which might be a fortnight, or six months, or even a year. If he returns to his computer after weeks away from it, the system is going to offer updates anyway - be it Windows or Linux. The computing world doesn't stop just because he has his head up some mummy's ass, or whatever the hell he does at a dig. Hmmmm. Wonder what his wife or girlfriend is doing during all those
Limited accounts only help when the user CAN'T give permissions, but that's certainly not reality on home desktops, where that user is God even if the account he is using doesn't say so.
User downloads XYZ_INSTALLER
User runs XYZ_INSTALLER
User discovers that XYZ_INSTALLER needs better permissions to install.
User wants XYZ (that's why the user downloaded it) so user hands XYZ_INSTALLER the keys to the kingdom.
Part of the windows problem is that nearly all installers require escalation, therefore there is
Long, long, long ago, I was out of town, and my laptop got dicked. I wasn't about to pay for a new Windows disk, nor did I have time or money to have a professional fix it. I went into a computer shop, talked awhile, and came out with an OnTrack SystemSuite disk, for which I paid about 15 bucks. Booted to it, ran the AV utility, and found nothing. Ran the rest of the utilities, and found that an improper shutdown had corrupted my MBR. Fixed the MBR, and booted up. Money well spent.
And, yes, you are right. That is precisely what the rest of the AV industry needs to peddle. If you can't boot to a clean environment, you're just screwed, whether it be virus problems, or any number of other problems.
That is precisely what the rest of the AV industry needs to peddle. If you can't boot to a clean environment, you're just screwed, whether it be virus problems, or any number of other problems.
I actually wonder why more don't do this. Back when I ran a brand-new copy of Windows 98, my copy of McAfee (I was young and didn't know any better!) came with a boot floppy for just that purpose. Surely with Windows PE the whole process would be trivial - boot to the PE, download the most recent AV signatures, an
AHHHHHHHH (Score:5, Funny)
Everybody turn your PCs off NOW! Why are you still reading?
Re:Ubuntu (Score:4, Informative)
A program can't wait in the background and get root when someone types sudo.
When password caching is turned on (like it is by default in Ubuntu) yes, it can.
Re: (Score:3, Interesting)
That is why I always type /usr/bin/sudo instead of just sudo. And people call me paranoid...
Re: (Score:3, Informative)
Really? Seems to differ [arstechnica.com], and wasn't the only reference I could find for microsoft.com defaced [bing.com] (seventh link).
Re: (Score:3, Informative)
http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xv_04-2010.en-us.pdf [symantec.com]
Targeted attacks focus on enterprises
Targeted attacks using advanced persistent threats (APT) that occurred in 2009 made headlines in early 2010. Most notable of these was the Hydraq Trojan (a.k.a., Aurora). In January 2010, reports emerged that dozens of large companies had been compromised by attackers using this Trojan. While these attacks were not novel in approach, the
Re: (Score:3, Interesting)
...Don't you think someone would love to serve malware from, or deface microsoft.com? It hasn't been,...
Was the part I was responding to not bold enough for you? There, I fixed it for you.
Re: (Score:3, Interesting)
Remedial reading 101 at a community college near you. Take it.
I SAID that Linux systems guard more than enough money and data to make thousands of hackers rich beyond their wildest dreams. I never inferred that they guard more money and data than Windows systems guard. While the latter MIGHT be true, I don't have the data necessary to draw such a conclusion. Common sense says that it's probably NOT true.
Re:Ubuntu (Score:4, Insightful)
In what way? And is it superior in totality or just superior to the parts of the linux security model that are actually used these days?
Of course, Linux may not have as much market share, but it is a much more attractive target. One critical server running linux is worth a lot more than 1000 XP desktop machines running solitaire.
Re:Ubuntu (Score:4, Informative)
What? "Culture", better written _core_ utilities, and the open access to the base software rather than the secretive and obscure security models of NT all contribute massively to Linux security by comparison. The smaller system components are easier and safer to do well. Also, while the kernel of NT was based on VMS when David Cutler stole his old work from DEC, it was forced to integrate numerous historical poor choices of DOS, Windows 3.x, and Windows 95 to provide backwards compatibility. These have been a _disaster_ in security terms, and very difficult to address due to the closed nature of the code and difficulty of upgrading other components to preserve compatibility.
Some of the most "secure" components of NT, such as Active Directory, are actually due to its integration of far more secure open source components such as Kerberos, and its use of open standards such as DNS, DHCP, and LDAP to replace Microsoft's older versions of "NetBIOS" (which they also did not invent, it came from IBM and IBM discarded it years ago).
Re: (Score:3, Insightful)
Bullshit. While it's true Windows has been victimized and targeted, there are fundamental security design flaws in NT that you won't find in UNIX.
For example ?
On UNIX, if you don't root the machine, you haven't taken it, and it's no trivial task to do remotely.
Funny you should mention root, given that a superuser is a fundamental design flaw Windows NT _doesn't_ have.
Re: (Score:2)
Joke's on them! (Score:5, Funny)
Re: (Score:2)
I don't run AV software! Ha!
Suuuuure you do, you just didn't install it. One of those nice PC bugs has probably already inoculated you against everything but itself ;-)
It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC.
So, if you're already infected then they can bypass your AV software ... hmm ...
I guess this is going to be a new attack vector for those 'fake AV' programs that download & run but can't do much harm because the user has a limited account.
Not really new (Score:5, Insightful)
These problems have been known for a while and used to defeat e.g. systrace in OpenBSD (CVE-2007-4305). It also does not affect AV software per se, but anomaly-based detection, which kicks in only if something bad is already running on your machine. If this approach is actually used in the wild, detection logic will be added for it. Business as usual, really.
Re: (Score:2, Informative)
However for compatibi
Re: (Score:2)
Re: (Score:2)
And the malware will find different ways to get around that again of course.
Isn't this simply a case of when a system is compromised, it can not reliably detect this by itself? Viruses that switch off AV, that hide from AV, that pretend to be not there - of course this can happen when a system is compromised already, and when the process you are trying to detect knows it may be detected and can defend itself against this.
The only way to reliably detect whether a system is compromised is to take the hard d
No way around strict privilege separation (Score:5, Insightful)
So it seems that relying on runtime checks doesn't just slow the system down, but also is vulnerable to concurrency attacks.
That may be alarming, but it's not like antivirus software was ever powerful enough to let users shut off their brains when using their computer.
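The two comments above (the one comparing this to the systrace race in OpenBSD, and the one about runtime checks being open to concurrency attacks) both describe the same check-then-use window. Here is an added illustration of that window and of the usual fix; it is a constructed user-space model, not code from the Matousec paper or from any AV product. A caller-writable buffer stands in for user memory, an explicit callback stands in for the moment the caller's second thread gets scheduled between the check and the use, and the "/tmp/ only" policy is invented for the demo. The hardened wrapper captures the argument into memory the caller cannot reach before validating it, and passes only the captured copy onward, which is what removes the window.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define PATH_MAX_LEN 64

/* Hypothetical policy for the demo: only paths under /tmp/ are allowed. */
static bool policy_allows(const char *path) {
    return strncmp(path, "/tmp/", 5) == 0;
}

/* The real operation. It records the path it actually acted on so the
 * caller (and the test) can see what got through the wrapper. */
static void real_handler(const char *path, char *acted_on, size_t n) {
    snprintf(acted_on, n, "%s", path);
}

/* Models the scheduling window between check and use: in a real system the
 * caller's other thread runs here; in this model it is an explicit callback. */
typedef void (*window_fn)(char *shared_arg);

/* Check-then-use on the shared buffer. The policy check and the handler
 * each read the caller's memory, so a write in the window reaches the
 * handler without ever having been checked. Returns -1 if rejected. */
int wrapper_vulnerable(char *shared_arg, window_fn window,
                       char *acted_on, size_t n) {
    if (!policy_allows(shared_arg))
        return -1;
    if (window) window(shared_arg);      /* caller's second thread runs */
    real_handler(shared_arg, acted_on, n);
    return 0;
}

/* Capture-then-check. The argument is copied into a private buffer first,
 * the copy is validated, and only the copy is handed to the handler. The
 * caller can still write its own buffer, but nothing reads it again. */
int wrapper_hardened(char *shared_arg, window_fn window,
                     char *acted_on, size_t n) {
    char captured[PATH_MAX_LEN];
    snprintf(captured, sizeof captured, "%s", shared_arg);
    if (!policy_allows(captured))
        return -1;
    if (window) window(shared_arg);      /* same window, now harmless */
    real_handler(captured, acted_on, n);
    return 0;
}

/* Constructed race: the caller's other thread rewrites the argument after
 * the check has already passed. */
static void rewrite_argument(char *shared_arg) {
    snprintf(shared_arg, PATH_MAX_LEN, "%s", "/home/user/private.txt");
}

/* Runs both wrappers on the same benign input with the race active.
 * Returns 1 when the vulnerable wrapper acted on the rewritten value and
 * the hardened one acted only on the value it checked. */
int demo(void) {
    char arg[PATH_MAX_LEN], v[PATH_MAX_LEN], h[PATH_MAX_LEN];
    snprintf(arg, sizeof arg, "%s", "/tmp/benign.txt");
    wrapper_vulnerable(arg, rewrite_argument, v, sizeof v);
    snprintf(arg, sizeof arg, "%s", "/tmp/benign.txt");
    wrapper_hardened(arg, rewrite_argument, h, sizeof h);
    printf("vulnerable wrapper acted on: %s\n", v);
    printf("hardened wrapper acted on:   %s\n", h);
    return strcmp(v, "/tmp/benign.txt") != 0 && strcmp(h, "/tmp/benign.txt") == 0;
}

/* Sanity check with no race: a disallowed path is rejected by both. */
int rejects_disallowed(void) {
    char arg[PATH_MAX_LEN], out[PATH_MAX_LEN];
    snprintf(arg, sizeof arg, "%s", "/home/user/private.txt");
    return wrapper_vulnerable(arg, NULL, out, sizeof out) == -1 &&
           wrapper_hardened(arg, NULL, out, sizeof out) == -1;
}

int main(void) {
    return (demo() && rejects_disallowed()) ? 0 : 1;
}
```

The model deliberately makes the window explicit rather than racing real threads, so the outcome is deterministic; on a live system the window is a matter of scheduling, which is why the original article reports the trick working more reliably on multi-core machines. The defensive point does not change: a monitor that re-reads caller-controlled memory after validating it has no check at all, and the fix is to validate a captured copy, not the caller's buffer.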
Re:No way around strict privilege separation (Score:4, Interesting)
Also AV's main power for a long time has been on access/creation scanning. More or less it stops the viruses before they've a chance to become active. You run a virus scanner and anything coming in from the web, or a flash drive, or whatever is scanned. If a virus is detected, access is blocked. The virus can't get around that, since it isn't running. The AV stops it cold, before it has a chance to try anything.
Now that's not perfect, of course, the AV software has to have a signature for the virus, but it works pretty damn well. It is a good layer of security. Shouldn't be your only layer, but no layer should be your only layer.
This attack sounds like it is more useful against behavioural anti-virus. The AV notices a program doing shit it shouldn't and tries to stop it. Another good layer to have, but getting around it only gets you anywhere if you got the program to run in the first place.
As you say though, no matter what you just can't shut your brain off. There is no such thing as perfect security, physical or otherwise, and anyone who sells it to you is lying. Good security requires defense in depth and requires someone to be watching to make sure things are working and not getting broken through. AV software is useful, firewalls are useful, privilege separation (like UAC or sudo) is useful, but all of them still need you as a user not to be an idiot about it.
All AV software? (Score:4, Interesting)
So.. (Score:5, Insightful)
Anti virus software has become increasingly ineffective? Potentially opens up even more venues for attack! The Windows system of limiting privileges isn't always effective??!!??!!
Next you'll be telling me that fire is hot, water is wet, sci.. you know the rest
I mean this is cool and all, it's a neat discovery... but I think the whole concept of anti virus software is critically flawed and has become completely ineffective.
Um, no... (Score:2)
This attack requires that badware is already running inside the machine it's trying to attack.
If badware is already running then ... um, how exactly does this attack up the ante?
Found In Virtually All AV Software (Score:2)
They tested every obscure antivirus program out there, yet they did not test one of the most important ones -- Microsoft Security Essentials.
Seeing how obscure some of the tested AVs are, it's hard to believe their statement that "the only reason there are not more products in the following table is our time limitation."
Was MSE intentionally omitted because it is not vulnerable? Slashdot is more likely to reject such an article... It is actually very likely that MSE is not vulnerable, because Microsoft prod
Re: (Score:2)
You're right, they should have tested it. But I'd take serious issue with your contention that it's "one of the most important ones". MSE 1.0 was released on the 29th of September, 2009. So it's essentially a 7 month old product. I'd also note that it doesn't come as part of the OS, and it looks like you need to download and install the software yourself.
So given that, why do you think it's one of the most important ones?
Re: (Score:3, Informative)
MSSE is important for the following reasons:
1: it's from Microsoft, hence, the nontechies will trust it to run well (The old mentality that "Detroit knows best" when it comes to cars)
2: my testing indicates that MSSE is at least as effective as the "free" AV's, and possibly equal to the best paid AV's
3: the semi-computer literate can quickly find that MSSE is far less demanding of resources than almost any other AV
and
4: it's another "free" product which appeals to millions of people - AND any Bing search w
Anagram? (Score:5, Funny)
"To use Mac"? Hey!
Follow Apple? (Score:2, Interesting)
Syscall Wrapper Exploits (Score:2)
and this is why LIVE FILESYSTEM ROMs are needed (Score:4, Insightful)
whatever platform the program is based on if you are booted to the system you are trying to clean then you have already lost ground.
of course a Posix type solution has the advantage of being mostly immune to the viruses on a Windows system.
Re:Flaw explained in plain English here (Score:4, Insightful)
All I see is an article that is applauding Apple for doing infrequent security updates for Safari, contrasted with Firefox, that does security updates with an - for that blogger - absolutely unbearable frequency and install time. Though, in objective reality, Firefox releases an update every two months or so and the update takes about a minute on any recent PC.
Also, I remember the rabid verbal attacks on Microsoft for NOT updating their browser fast and often enough. But Apple isn't perceived to leave known vulnerabilities unpatched like Microsoft did, they are seen as to spare their users from annoyances.
Their marketing dept is godlike.
Re: (Score:2)
Your evaluation of Trollaxor's article is spot on. Opening sentence tells us that his computer is left idle for "weeks at a time" - which might be a fortnight, or six months, or even a year. If he returns to his computer after weeks away from it, the system is going to offer updates anyway - be it Windows or Linux. The computing world doesn't stop just because he has his head up some mummy's ass, or whatever the hell he does at a dig. Hmmmm. Wonder what his wife or girlfriend is doing during all those
Re: (Score:2)
User downloads XYZ_INSTALLER
User runs XYZ_INSTALLER
User discovers that XYZ_INSTALLER needs better permissions to install.
User wants XYZ (that's why the user downloaded it) so user hands XYZ_INSTALLER the keys to the kingdom.
Part of the windows problem is that nearly all installers require escalation, therefore there is
Re:Is this a joke? (Score:4, Interesting)
Aka Dancing Pig Problem [wikipedia.org].
Re:Antivirus Design Flaw (Score:5, Interesting)
Long, long, long ago, I was out of town, and my laptop got dicked. I wasn't about to pay for a new Windows disk, nor did I have time or money to have a professional fix it. I went into a computer shop, talked awhile, and came out with an OnTrack SystemSuite disk, for which I paid about 15 bucks. Booted to it, ran the AV utility, and found nothing. Ran the rest of the utilities, and found that an improper shutdown had corrupted my MBR. Fixed the MBR, and booted up. Money well spent.
And, yes, you are right. That is precisely what the rest of the AV industry needs to peddle. If you can't boot to a clean environment, you're just screwed, whether it be virus problems, or any number of other problems.
Re: (Score:3, Interesting)
That is precisely what the rest of the AV industry needs to peddle. If you can't boot to a clean environment, you're just screwed, whether it be virus problems, or any number of other problems.
I actually wonder why more don't do this. Back when I ran a brand-new copy of Windows 98, my copy of McAfee (I was young and didn't know any better!) came with a boot floppy for just that purpose. Surely with Windows PE the whole process would be trivial - boot to the PE, download the most recent AV signatures, an