Critical Flaw Found In Virtually All AV Software 279
Securityemo writes "The Register is running an article about a new method to bypass antivirus software, discovered by Matousec. By sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment, the antivirus can be completely bypassed. This attack is apparently much more reliable on multi-core systems. Here's the original research paper."
El Reg notes that "The technique works even when Windows is running under an account with limited privileges," but "it requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC."
AHHHHHHHH (Score:5, Funny)
Everybody turn your PCs off NOW! Why are you still reading?
Re:AHHHHHHHH (Score:5, Insightful)
Ubuntu (Score:5, Interesting)
I suppose that someday Linux will become a real target for virus writers; but between the good security model inherent to UNIX-based OSes and common sense, I doubt I'll need one for a long time.
Re:Ubuntu (Score:4, Interesting)
Re:Ubuntu (Score:5, Interesting)
Re:Ubuntu (Score:5, Insightful)
Which is totally profitless to a virus writer. I haven't even seen a virus like that on Windows for decades, and Windows has millions of viruses written for it.
So what if they do? Executing the sudo command is limited to the program you're sudo-ing, not your whole session. A program can't wait in the background and get root when someone types sudo.
Also you're side stepping the whole issue that most Linux distributions provide you with all the software you need so the whole running a third party executable is much less likely to happen. The only exceptions I can think of are Google Chrome and Dropbox.
I'm not saying Linux is infallible however the examples people like you list to try to pretend a Linux system is "just as bad" at security are ridiculous at best.
Re: (Score:2)
Some viruses are "ransom-ware" - they encrypt your files and send the key to the virus author. Then they demand money to get the key to unencrypt your files.
Comment removed (Score:4, Informative)
Re: (Score:3, Interesting)
Actually, it most certainly can. Exercise a little creativity.
Alias 'sudo' for a user to a script in the user's home directory that looks like sudo, and even executes sudo as the user thought they were, but also logs whatever password they typed. Bam, now you have the user's password and (in the vast majority of cases) the ability to gain root. All of this is quite easy to do, I've done it myself in the past. Takes about 3 minutes.
Re: (Score:3, Interesting)
That is why I always type /usr/bin/sudo instead of just sudo. And people call me paranoid...
Re:Ubuntu (Score:5, Funny)
Re: (Score:2)
Yes it can [deter.com].
Re:Ubuntu (Score:4, Insightful)
Das Auge made a reasonable statement - and you respond with that old stupidity. "It's all about market share". The Windows NT security model is in no way, shape, or form "superior" to the *nix security model. It is true that Linux gains a bit of security through obscurity. Market share does play a role. But I've said it before, I'll say it again: Linux systems, worldwide, guard more money and data than it would take to make thousands of hackers filthy rich. If it were easy, they would have done it already, instead of fighting over that huge Windows market share.
Re: (Score:2, Insightful)
So what is it about the Windows security model that's inferior to the Linux one? Because all of the documentation I've read says otherwise (SELinux aside).
Now, if you want to talk about Windows Explorer being weak with security, I'll buy that. If you want to talk about a culture of "don't care about security", I'll buy that. But don't tell me that the NT security model is weak.
Re: (Score:2)
The Windows and Linux security models are virtually identical if you exclude MAC (SELinux etc.). The main difference is that people actually understand the basic Unix model of users and groups and so they often manage to set their file permissions to something relatively sane. Practically no one uses the full power of ACLs on either system.
MAC makes a large difference though, so it's a bit unfair to exclude it.
The way that AV products intercept system calls has been known to be broken for years. Some Linux
Re:Ubuntu (Score:5, Informative)
The Windows and Linux security models are virtually identical if you exclude MAC (SELinux etc.).
Except for NT having no concept of a superuser and Linux utterly dependent on one to implement nearly all aspects of a usable system.
Except for the finest granularity in Linux being the group and in NT the user.
Except for the utter nightmare in Linux trying to create exclusionary or complicated sets of permissions with multiple users and/or groups.
Except for the NT ACLs applying to nearly all objects in the OS, and in Linux only things represented in the filesystem.
Except for NT ACLs controlling nearly all ways to manipulate an object and in Linux being limited to read, write and execute.
"Virtually the same" my arse. NT's security model is vastly more capable than traditional UNIX's.
The main difference is that people actually understand the basic Unix model of users and groups and so they often manage to set their file permissions to something relatively sane. Practically no one uses the full power of ACLs on either system.
NT's permissions capabilities are a superset of Linux's. If someone understands the latter, then they can implement something *at least* as good on the former with the same amount of effort.
Re: (Score:2)
So basically you agree that the NT security model is more powerful. Good.
Like I said, they are identical if you exclude MAC. They're both simple ACL file-based DAC systems. Since they're identical the NT security model isn't more powerful.
Once you include MAC, Linux is in a different league.
Re:Ubuntu (Score:4, Insightful)
ACLs don't make a ton of sense in the default configuration, and few people use them correctly (but luckily on Linux hardly anyone besides me uses them at all, so the problem is limited).
The "shitty" user/group/others system is understandable by regular users and they tend to use it correctly. There are cases where it isn't flexible enough. Most of those can be handled by asking the systems administrator (which tends to be the user anyway, these days) to set up an extra group, but otherwise setfacl works fine.
Re: (Score:2)
To be fair, they mostly closed off the shatter attack (after 8 years), we think. So it's not mostly down to implementation issues and having the interlocking parts much too tightly connected such that it's easy to accidentally create new holes. Beyond that, it's a matter of the culture MS has created and nurtured for years of software that expects to run with admin privileges even though it never should and users trained to just click OK on the incomprehensible dialog box that doesn't contain any useful inf
Re: (Score:2)
So what is it about the Windows security model that's inferior to the Linux one?
Well, most notably, the fact that execute permission is implicit in a filename, rather than being a separate attribute that must be manually set.
Re: (Score:3, Informative)
Re: (Score:2)
Comment removed (Score:5, Funny)
Re:Ubuntu (Score:4, Interesting)
But, an earlier poster mentioned the fact that corporate and financial institutions have all this money to pay high powered administrators. If the administrators are working with a decent operating system, and if the administrators are competent, then Enterprise is safe, right? And, the military too, right?
How's that British thing working out now? Windows for Submarines? The last I heard, it was down. Who has more expertise in securing computers than the US or the UK departments of defense? If THEY can't secure Windows, then who can?
Re: (Score:2, Funny)
And if Velma's desktop were set up properly, with her having a non-administrative account and the home partition mounted non-executable? Oh right, she wouldn't be able to run the malware.
Re: (Score:2)
How is Unix UID/GID equal to Windows ACLs? I'm genuinely curious, as looking at the permissions tab in Windows it looks like it's possible to have more fine grained permissions in Windows than in Unix. I thought SELinux was aimed at replicating that functionality and going a bit further!
Re: (Score:2)
One of the earlier posters has already admitted that ACL's are nearly equal between Linux and Windows, if administered with similar expertise - in the very same post in which he asked everyone to ignore SEL. You judge. Security Enhanced Linux is simply not available on Windows, to the best of my knowledge.
But, even restricting ourselves to ACL's - default Linux installations beat default Windows installations all to hell and back on workstation installations, and server installations are nearly equal for
Re: (Score:3, Informative)
Really? seems to differ [arstechnica.com] and wasn't the only reference I could find for microsoft.com defaced [bing.com] (seventh link).
Re: (Score:3, Informative)
http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xv_04-2010.en-us.pdf [symantec.com]
Targeted attacks focus on enterprises
Targeted attacks using advanced persistent threats (APT) that occurred in 2009 made headlines in early 2010.6 Most notable of these was the Hydraq Trojan (a.k.a., Aurora).7 In January 2010, reports emerged that dozens of large companies had been compromised by attackers using this Trojan.8 While these attacks were not novel in approach, the
Re: (Score:3, Interesting)
...Don't you think someone would love to serve malware from, or deface microsoft.com? It hasn't been,...
Was the part I was responding to not bold enough for you? There, I fixed it for you.
Re: (Score:3, Interesting)
Remedial reading 101 at a community college near you. Take it.
I SAID that Linux systems guard more than enough money and data to make thousands of hackers rich beyond their wildest dreams. I never inferred that they guard more money and data than Windows systems guard. While the latter MIGHT be true, I don't have the data necessary to draw such a conclusion. Common sense says that it's probably NOT true.
Re:Ubuntu (Score:4, Insightful)
In what way? And is it superior in totality or just superior to the parts of the linux security model that are actually used these days?
Of course, Linux may not have as much market share, but it is a much more attractive target. One critical server running linux is worth a lot more than 1000 XP desktop machines running solitaire.
Re: (Score:2)
Depends on your goal. If you want spam sluggers or if you want to collect access credentials to, say, online banking, paypal, Amazon or EBay, I'd go for the 1000 XP desktops.
Re: (Score:2)
One critical server running linux is worth a lot more than 1000 XP desktop machines running solitaire.
And what's in Fort Knox is worth a lot more than what's in 1000 local banks. Yet nationwide robbers persist in the lower value targets... I wonder if it might have anything to do with the people defending the wealth.
Re: (Score:2)
You're arguing MY point now. They hit the lower value XP targets because they can crack those!
Re: (Score:2)
Actually, my point was about the people behind the defense - Fort Knox is defended by trained and armed soldiers, banks by unarmed rent-a-cops. A critical Linux server is defended by a paranoid and capable admin, a desktop PC by McAfee/Norton and a clueless user.
Re: (Score:2)
I can buy that unskilled people being granted admin access could be the problem, but that's not a function of market share.
However, then we have to look at how possible it is for an ordinary user to get through their day without administrative privilege.
Re: (Score:2)
"I can buy that unskilled people being granted admin access could be the problem, but that's not a function of market share."
lolwut?
Do you mean to imply that the market share of "people who are not trained sysadmins" is even remotely comparable to the market share of "trained sysadmins"?
Increasing Linux market share would necessarily mean that less qualified and unskilled people would be running it. Linux will be hit double by increasing popularity, first because it will be more appealing as a target, secon
Re: (Score:2)
I mean the problem has distinct mechanisms. The market share model claims that more attackers target windows simply because it's more common and that it's exploited more simply because it's targeted more.
I maintain that (in part) it's more targeted because its unskilled admins make it an easier target. There is a difference.
Most importantly, the former suggests there is nothing to be done about it while the latter suggests that making things simple enough for unqualified people to sort of do it (badly) rat
Re: (Score:2)
Compare this to windows where most of software installs are done by clicking a setup.exe file. Yes there is the .msi windows installer available, but not everyone uses that.
Actually, third party frameworks like InstallShield and WISE are now based on Windows Installer, so most of those setup.exe files go through the same API.
Re: (Score:2)
Infect a linux web server and you can then infect 10,000 XP machines that visit the website.
Re: (Score:2)
Re: (Score:2)
Cnn.com would be a pretty nice target for a bad guy, they get a hit or two :-) Youtube would be a rather nice trophy as well. Think of all the poorly configured machines that visit that!
Re:Ubuntu (Score:4, Informative)
What? "Culture", better written _core_ utilities, and the open access to the base software rather than the secretive and obscure security models of NT all contribute massively to Linux security by comparison. The smaller system components are easier and safer to do well. Also, while the kernel of NT was based on VMS when David Cutler stole his old work from DEC, it was forced to integrate numerous historical poor choices of DOS, Windows 3.x, and Windows 95 to provide backwards compatibility. These have been a _disaster_ in security terms, and very difficult to address due to the closed nature of the code and difficulty of upgrading other components to preserve compatibility.
Some of the most "secure" components of NT, such as Active Directory, are actually due to its integration of far more secure open source components such as Kerberos, and its use of open standards such as DNS, DHCP, and LDAP to replace Microsoft's older versions of "NetBIOS" (which they also did not invent, it came from IBM and IBM discarded it years ago).
Re: (Score:2)
Also, while the kernel of NT was based on VMS when David Cutler stole his old work from DEC...
A nice example of what the patent and copyright systems do to progress...DEC dropped Mica, and Cutler resurrected the concept to the later benefit of tens of millions of consumers...but at Microsoft. Although I believe that DEC erred in dropping it, they (or at least the people I knew from DEC in the '80s and '90s) still didn't deserve the fate of being consumed by...shudder...Compaq.
There are those who argue that the security issues that have plagued Windows arise from the Intel architecture (which is cha
Re: (Score:2)
The Windows NT security model is actually more advanced and capable than the base Unix security model. It's only because of culture, better-written 3rd party programs and marketshare that Linux/Unix doesn't have a malware problem.
Don't forget that Linux has some "extra" patches to complement the UNIX security model. For example, GRSecurity and SELinux.
I suggest reading what SELinux is so you are able to reformulate such a claim. In fact, SELinux comes active by default on many desktop GNU/Linux distributions.
I believe Microsoft doesn't have anything close to a *formally-verified kernel* that enforces Mandatory Access Control. SELinux not only provides more and "deeper" MAC policies but its formal validation guarantees the correctness of
Re: (Score:2)
I would like to add that such SELinux policies are handled automatically by the package manager. For instance, if you install apache the corresponding policies are also installed. This tells the MAC kernel what apache CAN do (file access, memory, more than you can imagine), everything else is denied. If apache is hacked, the attacker can do little or nothing outside the scope of apache.
As you can see this ends up being (almost) transparent for the end user, in contrast to the Windows Policy Manager or the i
Re: (Score:2)
Re: (Score:2)
Notice how I said "base Unix security model".
My bad. My post is still valid though, for the distracted crowds.
In another post, I did actually mention SELinux. It is quite powerful, albeit a bit unruly for a regular user to administer. Thankfully, distros have done a good job with creating working default policies.
Indeed, like I said in the two previous posts.
And like everywhere else, uneducated users will just turn off SELinux if it starts messing with their runtime.
We always end up concluding that the best security framework can't protect users from their own stupidity.
Re: (Score:3, Insightful)
Bullshit. While it's true Windows has been victimized and targeted, there are fundamental security design flaws in NT that you won't find in UNIX.
For example ?
On UNIX, if you don't root the machine, you haven't taken it, and it's no trivial task to do remotely.
Funny you should mention root, given that a superuser is a fundamental design flaw Windows NT _doesn't_ have.
I Hate Windows (Score:2)
I normally use Mandriva, but the P/S (ShuttleX) died and I'm awaiting a replacement.
In the meantime, without another PC, I've been using my WinXP/VooDoo video box that I use for older 3Dfx games. It's all updated and I use Firefox, etc.
Within 24 hours of using it, it became infected and my email account got hacked. I've changed all my passwords, but damn GMail still locked down my mail account and my blog and won't tell me why. Any advice on that?
I hate Windows.
Re: (Score:2)
Re: (Score:2)
Having used Linux for a couple years now, I know that rebuilding your Linux machine was a monthly occurrence up until a year or so ago, and now it's every few months.
(My emphasis)
Erm.... you sure about that?!! There's a number of things Linux could be criticised for, but the need to rebuild really isn't one of them.
Re: (Score:2)
I think some early Linux security frameworks had a similar issue with swapping out parameters of system calls. The key word there is "had" - pretty much everyone knows not to write code that's vulnerable to this attack now, and even if they don't it's unlikely to be allowed into the kernel.
Re: (Score:2)
Aside from two games that I do need Windows for (both are on Steam, and WINE doesn't perform well enough like you said), I have any programs that I use that do not have Linux versions or equivalents.
As an aside, I am happy for you that your bicycle works well. Since work is 40 miles from home, my Blazer and Saturn get suffi
Re: (Score:2)
Joke's on them! (Score:5, Funny)
Re: (Score:2)
I don't run AV software! Ha!
Suuuuure you do, you just didn't install it. One of those nice PC bugs has probably already inoculated you against everything but itself ;-)
It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC.
So, if you're already infected then they can bypass your AV software ... hmm ...
I guess this is going to be a new attack vector for those 'fake AV' programs that download & run but can't do much harm because the user has a limited account.
Re: (Score:2)
I'd say the real critical flaw of antivirus software is that it costs money, steals system resources, and has no productive use. Wait a second - maybe antivirus software is just a virus that you KNOW about!
And yeah, I don't run any antivirus software either. I haven't run any for well over 20 years and I have yet to have any problems. Good security practices and an operating system that doesn't have much malware in the first place means that I've saved a lot of cash and time over the years.
Not really new (Score:5, Insightful)
These problems have been known for a while and used to defeat e.g. systrace in OpenBSD (CVE-2007-4305). It also does not affect AV software per se, but anomaly-based detection, which kicks in only if something bad is already running on your machine. If this approach is actually used in the wild, detection logic will be added for it. Business as usual, really.
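The race described in the summary ("sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment") and in this post (the systrace case) is the classic check-then-use, or double-fetch, failure: the hook validates an argument that still lives in memory the caller can write to, and the real call then re-reads that memory. The following C model is an added illustration and is not code from the Matousec paper, the systrace fix, or any AV product. The `call_args` struct, the `/blocked/` policy, and the `swap_to_blocked` mutator are constructed stand-ins for real kernel objects, and the competing thread is modelled as a deterministic callback invoked in the window between check and use so the outcome is reproducible. It shows the vulnerable hook beside the hardened form: copy the argument once into memory the caller cannot touch, validate the copy, and act only on that copy.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: an AV-style hook sits in front of a system call and
 * decides whether the call may proceed based on a path argument.  The
 * argument lives in caller-writable memory (like a user-mode buffer). */

#define PATH_MAX_LEN 64

struct call_args {
    char path[PATH_MAX_LEN];   /* argument in caller-controlled memory */
};

/* Constructed policy: anything under /blocked/ is denied. */
static bool policy_allows(const char *path) {
    return strncmp(path, "/blocked/", 9) != 0;
}

/* Models the second thread that rewrites the argument between the hook's
 * check and the kernel's use.  NULL means "no concurrent writer". */
typedef void (*mutator_fn)(struct call_args *);

/* Vulnerable hook: checks the shared buffer, then the call proceeds by
 * reading the shared buffer AGAIN (double fetch).  Returns the path the
 * call actually acted on, or NULL if the hook blocked it. */
const char *vulnerable_hook(struct call_args *shared, mutator_fn race,
                            char *out, size_t outlen) {
    if (!policy_allows(shared->path))        /* first fetch: the check */
        return NULL;
    if (race) race(shared);                  /* window: writer flips the argument */
    strncpy(out, shared->path, outlen);      /* second fetch: the use */
    out[outlen - 1] = '\0';
    return out;
}

/* Hardened hook: fetch once into memory the caller cannot reach, validate
 * the snapshot, and pass only the snapshot onward.  The same writer runs
 * in the same window but can no longer change what was validated. */
const char *hardened_hook(struct call_args *shared, mutator_fn race,
                          char *out, size_t outlen) {
    char snapshot[PATH_MAX_LEN];
    memcpy(snapshot, shared->path, PATH_MAX_LEN);   /* single fetch */
    snapshot[PATH_MAX_LEN - 1] = '\0';
    if (!policy_allows(snapshot))
        return NULL;
    if (race) race(shared);                  /* writer changes shared, not snapshot */
    strncpy(out, snapshot, outlen);
    out[outlen - 1] = '\0';
    return out;
}

/* Constructed concurrent writer: swaps a benign path for a denied one. */
static void swap_to_blocked(struct call_args *a) {
    strcpy(a->path, "/blocked/secret");
}

/* Runs one hook with the writer racing it.  Returns true if the call went
 * through on a path the policy would have denied, i.e. the hook was bypassed. */
bool hook_was_bypassed(bool hardened) {
    struct call_args args;
    char used[PATH_MAX_LEN];
    strcpy(args.path, "/tmp/benign");
    const char *acted = hardened
        ? hardened_hook(&args, swap_to_blocked, used, sizeof used)
        : vulnerable_hook(&args, swap_to_blocked, used, sizeof used);
    return acted != NULL && !policy_allows(acted);
}

/* Without a racing writer both hooks should agree: benign paths pass,
 * denied paths stop.  Returns true if the call was allowed. */
bool hook_allows_without_race(bool hardened, const char *path) {
    struct call_args args;
    char used[PATH_MAX_LEN];
    strncpy(args.path, path, PATH_MAX_LEN);
    args.path[PATH_MAX_LEN - 1] = '\0';
    const char *acted = hardened
        ? hardened_hook(&args, NULL, used, sizeof used)
        : vulnerable_hook(&args, NULL, used, sizeof used);
    return acted != NULL;
}

int main(void) {
    printf("vulnerable hook bypassed by the race: %s\n",
           hook_was_bypassed(false) ? "yes" : "no");
    printf("hardened hook bypassed by the race:   %s\n",
           hook_was_bypassed(true) ? "yes" : "no");
    return 0;
}
```

The point for anyone writing or evaluating such a hook is the single `memcpy`: the check and the use must operate on one copy that the caller cannot modify after the check. Detection logic added later for a specific malware family, as the post anticipates, does not remove the underlying window; only the copy-then-validate structure does.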
Re: (Score:2, Informative)
However for compatibi
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
And the malware will find different ways to get around that again of course.
Isn't this simply a case of when a system is compromised, it can not reliably detect this by itself? Viruses that switch off AV, that hide from AV, that pretend to be not there - of course this can happen when a system is compromised already, and when the process you are trying to detect knows it may be detected and can defend itself against this.
The only way to reliably detect whether a system is compromised is to take the hard d
Re: (Score:2, Interesting)
No way around strict privilege separation (Score:5, Insightful)
So it seems that relying on runtime checks doesn't just slow the system down, but also is vulnerable to concurrency attacks.
That may be alarming, but it's not like antivirus software was ever powerful enough to let users shut off their brains when using their computer.
Re:No way around strict privilege separation (Score:4, Interesting)
Also AV's main power for a long time has been on access/creation scanning. More or less it stops the viruses before they've a chance to become active. You run a virus scanner and anything coming in from the web, or a flash drive, or whatever is scanned. If a virus is detected, access is blocked. The virus can't get around that, since it isn't running. The AV stops it cold, before it has a chance to try anything.
Now that's not perfect, of course, the AV software has to have a signature for the virus, but it works pretty damn well. It is a good layer of security. Shouldn't be your only layer, but no layer should be your only layer.
This attack sounds like it is more useful against behavioural anti-virus. The AV notices a program doing shit it shouldn't and tries to stop it. Another good layer to have, but getting around it only gets you anywhere if you got the program to run in the first place.
As you say though, no matter what you just can't shut your brain off. There is no such thing as perfect security, physical or otherwise, and anyone who sells it to you is lying. Good security requires defense in depth and requires someone to be watching to make sure things are working and not getting broken through. AV software is useful, firewalls are useful, privilege separation (like UAC or sudo) is useful, but all of them still need you as a user not to be an idiot about it.
Re: (Score:2)
Unfortunately users do just that. I have AV, so I needn't watch out anymore.
A fitting car analogy would be the question whether they speed on an icy road just 'cause they got airbags.
All AV software? (Score:4, Interesting)
So.. (Score:5, Insightful)
Anti virus software has become increasingly ineffective? Potentially opens up even more venues for attack! The Windows system of limiting privileges isn't always effective??!!??!!
Next you'll be telling me that fire is hot, water is wet, sci.. you know the rest
I mean this is cool and all, it's a neat discovery... but I think the whole concept of anti virus software is critically flawed and has become completely ineffective.
Um, no... (Score:2)
This attack requires that badware is already running inside the machine it's trying to attack.
If badware is already running then ... um, how exactly does this attack up the ante?
Re: (Score:2)
The malware does not have to be running with administrative privileges in order to perform this attack. Otherwise, it is still pretty meh.
Re: (Score:2)
"the whole concept of anti virus software is critically flawed and has become completely ineffective"
I agree, but I'm still going to tell Grandpa to keep Norton updated. I also tell him not to browse pr0n sites, but since he saw Betty White on SNL last night I've got a whole new set of headaches to deal with!
Re: (Score:2)
I mean this is cool and all, it's a neat discovery... but I think the whole concept of anti virus software is critically flawed and has become completely ineffective.
Exactly. In fact, that's probably been the case since pretty much the coming of domestic broadband made botnets and related activity so huge. Really, I've not run any AV on my machine under my control since about 2001. I just make sure I'm using as little Microsoft software as possible, don't visit "strange" sites (outside of a VM at least!), and generally ignore any unexpected email attachments sent by anyone at all (and I strip out all executables at the mail gateway). That sounds like a lot of work, but
Found In Virtually All AV Software (Score:2)
They tested every obscure antivirus program out there, yet they did not test one of the most important ones -- Microsoft Security Essentials.
Seeing how obscure some of the tested AVs are, it's hard to believe their statement that "the only reason there are not more products in the following table is our time limitation."
Was MSE intentionally omitted because it is not vulnerable? Slashdot is more likely to reject such an article... It is actually very likely that MSE is not vulnerable, because Microsoft prod
Re: (Score:2)
You're right, they should have tested it. But I'd take serious issue with your contention that it's "one of the most important ones". MSE 1.0 was released on the 29th of September, 2009. So it's essentially a 7 month old product. I'd also note that it doesn't come as part of the OS, and it looks like you need to download and install the software yourself.
So given that, why do you think it's one of the most important ones?
Re: (Score:3, Informative)
MSSE is important for the following reasons:
1: it's from Microsoft, hence, the nontechies will trust it to run well (The old mentality that "Detroit knows best" when it comes to cars)
2: my testing indicates that MSSE is at least as effective as the "free" AV's, and possibly equal to the best paid AV's
3: the semi-computer literate can quickly find that MSSE is far less demanding of resources than almost any other AV
and
4: it's another "free" product which appeals to millions of people - AND any Bing search w
Re: (Score:2)
Anagram? (Score:5, Funny)
"To use Mac"? Hey!
Re: (Score:2, Interesting)
Follow Apple? (Score:2, Interesting)
Syscall Wrapper Exploits (Score:2)
Congratulations! (Score:2)
TFA has discovered "the rootkit".
Slashdot has really gone downhill (Score:2)
Okay, so basically your PC has some type of rootkit on it already. Then your AV is ineffective due to some obscure attack. Rent a clue, editors! If you have a rootkit, you are fucked anyway. There is no magical piece of software that will protect you from your machine being owned.... that is the definition of owned.
I can understand the general populace not getting this. I cannot understand Slashdot editors not getting such a basic concept.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
No, you are missing the point.
I have owned your machine. So, there is some exploit that now allows me to "fool" your AV. It requires pre-existing code. If I already have pre-existing code on your machine, then by definition I can do whatever I want on your machine. This has nothing to do with the AV software.
and this is why LIVE FILESYSTEM ROMs are needed (Score:4, Insightful)
Whatever platform the program is based on, if you are booted to the system you are trying to clean then you have already lost ground.
Of course a POSIX-type solution has the advantage of being mostly immune to the viruses on a Windows system.
So ... (Score:2)
So basically ...
It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC
Anyone who already has the ability to run a binary on your box can p0wn it ... well, no shit Sherlock. As that applies to every O/S, I wonder why Windows has been targeted as the "guilty party". Ah, Soulskill, say no more ...
Critical Flaw In "AV" Software? (Score:2)
And here I thought someone had found an exploit of a common audio-video codec, or just plain DCT or something interesting.
Anti-virus is an arms-race, and IMHO causes about as much problems as it solves. (Except the caused problems are rarely truly evil like the attacks stopped.)
Other examples where anti-virus software just fails;
* Decompression bombs
* McAfee's recent XP borking
* Even good reputable AV seems to have problems catching up with months-old malware
* Let's not start
Re:Flaw explained in plain English here (Score:4, Insightful)
All I see is an article that is applauding Apple for doing infrequent security updates for Safari, contrasted with Firefox, that does security updates with an - for that blogger - absolutely unbearable frequency and install time. Though, in objective reality, Firefox releases an update every two months or so and the update takes about a minute on any recent PC.
Also, I remember the rabid verbal attacks on Microsoft for NOT updating their browser fast and often enough. But Apple isn't perceived to leave known vulnerabilities unpatched like Microsoft did, they are seen as to spare their users from annoyances.
Their marketing dept is godlike.
Re: (Score:2)
Your evaluation of Trollaxor's article is spot on. The opening sentence tells us that his computer is left idle for "weeks at a time" - which might be a fortnight, or six months, or even a year. If he returns to his computer after weeks away from it, the system is going to offer updates anyway - be it Windows or Linux. The computing world doesn't stop just because he has his head up some mummy's ass, or whatever the hell he does at a dig. Hmmmm. Wonder what his wife or girlfriend is doing during all those
Re: (Score:2)
User downloads XYZ_INSTALLER
User runs XYZ_INSTALLER
User discovers that XYZ_INSTALLER needs better permissions to install.
User wants XYZ (that's why the user downloaded it), so user hands XYZ_INSTALLER the keys to the kingdom.
Part of the windows problem is that nearly all installers require escalation, therefore there is
Re:Is this a joke? (Score:4, Interesting)
Aka Dancing Pig Problem [wikipedia.org].
Re: (Score:2, Interesting)
Except there's a difference between "a program I want" and "a program I trust."
If a random UAC prompt comes up, there's a chance that the user might realize something is wrong.
If a UAC prompt comes up on something the user downloaded willingly, though, the user will click Allow. EVERY TIME.
Re:Antivirus Design Flaw (Score:5, Interesting)
Long, long, long ago, I was out of town, and my laptop got dicked. I wasn't about to pay for a new Windows disk, nor did I have time or money to have a professional fix it. I went into a computer shop, talked awhile, and came out with an OnTrack SystemSuite disk, for which I paid about 15 bucks. Booted to it, ran the AV utility, and found nothing. Ran the rest of the utilities, and found that an improper shutdown had corrupted my MBR. Fixed the MBR, and booted up. Money well spent.
And, yes, you are right. That is precisely what the rest of the AV industry needs to peddle. If you can't boot to a clean environment, you're just screwed, whether it be virus problems, or any number of other problems.
Re: (Score:3, Interesting)
That is precisely what the rest of the AV industry needs to peddle. If you can't boot to a clean environment, you're just screwed, whether it be virus problems, or any number of other problems.
I actually wonder why more don't do this. Back when I ran a brand-new copy of Windows 98, my copy of McAfee (I was young and didn't know any better!) came with a boot floppy for just that purpose. Surely with Windows PE the whole process would be trivial - boot to the PE, download the most recent AV signatures, an
Re: (Score:2)
* You could have done "fdisk /mbr" or "fixmbr" (as of Win XP) for free.
* Some antivirus software comes with bootable CDs; I once used such a live CD from Kaspersky, it boots into a flavour of Linux, has a Windows-like GUI, understands NTFS volumes, connects to the Internet to retrieve the latest updates.
Of course, I believe common sense is the best antivirus: http://www.lazybit.com/index.php/2007/08/05/why_i_dont_use_an_antivirus?blog=2 [lazybit.com]
Re: (Score:2)
Actually, there are a number of rescue disks available today - and some of them are perfectly free and legal to download and burn. Trinity comes readily to mind, which is based on Linux. The Geek Squad's CD has been pirated, and I've played with that - it has a boot menu, which allows you to load a *nix environment, or WinPE. I haven't explored that too thoroughly, but it's neat. Those are the *easiest* rescue CDs I've seen, but there are several more that require some degree of expertise in Linux to us
Re: (Score:2)
Well, you could have saved those 15 bucks by simply booting your installation disk to the recovery console, and running fixmbr. Done. :)
Been there.