posted by martyb on Wednesday July 30 2014, @10:04PM
from the watching-the-watchers dept.

El Reg reports:

Organisations should get their antivirus products security tested before deployment because the technology across the board dangerously elevates attack surfaces, COSEINC researcher Joxean Koret says.

COSEINC is a Singapore security outfit that has run a critical eye over 17 major antivirus engines and products and found dangerous local and remotely-exploitable vulnerabilities in 14.

Koret's analysis also suggests that antivirus companies fail by requiring overly extensive privileges, not signing product updates and delivering those over insecure HTTP, running excessive old code and not conducting proper source code reviews and fuzzing.

The hall of shame included Avira, BitDefender, ESET, and Panda, with multiple remote and local vulnerabilities, some subsequently patched and others remaining as zero-days.

While the core antivirus engines were mostly built with the defensive measure Address Space Layout Randomisation in place, many other components were not, including the user interfaces and libraries. Some major products had disabled data execution prevention.

AV engines were often built in C which led to vulnerabilities like buffer and integer overflows, installed operating system drivers that provided for local privilege escalation and supported a laundry list of file formats resulting in bugs within the respective parsers.

"AV engines make your computer more vulnerable with a varying degree of performance penalty [and] is as vulnerable to zero day attacks as the applications it tries to protect from. [It] can even lower the operating system exploiting mitigations."

"Some AV companies don't give a f**k about security in their products."

Some antivirus products were more responsive than others to Koret's disclosures, including Avast, which ran a bug bounty and paid out an undisclosed sum for the bugs. The largest vendors weren't notified, as they should already be dedicating their sizable resources to vulnerability research.

Also covered by Tom's Hardware and Security Week. You can access the slides from the presentation on-line or as a PDF.
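Editor's worked example (not from the El Reg article, Koret's slides, or any AV vendor): a toy length-prefixed container parser of the kind an AV engine runs over every incoming file, in a vulnerable form and a hardened form. The format, the field names, NAME_MAX and the three sample files are constructed for this example. The bug class shown, a 32-bit `off + len` bounds check that wraps plus an unchecked copy into a fixed-size field, is the generic "buffer and integer overflow in a file-format parser" problem the summary describes, not a specific finding from the research.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed container format (hypothetical; not any real AV-scanned format):
 *   u32le name_len | name bytes | u32le body_len | body bytes
 * Both lengths come from the file, i.e. from the attacker, exactly as in the
 * format parsers an AV engine runs over every incoming file. */
#define NAME_MAX 32

struct record {
    char name[NAME_MAX];   /* NUL-terminated copy of the name field */
    const uint8_t *body;   /* points into the input buffer */
    uint32_t body_len;
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The bounds test as legacy 32-bit parsers often write it.  off + len wraps
 * modulo 2^32: off = 9 and len = 0xFFFFFFF8 sum to 1, which is "in bounds". */
int naive_fits(uint32_t off, uint32_t len, uint32_t size)
{
    return off + len <= size;
}

/* Overflow-proof form: compare against what remains; never add. */
int safe_fits(uint32_t off, uint32_t len, uint32_t size)
{
    return off <= size && len <= size - off;
}

/* Vulnerable parser: copies name_len bytes into the fixed-size name field
 * without checking NAME_MAX (memory overrun), and uses the wrapping check, so
 * a crafted body_len is accepted and later reads run past the input. */
int parse_record_vuln(const uint8_t *buf, uint32_t size, struct record *rec)
{
    uint32_t off = 0, name_len;
    if (size < 4) return -1;
    name_len = rd32le(buf + off); off += 4;
    if (!naive_fits(off, name_len, size)) return -1;
    memcpy(rec->name, buf + off, name_len);      /* overruns when name_len >= NAME_MAX */
    rec->name[name_len] = '\0';
    off += name_len;
    if (!naive_fits(off, 4, size)) return -1;
    rec->body_len = rd32le(buf + off); off += 4;
    if (!naive_fits(off, rec->body_len, size)) return -1;
    rec->body = buf + off;
    return 0;
}

/* Hardened parser: every length is checked against both the remaining input
 * and the destination's capacity before use, with no wrapping arithmetic. */
int parse_record_safe(const uint8_t *buf, uint32_t size, struct record *rec)
{
    uint32_t off = 0, name_len;
    if (!safe_fits(off, 4, size)) return -1;
    name_len = rd32le(buf + off); off += 4;
    if (name_len >= NAME_MAX) return -1;         /* keep one byte for the NUL */
    if (!safe_fits(off, name_len, size)) return -1;
    memcpy(rec->name, buf + off, name_len);
    rec->name[name_len] = '\0';
    off += name_len;
    if (!safe_fits(off, 4, size)) return -1;
    rec->body_len = rd32le(buf + off); off += 4;
    if (!safe_fits(off, rec->body_len, size)) return -1;
    rec->body = buf + off;
    return 0;
}

/* Constructed sample files. */
static const uint8_t good_file[] = {
    5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o', 3, 0, 0, 0, 'a', 'b', 'c'
};
/* body_len = 0xFFFFFFF8 at off = 9: the naive check wraps and passes, so the
 * vulnerable parser reports a 4 GB body inside a 10-byte file. */
static const uint8_t wrap_file[] = {
    1, 0, 0, 0, 'a', 0xF8, 0xFF, 0xFF, 0xFF, 'z'
};
/* name_len = 40 > NAME_MAX: the hardened parser rejects it; the vulnerable
 * one would memcpy 40 bytes into a 32-byte field (not executed here). */
static const uint8_t long_name_file[] = {
    40, 0, 0, 0,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0, 0, 0, 0
};

int main(void)
{
    struct record rec;
    int rc = parse_record_safe(good_file, sizeof good_file, &rec);
    printf("safe good_file: rc=%d name=%s body_len=%u\n", rc, rec.name, rec.body_len);
    rc = parse_record_safe(wrap_file, sizeof wrap_file, &rec);
    printf("safe wrap_file: rc=%d\n", rc);
    rc = parse_record_vuln(wrap_file, sizeof wrap_file, &rec);
    printf("vuln wrap_file: rc=%d body_len=0x%x (accepted)\n", rc, rec.body_len);
    rc = parse_record_safe(long_name_file, sizeof long_name_file, &rec);
    printf("safe long_name_file: rc=%d\n", rc);
    return 0;
}
```

The two checks differ only in arithmetic direction: `off + len <= size` can wrap, `len <= size - off` cannot once `off <= size` is known. Fuzzing with lengths near 2^32 and near the destination size is the cheapest way to find parsers that got this wrong, which is the kind of testing the summary says vendors skipped.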

  • (Score: 3, Informative) by Subsentient (1111) on Wednesday July 30 2014, @10:08PM (#75725)

    Buffer overruns? Is this the 1980s? Why do I still see sprintf() in modern, new code rather than snprintf()? Why do people forget bounds checking in for loop copies? Do you know how long it's been since I caught a bug like that in my shit? Damn. Almost as bad as K&R braces.

    --
    "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
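Editor's added example for the sprintf()/snprintf() point above (my own code, not posted by anyone in this thread and not from any AV product): the unbounded call, the bounded call with its truncation check, and the less obvious snprintf() trap where accumulating return values after a truncation wraps the remaining-size argument and turns the next call back into sprintf(). The buffer sizes, the line format and the sample detection names are made up for the demonstration.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LINE_CAP 32

/* 1. The 1980s version: sprintf cannot see how big dst is, so a long
 *    detection name walks straight off the end of the caller's buffer. */
void fmt_sprintf(char *dst, const char *name)
{
    sprintf(dst, "detected: %s", name);
}

/* 2. snprintf bounds the write but silently clips.  Its return value is the
 *    length the full string would have had, so n >= cap means truncation.
 *    Returns 0 on success, -1 if the output was clipped. */
int fmt_snprintf(char *dst, size_t cap, const char *name)
{
    int n = snprintf(dst, cap, "detected: %s", name);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return 0;
}

/* 3. The snprintf-specific trap.  Building a line from several pieces with
 *    len += snprintf(buf + len, cap - len, ...) works until one piece is
 *    clipped: len then exceeds cap, cap - len wraps to a huge size_t, and the
 *    next call writes without any bound at all.  This appender clamps. */
struct line {
    char buf[LINE_CAP];
    size_t len;
    bool clipped;
};

int line_append(struct line *l, const char *fmt, ...)
{
    if (l->clipped || l->len >= sizeof l->buf)   /* never compute a wrapped remainder */
        return -1;
    size_t room = sizeof l->buf - l->len;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(l->buf + l->len, room, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= room) {
        l->len = sizeof l->buf - 1;   /* vsnprintf already NUL-terminated buf[cap-1] */
        l->clipped = true;
        return -1;
    }
    l->len += (size_t)n;
    return 0;
}

/* Assemble one report line from untrusted fields and tell the caller whether
 * the result is complete, instead of handing back a silently shortened string. */
int build_line(struct line *l, const char *file, const char *sig)
{
    l->len = 0; l->clipped = false; l->buf[0] = '\0';
    if (line_append(l, "%s", file) != 0) return -1;
    if (line_append(l, " -> ") != 0) return -1;
    if (line_append(l, "%s", sig) != 0) return -1;
    return 0;
}

int main(void)
{
    char small[16];
    struct line l;
    /* Constructed inputs: a name that fits and one built to be too long. */
    const char *short_sig = "Eicar";
    const char *long_sig  = "Trojan.Generic.VeryLongFamilyName.Variant.0001";
    int rc = fmt_snprintf(small, sizeof small, short_sig);
    printf("bounded short: rc=%d \"%s\"\n", rc, small);
    rc = fmt_snprintf(small, sizeof small, long_sig);
    printf("bounded long:  rc=%d \"%s\"\n", rc, small);
    rc = build_line(&l, "a.exe", short_sig);
    printf("line ok:       rc=%d \"%s\"\n", rc, l.buf);
    rc = build_line(&l, "a.exe", long_sig);
    printf("line clipped:  rc=%d \"%s\" len=%zu\n", rc, l.buf, l.len);
    /* fmt_sprintf(small, long_sig) would overrun `small`; deliberately not run. */
    return 0;
}
```

Swapping sprintf for snprintf removes the write past the buffer but not the logic bug: a clipped signature name or path that the caller treats as complete is still wrong, and the accumulate-the-return-value idiom reintroduces the overflow. Checking `n >= cap` on every call, and refusing to append once clipped, closes both.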
    • (Score: 2, Insightful) by darkfeline (1030) on Wednesday July 30 2014, @10:11PM (#75726)

      Writing secure code is really hard, especially in languages like C that give you ample rope to hang yourself and your coworkers too. Even the most experienced programmer will make a mistake now and then, and let's not forget most programmers are nowhere near experienced.

      --
      Join the SDF Public Access UNIX System today!
      • (Score: 4, Funny) by Subsentient (1111) on Wednesday July 30 2014, @10:16PM (#75729)

        Indeed. I'm no master of anything other than C and was once mediocre in Python. That's why I don't learn C++, because I know it's going to be too large for me to memorize. I studied the C standard until it was burned into my brain, so I don't make too many of the common mistakes, I instead use mathematical incompetence, excessive commenting, and lots of whitespace to irritate people.

        --
        "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
    • (Score: 1) by Freeman (732) on Wednesday July 30 2014, @11:04PM (#75742)

      I no understand what you are talking. Please explain Buffer Overruns.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 4, Informative) by N3Roaster (3860) on Wednesday July 30 2014, @11:41PM (#75748)

        A buffer overrun is when a program allocates some memory (a buffer) and then writes more data into it than was allocated (overrunning it). Depending on where things are in memory, this can result in overwriting things that are already in memory. Usually this results in the program promptly crashing but a clever attacker can use it to inject new instructions into the program. It's a very old and well understood problem which makes it all the more maddening that programmers are still making the mistakes that allow for this sort of thing.

        • (Score: 3, Informative) by Hairyfeet (75) on Thursday July 31 2014, @03:20AM (#75778)

          Which is why I give Comodo IS Free [comodo.com] to my customers, because to pull a buffer underrun on most AVs you can use the browser, while in Comodo IS Free the browser (and everything else unless told specifically not to) is run in a sandbox, so they have to get out of the sandbox FIRST and then and ONLY then can they attempt it... I have some of the worst customers you can imagine, the kind that will clicky clicky on anything, and have had ZERO infected machines brought back to me that had Comodo IS installed, not a single one.

          To make a foolproof system I combine Comodo IS with Comodo Dragon and Comodo Icedragon for a one-two punch that shuts the nasties down. The reason the Comodo browsers work better in this situation is they are designed to work in the Comodo sandbox with the absolute least privileges a browser can have and still function, and this really stops bugs cold. I have a testbox in the shop and I went to known malware havens, your topsites and cracksites, and while there were plenty of pages that Comodo kept from loading thanks to detected drivebys, after I yanked the drive and scanned it with 4 different scanners? NO BUGS, none.

          So if you have to deal with any "clicky clicky" happy family or friends give it a try; it's free, doesn't tie a boat anchor to the system (I'm looking at YOU AVG Free!) and its default settings take care of everything without Auntie June having to know squat about malware or drivebys.

          --
          ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
          • (Score: 3, Informative) by jelizondo (653) on Thursday July 31 2014, @04:13AM (#75788)

            In the TFA Comodo appears with two vulnerabilities (p.16 of .PDF file)

            Comodo: 2 heap overflows, one handling CHM files.

            Perhaps you need to RTFA before recommending a solution?

            • (Score: 4, Insightful) by maxwell demon (1608) on Thursday July 31 2014, @07:20AM (#75819)

              Are those vulnerabilities in the sandbox, or in the sandboxed code? Because the parent's point wasn't that the product is bug free, but that the sandbox means that even if someone exploits a bug, he still has to escape the sandbox to do real harm.

              Note that I've no idea whether what he says is true (I've followed the link and got a blank page; given that I'm a Linux user, I didn't have the motivation to find out what I should unblock to show the page; for me any page that doesn't show anything by default is broken by design, and certainly doesn't instil much confidence in the corresponding product).

              --
              The Tao of math: The numbers you can count are not the real numbers.
            • (Score: 2, Troll) by Hairyfeet (75) on Thursday July 31 2014, @09:37AM (#75836)

              You have to get out of the sandbox to use either one so.....good luck with that. Perhaps YOU should learn what a sandbox is and what it does before spouting off, yes?

              --
              ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
              • (Score: 2) by No.Limit (1965) on Friday August 01 2014, @10:02AM (#76307)

                A sandbox isn't a 100% security guarantee. It's just another obstacle for an attacker. But sandboxes have been successfully broken out of ever since they came into existence.

                Still, it's another layer which is nice, but don't get a false sense of security just because it's there.

                • (Score: 2) by Hairyfeet (75) on Friday August 01 2014, @10:16AM (#76310)

                  I have sat in the shop and TRIED to get a system infected with the Comodo sandbox running...no dice. Security Tool, Flash zero days, hell I even downloaded a version of flash from 5 years ago and went surfing topsites...again no joy.

                  So yes in the future there MAY be a bug that MIGHT figure out a way but I can tell you with 100% certainty that unless you got some juicy NSA bugs sitting around? Nothing you are gonna hit on the web today seems to be able to get out of the Comodo sandbox.

                  --
                  ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
                  • (Score: 3, Informative) by No.Limit (1965) on Friday August 01 2014, @12:35PM (#76347)

                    How can you conclude from a finite amount of tests 100% certainty?!

                    A quick search for 'comodo sandbox exploit' revealed this [comodo.com]. On page 5 a user could confirm the exploit by reproducing it.

                    • (Score: 1, Flamebait) by Hairyfeet (75) on Friday August 01 2014, @01:52PM (#76374)

                      You linked to a private video where "some guy" says "I totally broke it, take my word for it" but 1.- Won't allow you to see his proof, 2.- Won't answer questions about how he had his CIS set (since you can go in and dial down the protection) and 3.- Won't say whether or not he had disabled the built in (and active by default) HIPS which would have stopped any .exe alteration.

                      So yeah...I'm calling citation needed, because I can claim I hacked The Gibson but that don't mean shit if I refuse to actually show my work.

                      --
                      ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
                      • (Score: 3, Insightful) by No.Limit (1965) on Friday August 01 2014, @02:45PM (#76397)

                        It's not about the video. (Though still weird that you can't see it. I could watch it without trouble, other users in the linked thread also had issues watching it)

                        However, as I wrote before on page 5 (reply #73) [comodo.com] a user could reproduce the exploit and thus confirm it.
                        On page 6 (reply #76) [comodo.com] another user could reproduce the exploit.

                        Also, the staff don't deny this exploit, in fact on page 7 (reply #95) [comodo.com] the CEO points out how good the community is at finding bugs.

                        • (Score: 1, Flamebait) by Hairyfeet (75) on Saturday August 02 2014, @03:01AM (#76628)

                          According to the very next page the ONLY way the guy was able to get it to work was giving the thing admin rights... /facepalm/. You can't give something full admin rights and THEN try to put the genie back in the bottle; anybody who knows anything about permission levels would let you know that OS permission levels will override application permissions, because that is how permissions work: it goes from the kernel to the OS to the application, not the other way around.

                          It is also a keygen crack; a keygen only patches memory by default, and nowhere on the forum post you keep recalling can I find anybody that shows the hash of the actual file has changed after a reboot. If you know anything about how sandboxes work then you should know that programs can play in the memory assigned to them by the sandbox, hence why they are called sandboxes and not lockboxes. And again nowhere can I see that HIPS, which is activated by default, was running. In fact no less than 3 posters say if HIPS would have been running this wouldn't have been an issue, which makes me think the HIPS has been disabled to get this to work. I don't consider crippling the AV on purpose (which by default can only be done by a logged-in user with a privilege escalation; you can even require a password if you want an extra layer of security on HIPS) as a fair test. It also says specifically (post #85) that Comodo IS detects it as malware before it even runs, which means the user has to specifically ALLOW it to stay on the system, which I think even you would agree is NOT the typical behavior a person is gonna do when shown a malware warning box.

                          Frankly this reminds me of the only system I have EVER built that came back the next day infected with malware; I threw that guy out of my shop BTW. When he had me build his system he said "I want Limewire installed on it" and I told him politely "there is NO Limewire anymore, it was shut down by the feds over 2 years ago. Anything that says it's Limewire is merely a virus calling itself Limewire. I can install one of several P2P programs on it if you wish but Limewire no longer exists"....I think you know where this is going. When he got home he went straight to Google, typed in "new Limewire" and when the AV tried to stop him infecting his system with a trojan he disabled and then uninstalled the AV when the built-in HIPS refused to let him install it. When I pushed him out of my shop he was saying "It says right there it is Limewire so you make it work!".

                          So I'm sorry but just because some fucktard cripples his antivirus so he can try to install some stolen software doesn't mean there is a problem with the AV; it means that fucktards shouldn't have admin rights on a system if they are too stupid not to listen to the AV when it screams "THIS IS MALWARE" and refuses to let the AV remove it. If you want to use that as criteria then there is no system short of a thin client running a locked disc image that can ever be safe, since the user DOES have the right ON ALL ANTIVIRUS PROGRAMS to disable the protection if he/she so chooses. I think you will be hard pressed to explain how it's reasonable to have the OS pop up a box saying "This is malware" with the default behavior set to clean it (remove), and then refuse to listen to the antivirus, specifically tell the antivirus "ignore this/add to exclusions" (because if he merely closed the box it would be immediately reopened by the AV until they chose to remove or allow), and then complain that a program he told the AV to ignore is ignored when it does wonky behavior in the sandbox.

                          --
                          ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
                          • (Score: 0) by Anonymous Coward on Saturday August 02 2014, @03:39PM (#76734)

                            Ahh, this is the same Comodo that issued 9 certificates [sophos.com] for domains like login.live.com, www.google.com, mail.google.com, addons.mozilla.org to an Iranian attacker.

                            No, you're absolutely right,

                            "some of the worst customers you can imagine, the kind that will clicky clicky on anything"

                            would surely never

                            "refuse to listen to the antivirus"

                            especially after you've seen one to have

                            "disabled and then uninstalled the AV"

                          • (Score: 2) by Hairyfeet (75) on Sunday August 03 2014, @12:14AM (#76805)

                            It's nice to see my FOSSie stalker is back, hi stalkie! The SN admins might want to take a look at the mod history, as for the past week or so every post is modbombed. If the SN staff is playing the same bullshit that Slash does with modbombing then there really is no difference between Slash and SN, especially since you can now just disable beta.

                            --
                            ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
        • (Score: 1) by Freeman (732) on Thursday July 31 2014, @03:52PM (#75965)

          I'm sorry. I actually do understand what a buffer overflow error is. I was attempting a very poor joke...

          --
          Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
          • (Score: 1) by N3Roaster (3860) on Thursday July 31 2014, @05:08PM (#75999)

            I didn't get it. A play on the people who complain about terms not being defined in the summary instead of just typing the unfamiliar term into their favorite search engine? No worries. I got some +1s from it. Maybe some day I'll get mod points.

            • (Score: 2) by Reziac (2489) on Friday August 01 2014, @03:20AM (#76227)

              I missed the joke too (tho the post was funny!), but a very basic explanation like yours (which I think someone did as a cartoon -- XKCD?) is how I came to understand the concept of buffer overruns. So in my view it can never be explained too often, even as a response to a joke. :)

              (I'm not a programmer, just an interested bystander)

              --
              And there is no Alkibiades to come back and save us from ourselves.
  • (Score: 1) by arslan (3462) on Wednesday July 30 2014, @10:52PM (#75739)

    Sounds like these anti-viruses need protection... an anti anti-virus? No, that doesn't sound right..

    • (Score: 2) by meisterister (949) on Wednesday July 30 2014, @11:10PM (#75744)

      I'd spring for that the next time I buy any sort of OEM system with a certain antivirus program that either manifests itself as Internet "security" or a reference to the number of degrees in a circle.

      --
      (May or may not have been) Posted from my K6-2, Athlon XP, or Pentium I/II/III.
    • (Score: 2) by gallondr00nk (392) on Wednesday July 30 2014, @11:41PM (#75749)

      Sandbox it away from the rest of the disk ;)

    • (Score: 2) by aristarchus (2645) on Wednesday July 30 2014, @11:45PM (#75751)

      It consists in the fact that a virus warning is itself the virus.

    • (Score: 0) by Anonymous Coward on Thursday July 31 2014, @08:38PM (#76095)

      Technically, I think it would be an anti anti anti virus virus.

  • (Score: 3, Interesting) by dbe (1422) on Wednesday July 30 2014, @11:23PM (#75746)

    Pretty impressive presentation, but no word of Microsoft Security Essentials?
    I would expect this is one of the most commonly used AVs and probably a prime target for an attacker.
    -dbe

    • (Score: 1) by jelizondo (653) on Thursday July 31 2014, @04:03AM (#75783)

      Perhaps you should RTFA... It was done for AV on Linux; last I checked Microsoft Security Essentials was only for Windows...

      • (Score: 0) by Anonymous Coward on Thursday July 31 2014, @10:10AM (#75842)

        That's information that belongs in the summary.

  • (Score: 0) by Anonymous Coward on Thursday July 31 2014, @12:00AM (#75752)

    ...for not using Anti-virus software at all.

    Have an image file ready to replace the OS when things look wrong in the process list.

    • (Score: 3, Interesting) by juggs (63) on Thursday July 31 2014, @01:27AM (#75767)

      Sounds like an idea for a back to back study.

      Take two otherwise identical, clean, newly installed Windows machines, each populated with typical user data (banking passwords kept in plain text files etc.).

      Give each a popular-domain email address, and have them read any mail sent to it.

      Only difference:
      PC A: No AV
      PC B: With AV (pick one that is identified as being 'bad' in this study)

      Have them drive around the same selection of websites - some banking, some porn, throw in some gambling sites.

      See which ends up exfiltrating data first.

      Perhaps run many PCs like this with different AV / security suites on.

      Whatever the result, it would be a damn sight more informative benchmark than which AV suite picks up what % of known in the wild nasties.

      In any case, once things look wrong in your process list (which they likely won't even when infected anyway), it's already too late - your ID has been stolen, your bank account drained and just for good measure some git encrypted all your files, which being a typical user (in the case of these sacrificial PCs) have not been backed up.

      • (Score: 0) by Anonymous Coward on Thursday July 31 2014, @02:08AM (#75772)

        True.

        You need to have a bootup mode for browsing and another for sensitive data.
        Sensitive data boots will always reset the drive image on next reboot.

        Now do your test and see which of these models lags behind the other.