posted by cmn32480 on Tuesday November 14, @03:12AM
from the still-better-with-than-without dept.

Submitted via IRC for SoyCow1984

Antivirus programs, in many cases, make us safer on the Internet. Other times, they open us to attacks that otherwise wouldn't be possible. On Friday, a researcher documented an example of the latter—a vulnerability he found in about a dozen name-brand AV programs that allows attackers who already have a toehold on a targeted computer to gain complete system control.

AVGater, as the researcher is calling the vulnerability, works by relocating malware already put into an AV quarantine folder to a location of the attacker's choosing. Attackers can exploit it by first getting a vulnerable AV program to quarantine a piece of malicious code and then moving it into a sensitive directory such as C:\Windows or C:\Program Files, which normally would be off-limits to the attacker. Six of the affected AV programs have patched the vulnerability after it was privately reported. The remaining brands have yet to fix it, said Florian Bogner, a Vienna, Austria-based security researcher who gets paid to hack businesses so he can help them identify weaknesses in their networks.

Bogner said he developed a series of AVGater exploits during several assignments that called for him to penetrate deep inside customer networks. Using malicious phishing e-mails, he was able to infect employee PCs, but he still faced a significant challenge. Because company administrators set up the PCs to run with limited system privileges, Bogner's malware was unable to access the password database—known as the Security Account Manager—that stored credentials he needed to pivot onto the corporate network.

"With the help of AVGater, I gained local admin privileges," Bogner wrote in an e-mail. With full control over the employee computer his exploit provided, he had no trouble accessing the credential store, which is commonly known as a SAM database. "So AVGater was VERY useful during several of our pentests and red-teaming assignments."

Source: https://arstechnica.com/information-technology/2017/11/how-av-can-open-you-to-attacks-that-otherwise-wouldnt-be-possible/


Original Submission

  • (Score: 0) by Anonymous Coward on Tuesday November 14, @03:24AM (6 children)

    by Anonymous Coward on Tuesday November 14, @03:24AM (#596642)

    And Android, that must be a total accident

    • (Score: 4, Insightful) by Runaway1956 on Tuesday November 14, @03:34AM (5 children)

      by Runaway1956 (2926) Subscriber Badge on Tuesday November 14, @03:34AM (#596646) Journal

      The need for an AV isn't exactly "built into Android". Most of the vulnerabilities in Android are baked in by the manufacturers and the Telco customers. If the supply chain weren't so insistent on monitoring and data mining their end customers, Android would be much more secure than it is today. The open source code that Google published is NOT what you get on your "smart" phone. But, you already knew that, didn't you? If your device (phone, laptop, desktop, server, mainframe, whatever) comes with preinstalled malware, then your device is already pwned. You can't really blame the operating system when some third party also pwns your device.

      --
      This broadcast is intended for mature audiences.
      • (Score: 0) by Anonymous Coward on Tuesday November 14, @03:50AM (2 children)

        by Anonymous Coward on Tuesday November 14, @03:50AM (#596653)

        You have failed to understand my sarcasm, Windows and Android are both agents of the state and their intent is to murder you in whatever way is convenient for whatever agent of the state needs you dead at that moment.

        • (Score: 2) by tibman on Tuesday November 14, @02:41PM (1 child)

          by tibman (134) Subscriber Badge on Tuesday November 14, @02:41PM (#596802)

          How do you see through all the chemtrails?

          --
          SN won't survive on lurkers alone. Write comments.
          • (Score: 0) by Anonymous Coward on Tuesday November 14, @03:22PM

            by Anonymous Coward on Tuesday November 14, @03:22PM (#596820)

            Tinfoil glasses.

      • (Score: 1) by dwilson on Tuesday November 14, @05:50AM

        by dwilson (2599) on Tuesday November 14, @05:50AM (#596672)

        How about LineageOS? Would you call that better or worse than the pre-installed crapware?

        I've been running it since May, on a five year old phone. It shows, too. But I've always considered it worthwhile in spite of the various quirks and irritations that a not-quite-fast-enough system will manifest when running the latest and greatest.

        --
        - D
      • (Score: 2) by TheRaven on Tuesday November 14, @11:18AM

        by TheRaven (270) on Tuesday November 14, @11:18AM (#596748) Journal
        I run LineageOS and keep an eye on the CVE list. There have been around 400 CVEs for my phone since it was first released about 4 years ago. These are in the Linux kernel, drivers, and core bits of the Android system. None of the ones that I've seen are anything to do with a desire to monitor me from anyone in the supply chain, they're all the result of crappy coding practices at Google and OEMs.
        --
        sudo mod me up
  • (Score: -1, Offtopic) by Anonymous Coward on Tuesday November 14, @03:30AM

    by Anonymous Coward on Tuesday November 14, @03:30AM (#596645)

    Things are just different violence not comprehension is the world, madness and hatred is the norm, there is no way to walk this back until we blow it up. people are sick sociopaths, that is the majority, we cannot survive on that.

  • (Score: 1, Informative) by Anonymous Coward on Tuesday November 14, @06:07AM (3 children)

    by Anonymous Coward on Tuesday November 14, @06:07AM (#596678)

    If you're doing things right, running real time AV actually makes your system more insecure:
    https://arstechnica.com/information-technology/2017/06/latest-high-severity-flaw-in-windows-defender-highlights-the-dark-side-of-av/ [arstechnica.com]
    http://www.securityweek.com/critical-vulnerability-symantec-av-engine-can-be-exploited-sending-email [securityweek.com]
    https://googleprojectzero.blogspot.my/2016/06/how-to-compromise-enterprise-endpoint.html [blogspot.my]
    https://www.pcworld.com/article/3020327/antivirus-software-could-make-your-company-more-vulnerable.html [pcworld.com]
    http://www.blackhat.com/presentations/bh-europe-08/Feng-Xue/Whitepaper/bh-eu-08-xue-WP.pdf [blackhat.com]

    And more unstable/unreliable- every few years some AV vendor screws up and blocks a critical OS file.

    And for all that real time AV slows down your system.

    Secure your system and practices so that AV won't be needed and if you need to scan for malware use someone else's machines ( e.g. VirusTotal) to scan for viruses.

    • (Score: 0) by Anonymous Coward on Tuesday November 14, @07:49AM

      by Anonymous Coward on Tuesday November 14, @07:49AM (#596704)

      Me neither. Then again I don't run M$ Winders either.

    • (Score: 3, Interesting) by TheRaven on Tuesday November 14, @11:21AM (1 child)

      by TheRaven (270) on Tuesday November 14, @11:21AM (#596749) Journal
      Over a decade ago, one of my colleagues published a paper showing that frameworks that do system call interposition are vulnerable to time of check to time of use attacks. A decade later, most AV vendors are still using this technique. The Symantec vulnerability in that list is my favourite, because it highlights the fact that AV vendors have absolutely no idea how to write secure code. Can you imagine the train of thought that would lead someone to decide that the best place to run some code that deals with malicious data in complex file formats is in the kernel? Any sane implementation would run the scanner in an unprivileged process with no access to anything in the system. At worst, if it's compromised then it would report false negatives, whereas in the Symantec version a compromise in the image decoder let the attacker run arbitrary code in the kernel.
      --
      sudo mod me up
      • (Score: 2, Informative) by Anonymous Coward on Tuesday November 14, @05:39PM

        by Anonymous Coward on Tuesday November 14, @05:39PM (#596876)

        FWIW, you can run ClamAV in just that manner, you startup clamd and have it drop privileges. You then use the clamdscan (note the "D" in the command name), which is privileged. All that program does is determine whether a file is one you wanted scanned or not and if it is, then the read-only file descriptor (or, if that is unavailable, a raw copy of the file) is sent via a UDS to the daemon. Much more secure because if there is a bug in the scanner itself, then you are only as vulnerable as the sandbox you put it in.
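        The clamd/clamdscan split described in the comment above, as an added example that is not ClamAV's own code: the privileged side opens the file and passes only a read-only descriptor over a Unix domain socket to a forked scanner process that never receives a path. The scanner's "signature" is a constructed marker, and the actual privilege drop (setuid/chroot/sandbox) is left out so the script runs as any user.

```python
import os
import socket
import tempfile

# Constructed marker standing in for a real signature (not a real malware pattern).
MARKER = b"CONSTRUCTED-TEST-SIGNATURE-DO-NOT-ALERT"


def scanner_daemon(sock: socket.socket) -> None:
    """Unprivileged side (the clamd role): receives descriptors, never paths, so it
    cannot open anything itself; a real daemon would drop privileges before this loop."""
    while True:
        msg, fds, _flags, _addr = socket.recv_fds(sock, 16, 1)
        if msg != b"SCAN" or not fds:
            break  # b"QUIT" or EOF from the privileged side
        with os.fdopen(fds[0], "rb") as f:
            verdict = b"FOUND" if MARKER in f.read() else b"OK"
        sock.sendall(verdict)


def scan_path(client: socket.socket, path: str) -> str:
    """Privileged side (the clamdscan role): open read-only, refuse symlinks,
    and hand the descriptor to the daemon over the Unix socket."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        socket.send_fds(client, [b"SCAN"], [fd])
    finally:
        os.close(fd)  # the daemon now holds its own reference
    return client.recv(16).decode()


def demo() -> dict:
    """Fork the daemon, scan one clean and one marked file, return the verdicts."""
    client, daemon_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:  # child: becomes the isolated scanner
        client.close()
        scanner_daemon(daemon_end)
        os._exit(0)
    daemon_end.close()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in (("clean.txt", b"just text\n"), ("marked.bin", b"xx" + MARKER)):
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(body)
            results[name] = scan_path(client, path)
    client.sendall(b"QUIT")
    client.close()
    os.waitpid(pid, 0)
    return results
```

        If the scanner process is compromised, the worst it can do is misreport a verdict: it holds no path, no write access and no privileges of its own.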

  • (Score: 3, Insightful) by aristarchus on Tuesday November 14, @08:23AM (8 children)

    by aristarchus (2645) Subscriber Badge on Tuesday November 14, @08:23AM (#596710) Journal

    Attackers can exploit it by first getting a vulnerable AV program to quarantine a piece of malicious code and then moving it into a sensitive directory such as C:\Windows or C:\Program Files, which normally would be off-limits to the attacker.

    Oh, we found the problem. I was first tipped off by this idea that one would run something called "anti-virus" software. Did not Microsoft make their operating system correctly? Oh, they didn't? And you poor bastards, and I mean that sincerely, you poor bastards (includes one of our "editors", strangely enough), actually put up with this, and, and, (here's the catch), pay money to be so severely screwed over on the security front? Really?

    --
    If you could ensure that your submissions are balanced, accurate and unbiased, you might stand a better chance
    • (Score: 1, Insightful) by Anonymous Coward on Tuesday November 14, @08:58AM

      by Anonymous Coward on Tuesday November 14, @08:58AM (#596717)

      Oh, you noticed that still-better-with-than-without fallacy as well.

      -- OriginalOwner_ [soylentnews.org]

    • (Score: 3, Troll) by TheRaven on Tuesday November 14, @11:49AM (6 children)

      by TheRaven (270) on Tuesday November 14, @11:49AM (#596754) Journal
      You seem very smug, perhaps you can tell us what OS you run that hasn't had any security vulnerabilities in the past year?
      --
      sudo mod me up
      • (Score: 3, Funny) by nobu_the_bard on Tuesday November 14, @02:04PM (1 child)

        by nobu_the_bard (6373) on Tuesday November 14, @02:04PM (#596785)

        MS-DOS 5.1

        • (Score: 1, Informative) by Anonymous Coward on Wednesday November 15, @01:38AM

          by Anonymous Coward on Wednesday November 15, @01:38AM (#597087)

          There's no such thing.

      • (Score: 1, Funny) by Anonymous Coward on Tuesday November 14, @05:57PM

        by Anonymous Coward on Tuesday November 14, @05:57PM (#596880)

        I have a bunch of Drones locked up in my basement that recite zeroes and ones to a custom made (also made from drones) processing unit which then flips cards on a large screen.
        It's a bit on the slow side, but very secure... (as long as they don't escape)
        It's also cheaper to run than an iphone

      • (Score: 4, Insightful) by aristarchus on Tuesday November 14, @06:44PM

        by aristarchus (2645) Subscriber Badge on Tuesday November 14, @06:44PM (#596903) Journal

        "Tu Quoque, evermore!" quoth TheRaven? Surely we are past the point when anyone can be smug just for mocking Windows users. And it does not matter what "other" OS said mocker is running, this is a Windows vulnerability.

        --
        If you could ensure that your submissions are balanced, accurate and unbiased, you might stand a better chance
      • (Score: 2) by Runaway1956 on Saturday November 18, @02:54AM (1 child)

        by Runaway1956 (2926) Subscriber Badge on Saturday November 18, @02:54AM (#598522) Journal

        The issue is not whether a system, a software, or application has vulnerabilities. The issue is, how often are vulnerabilities found, and, how quickly are they addressed.

        For a couple of decades, Windows led the world in the number of vulnerabilities, and the frequency with which more vulnerabilities were found. Adobe took over that position, for at least a short while. Even Adobe finally decided that it was best not to even install Flash.

        I generally dislike using the term "engineering" when I talk of software. But, all Unix-likes had security engineered in from day one. Every file on a *nix is owned by someone, and permissions are pretty strictly observed. With Windows, security was a mere afterthought, poorly thought out, and poorly implemented. For those reasons alone, few people who run a *nix ever bother with any security products. Our most common vulnerabilities are our web browsers. Securing our browsers is generally the most important part of maintaining secure systems.

        Don't misunderstand me, please: ALL operating systems have vulnerabilities. Mankind has never produced anything that is perfect, so of course the *nixes are imperfect. But, *nix strives to become more perfect all the time. And, *nix understands that the definition of "perfect" is NOT "how can we milk our users most efficiently?"

        Bear in mind that worldwide, virtually all end users are the victims of a decades long propaganda campaign on the part of Microsoft. They've used every dirty, unethical trick in the book to gain their level of dominance, and they continue today with their unethical conduct.

        Need a "for instance"? Windows X being forced onto users who never wanted it. Windows X "telemetry". Windows X advertising. Everything about Windows X is just wrong, wrong, wrong. A lot of things were right in Win 7, and Microsoft tore every bit of rightness out of Win 7, to replace it with a giant, intrusive, spyware program.

        And, consumers have just accepted that.

        --
        This broadcast is intended for mature audiences.
        • (Score: 2) by TheRaven on Sunday November 19, @08:57PM

          by TheRaven (270) on Sunday November 19, @08:57PM (#599033) Journal

          For a couple of decades, Windows led the world in the number of vulnerabilities, and the frequency with which more vulnerabilities were found

          They did, then Microsoft invested a couple of billion in static and dynamic analysis tools. They required all certified device drivers to run the static analysis tools, shipped all system DLLs with control-flow integrity enabled by default, added zero-address-space-reuse allocators for a lot of system services and moved others to being written in a managed language to avoid memory safety errors.

          But, all Unix-likes had security engineered in from day one.

          This is absolute nonsense. 'UNIX security' was a joke until the mid '90s.

          Every file on a *nix is owned by someone, and permissions are pretty strictly observed. With Windows, security was a mere afterthought, poorly thought out, and poorly implemented

          The traditional UNIX security model gives every file a simple 9-bit bitmask of permissions for everyone, owner, and group. In contrast, Windows NT has had access control lists for every single kernel object since its creation. These can specify around a dozen permissions for each user in the system independently. Modern *NIX systems add these, but I've rarely seen them used in real deployments.

          For those reasons alone, few people who run a *nix ever bothers with any security products.

          The Linux kernel alone has had well over a hundred CVEs this year, including several that allow remote arbitrary code execution. A lot of open source server packages have also had vulnerabilities, even without going to the security nightmare that is PHP. If you think running *NIX makes you safe, you really shouldn't be running a server attached to the Internet.

          --
          sudo mod me up