Critical Flaw Found In Virtually All AV Software
Securityemo writes "The Register is running an article about a new method to bypass antivirus software, discovered by Matousec. By sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment, the antivirus can be completely bypassed. This attack is apparently much more reliable on multi-core systems. Here's the original research paper."
El Reg notes that "The technique works even when Windows is running under an account with limited privileges," but "it requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC."
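A constructed C model of the check-then-use window the summary describes, added here as an illustration and not part of the Matousec research or the article: a hook that validates a request in caller-writable memory and then re-reads it when acting, beside the snapshot form that closes the window. The `race` callback, `struct request` and the operation codes are assumptions made for the demonstration; the real attack hits this window nondeterministically from another core, which the callback only stands in for.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model: the request lives in memory the caller can still write
 * after the hook has inspected it. Operation codes are assumed for the demo. */
enum { OP_BENIGN = 1, OP_BLOCKED = 2 };

struct request {
    int op;                          /* caller memory, can change at any time */
};

/* Stands in for the attacker thread on another core: rewrites the request
 * inside the check-to-use window. */
static void switch_op(struct request *r) { r->op = OP_BLOCKED; }

/* Vulnerable hook: validates caller memory, then fetches it again to act.
 * Returns the operation actually performed, or -1 if refused. */
static int hook_double_fetch(struct request *r, void (*race)(struct request *)) {
    if (r->op != OP_BENIGN)          /* first fetch: the check */
        return -1;
    if (race) race(r);               /* window between check and use */
    return r->op;                    /* second fetch: the use */
}

/* Hardened hook: copies the request into memory the caller cannot touch,
 * then checks and acts on that copy only. */
static int hook_snapshot(struct request *r, void (*race)(struct request *)) {
    struct request copy = *r;        /* single fetch */
    if (race) race(r);               /* same window, now harmless */
    if (copy.op != OP_BENIGN)
        return -1;
    return copy.op;
}

/* Returns true if the hook let a blocked operation through when the request
 * was switched between check and use. */
static bool escapes(int (*hook)(struct request *, void (*)(struct request *))) {
    struct request r = { OP_BENIGN };
    return hook(&r, switch_op) == OP_BLOCKED;
}
```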
What? "Culture", better written _core_ utilities, and the open access to the base software rather than the secretive and obscure security models of NT all contribute massively to Linux security by comparison. The smaller system components are easier and safer to do well. Also, while the kernel of NT was based on VMS when David Cutler stole his old work from DEC, it was forced to integrate numerous historical poor choices of DOS, Windows 3.x, and Windows 95 to provide backwards compatibility. These have been a _disaster_ in security terms, and very difficult to address due to the closed nature of the code and difficulty of upgrading other components to preserve compatibility.
Some of the most "secure" components of NT, such as Active Directory, are actually due to its integration of far more secure open source components such as Kerberos, and its use of open standards such as DNS, DHCP, and LDAP to replace Microsoft's older versions of "NetBIOS" (which they also did not invent; it came from IBM, and IBM discarded it years ago).
A program can't wait in the background and get root when someone types sudo.
When password caching is turned on (like it is by default in Ubuntu) yes, it can.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
The Windows and Linux security models are virtually identical if you exclude MAC (SELinux etc.).
Except for NT having no concept of a superuser and Linux being utterly dependent on one to implement nearly all aspects of a usable system.
Except for the finest granularity in Linux being the group and in NT the user.
Except for the utter nightmare in Linux trying to create exclusionary or complicated sets of permissions with multiple users and/or groups.
Except for the NT ACLs applying to nearly all objects in the OS, and in Linux only things represented in the filesystem.
Except for NT ACLs controlling nearly all ways to manipulate an object and in Linux being limited to read, write and execute.
"Virtually the same" my arse. NT's security model is vastly more capable than traditional UNIX's.
The main difference is that people actually understand the basic Unix model of users and groups and so they often manage to set their file permissions to something relatively sane. Practically no one uses the full power of ACLs on either system.
NT's permissions capabilities are a superset of Linux's. If someone understands the latter, then they can implement something *at least* as good on the former with the same amount of effort.