Slashdot Mirror


Critical Flaw Found In Virtually All AV Software

Securityemo writes "The Register is running an article about a new method to bypass antivirus software, discovered by Matousec. By sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment, the antivirus can be completely bypassed. This attack is apparently much more reliable on multi-core systems. Here's the original research paper." El Reg notes that "The technique works even when Windows is running under an account with limited privileges," but "it requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC."
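The check-then-use race the summary describes, as an added illustration that is not from Matousec's paper or any AV product: a constructed user-space model in C where a "hook" validates a caller-owned argument, with a deterministic callback standing in for the swap another core would perform at the last moment, beside the hardened form that copies the argument into private memory before validating it (the usual mitigation for this class of bug). All names here are invented for the example.

```c
#include <stdbool.h>
#include <string.h>
#define CMD_MAX 32

/* Stand-in for the caller altering its own argument buffer after the
   hook has looked at it. The harness calls it at the check/use boundary;
   in the attack above a second thread on another core does this. */
typedef void (*race_cb)(char *arg);

static bool is_benign(const char *cmd) {
    return strncmp(cmd, "benign", CMD_MAX) == 0;
}

/* Vulnerable hook: checks the caller-owned buffer, then hands that SAME
   buffer to the real handler. Whatever lands in it after the check is
   what executes. */
bool hook_vulnerable(char *user_arg, race_cb between, char *executed) {
    if (!is_benign(user_arg))
        return false;                     /* blocked */
    if (between) between(user_arg);       /* the race window */
    strncpy(executed, user_arg, CMD_MAX);
    executed[CMD_MAX - 1] = '\0';
    return true;                          /* allowed */
}

/* Hardened hook: copy the argument into memory the caller cannot reach,
   validate the copy, and pass only the copy onward. A swap of the
   caller's buffer after the copy changes nothing. */
bool hook_hardened(char *user_arg, race_cb between, char *executed) {
    char private_copy[CMD_MAX];
    strncpy(private_copy, user_arg, CMD_MAX);
    private_copy[CMD_MAX - 1] = '\0';
    if (!is_benign(private_copy))
        return false;
    if (between) between(user_arg);       /* same window, now harmless */
    strncpy(executed, private_copy, CMD_MAX);
    return true;
}

/* Constructed race: the caller overwrites "benign" with "malicious". */
static void swap_arg(char *arg) {
    strncpy(arg, "malicious", CMD_MAX);
}

/* True if the hook let the swapped (malicious) argument reach the handler. */
bool bypassed(bool (*hook)(char *, race_cb, char *)) {
    char arg[CMD_MAX] = "benign";
    char executed[CMD_MAX] = {0};
    return hook(arg, swap_arg, executed) && strcmp(executed, "malicious") == 0;
}
```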

1 of 279 comments

  1. Re:Ubuntu by drsmithy · Score: 5, Informative

    The Windows and Linux security models are virtually identical if you exclude MAC (SELinux etc.).

    Except for NT having no concept of a superuser and Linux utterly dependent on one to implement nearly all aspects of a usable system.
    Except for the finest granularity in Linux being the group and in NT the user.
    Except for the utter nightmare in Linux trying to create exclusionary or complicated sets of permissions with multiple users and/or groups.
    Except for the NT ACLs applying to nearly all objects in the OS, and in Linux only things represented in the filesystem.
    Except for NT ACLs controlling nearly all ways to manipulate an object and in Linux being limited to read, write and execute.

    "Virtually the same" my arse. NT's security model is vastly more capable than traditional UNIX's.

    The main difference is that people actually understand the basic Unix model of users and groups and so they often manage to set their file permissions to something relatively sane. Practically no one uses the full power of ACLs on either system.

    NT's permissions capabilities are a superset of Linux's. If someone understands the latter, then they can implement something *at least* as good on the former with the same amount of effort.