Slashdot Mirror


AVG, McAfee, Kaspersky Antiviruses All Had a Common Bug (softpedia.com)

An anonymous reader writes: Basic ASLR was not implemented in 3 major antivirus makers, allowing attackers to use the antivirus itself towards attacking Windows PCs. The bug, in layman's terms, is: the antivirus would select the same memory address space every time it would run. If attackers found out the memory space's address, they could tell their malicious code to execute in the same space, at the same time, and have it execute with root privileges, which most antiviruses have on Windows PCs. It's a basic requirement these days for software programmers to use ASLR (Address Space Layout Randomization) to prevent their code from executing in predictable locations. Affected products: AVG, McAfee, Kaspersky. All "quietly" issued fixes.
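
The story is about Windows binaries that load at a fixed base. On Windows, an image only gets a randomised base if its PE optional header sets IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) and the image still carries relocation data (IMAGE_FILE_RELOCS_STRIPPED in the COFF header must be clear). The following header check is an added example written for this page; it is not code from the Softpedia story, from Slashdot or from any of the named vendors, and it uses no third-party PE library. The sample images it builds are constructed header-only stubs for testing, not real antivirus binaries.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bit: image has no .reloc data, so the
# loader cannot move it even if it asks for a dynamic base.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (from winnt.h).
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with full entropy
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # opt in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # opt in to DEP

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def aslr_status(image: bytes) -> dict:
    """Parse the DOS, COFF and optional headers of a PE image and report its
    ASLR/DEP opt-in flags. Raises ValueError for anything that is not a PE."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _stamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20  # IMAGE_FILE_HEADER is 20 bytes
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    if opt_size < 0x48:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics sits at offset 0x46 in both PE32 and PE32+ headers.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 0x46)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # Both conditions are needed before the loader will actually rebase.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def check_file(path: str) -> dict:
    """Run aslr_status() over a PE file on disk (e.g. a vendor's service EXE)."""
    with open(path, "rb") as f:
        return aslr_status(f.read())


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False,
                     relocs_stripped: bool = False) -> bytes:
    """Constructed header-only PE stub used as sample input. It has no sections
    and is not loadable; it only exercises the header fields parsed above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    opt_size = 0xF0 if pe32plus else 0xE0    # standard optional header sizes
    machine = 0x8664 if pe32plus else 0x14C  # AMD64 / I386
    characteristics = 0x0002                 # IMAGE_FILE_EXECUTABLE_IMAGE
    if relocs_stripped:
        characteristics |= IMAGE_FILE_RELOCS_STRIPPED
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 0x46, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "no ASLR (the bug in the story)": build_minimal_pe(0),
        "ASLR + DEP, 32-bit": build_minimal_pe(
            IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "asks for ASLR but relocs stripped": build_minimal_pe(
            IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, relocs_stripped=True),
        "64-bit high-entropy ASLR": build_minimal_pe(
            IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA,
            pe32plus=True),
    }
    for name, img in samples.items():
        print(f"{name}: {aslr_status(img)}")
```

The third sample is the caveat worth remembering when auditing a vendor's binaries: a linker flag alone is not enough, since an image whose relocations were stripped will report DYNAMIC_BASE yet still load at its preferred base every time. Pointing check_file() at the service executables and plug-in DLLs of an installed product gives the same answer the story's researchers reported, without running anything.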

5 of 132 comments

  1. Re:Shouldn't this be done at the OS level? by sexconker · · Score: 5, Informative

    Windows users can download EMET to do this.
    It's from MS and it's free. It lets you force a bunch of shit (like ASLR), lets you set up certificate pinning for websites (trust only certain certs or block specific certs), etc.
    https://technet.microsoft.com/...

  2. Re:Next thing to be exploited by Zero__Kelvin · · Score: 4, Informative

    Which is beside the point. They are basically saying: All that is required to exploit this "weakness" is to already have compromised the system to the degree that you can write to another process's code space! It is another "nothing to see here, move along" article, where the person writing it doesn't understand how computers work.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  3. Re:Not a major bug by arth1 · · Score: 5, Informative

    Correct. Determinable address space is not a security problem in itself - it requires other security problems to be exploitable. And figuring out what the address space is in real-time is not that hard either; it just makes it harder. It's automated security through obscurity.

    In some cases, it is preferable to make it slightly easier for intruders who are already inside the system, in order to reap the benefits. Programs like "rebase" for Windows and "prelink" for Linux can preload a known address table into executables ahead of time, making them start faster and use less memory, because reallocation does not have to occur at load time.
    Especially in an embedded world, that can make a boatload of difference.
    Some look for silver bullets and want to impose ASLR (no, not the cameras) and https everywhere, whether needed or not, without considering the price of doing so. TANSTAAFL, and no silver bullets. They all come at a price, and sometimes the price is not right.

    Fix the other security problems, and ASLR gives no added value, only drawbacks. But on a badly maintained system running software of dubious security value, sure, it can be a good addition. But make no mistake - it doesn't plug any holes, it just makes existing holes harder to exploit. At a cost.

  4. Re:the biggest problem was the vendor. by Anonymous Coward · · Score: 2, Informative

    The best security product around for several years now is found at adblockplus.org.

  5. Re:Isn't this the responsibility of the OS? by mikael · · Score: 3, Informative

    You do get security enhanced Linux (SELinux). That added things like making files impossible to change (system owned executable files) even for root. But in order to install something like the Nvidia device driver blob, you had to disable it, execute the .run file, and then reenable SELinux.

    There are also "trusted" UNIX systems which log every file change, modification and permission code.

    The idea of shared memory is that the shared memory segment appears as a linear block of memory to the original process that created it. Then other processes can request read or read/write access to that memory. The intention is for use with device drivers which need to map a hardware address to the driver address space so it can read/write registers and buffers. Your network driver stores all the received and sent packets in a number of ring buffers. A graphics driver accesses the framebuffer and texture data in a similar way.

    Your alternatives are to use TCP/IP sockets or OS managed pipes. Just send down the offset, number of bytes and a pointer to the data that you want to change.

    --
    Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads