Google Found Disastrous Symantec and Norton Vulnerabilities That Are 'As Bad As It Gets' (fortune.com)
Google's Project Zero team has discovered a heap of critical vulnerabilities in Symantec and Norton security products. The flaws, the team says, allow hackers to completely compromise people's machines by simply sending them malicious self-replicating code through unopened emails or un-clicked links. According to a Fortune report, the vulnerabilities affect millions of people who run the company's endpoint security and antivirus software -- all 17 enterprise products (Symantec brand) and eight consumer and small business products (Norton brand). Dan Goodin, reporting for Ars Technica: The flaws reside in the engine the products use to reverse the compression tools malware developers use to conceal their malicious payloads. The unpackers work by parsing code contained in files before they're allowed to be downloaded or executed. Because Symantec runs the unpackers directly in the operating system kernel, errors can allow attackers to gain complete control over the vulnerable machine. Tavis Ormandy, a researcher with Google's Project Zero, said a better design would be for unpackers to run in a security "sandbox," which isolates untrusted code from sensitive parts of an operating system.
Putting anti-virus anything in a kernel is downright stupid.
And I just renewed my subscription.
Oy! And these people call themselves professionals!
“He’s not deformed, he’s just drunk!”
This article is only about 15 years too late...
A bug in Norton? Really? How surprising. That's never happened before, has it?
Without adding file system hooks to the kernel, how should a real-time antivirus tool trap attempts to read potentially infected files?
Sometimes I think the PC Matic guys are right: a whitelist is a more reliable way to block malware. But a whitelist requires more diligence to maintain if you don't want to turn a PC into a game console, and diligence is something sorely lacking in the non-technical majority.
It doesn't look like it was submitted. It was written by an editor, who seems to have found the story. You can thank the editors and only the editors if you don't like the story. Also, they haven't addressed other important news. When ISIL detonated bombs in the Brussels airport, Slashdot posted a story within a few hours. The same thing happened in Istanbul and Slashdot still hasn't posted a story. If a white country in western or central Europe gets attacked, Slashdot is all over it. When it happens to Muslims and people of color, Slashdot doesn't care. It's quite bigoted, for sure.
Don't worry, the next vulnerability story will be from a source everyone here will approve of: The London Journal of Security Studies, Est. 1946 and Peer Reviewed by Leading Researchers Worldwide but Community Funded and Allowing Open Access.
This isn't the first time that Anti-Virus software has been known to have vulnerabilities in its code design, or its core functionality. I do however think that this is one of the first in a good while that has such damaging vulnerabilities that should be cause for concern.
wouldn't it be obvious to run the unpackers in some kind of VM?
but what they did was write their own unpackers? since the unpacker is an executable part of the original, but there are a couple of commonly used packers, so you could just implement that in your own code (because running the self unpacker from the thing itself would be... well it would just be running the vulns).
anyhow, this is finally proof that it's basically better to NOT BE RUNNING FUCKING ANYTHING than to be running the shit from symantec & all.
which kind of sucks, since now on windows you're totally fucked. you can't trust ms, you can't trust the os features, just updating windows defender makes you think twice about what other stuff gets in at the same time from ms. and because the winsxs ("windows components", kind of a place file store where stuff is symlinked from) gets corrupted easily, the updates stop on many windows 10 computers and the users will not even notice. actually winsxs is the least known biggest shit pile of windows - and bloats up. there's a command line control to clean it up. but if you're wondering on some computers why your installation of windows is 20 gigs then THAT is the explanation. but don't go deleting files from there, since it's likely to break something - or make windows just think it's broken when it is not. the "refresh" windows option was added because _that_ part of windows gets super fucked super easily and ms fired the only guys who knew how its database works - apparently. because the refresh windows from windows option is only useful for fixing that, because otherwise you wouldn't be running it in the first place because you can't get to the refresh when some other part of windows is broken - so it is not useful if your windows is unbootable - and it's fucking ridiculous to be installing everything again because windows can't figure out what part of it is broken or how to fix its component store.
(btw. don't install the intel auto driver installer/updater either. 50:50 chance of killing your windows installation bootability).
oh and ms likes to put included shitware in windows 10 as windows components so that if you uninstall them, or disable or don't install them, they will STILL be in winsxs gobbling up space and there don't exist tools to take them out (they're not marked as individual packages, even if they are individual packages inside winsxs).
it's just shit awful design.
details straight from Project Zero
TIL that blogger was bought by Google in 2003...
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I remember when Windows Vista came out Microsoft tried to lock down the kernel, but got sued by the above mentioned security vendors. This is what happens when you put your trust in third party vendors.
http://www.dailytech.com/Micro...
My workplace uses McAfee security products. We're safe.
Is this new, or from a few weeks ago? The date on TFA is from today but the description of the bug is nearly identical to stuff that hit the news stands about a month ago, even down to some identical wording. I can't tell if I need to make sure I get patched ASAP, or if this is something that's already been covered with earlier updates.
The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
Unencrypted shards. Who thought it would be a good idea to send "commandlets" across a network without the least bit of security? Commandlets that execute with admin privileges...
The Air Force, that's who. They've bought into Tanium hook, line, and sinker.
Because muzzie-on-muzzie violence is not news, it's just what they do. Stop moaning.
The best antivirus ever is to use your fucking brain when you surf the Internet. And, if you don't have a brain, to stay OFF the fucking Internet.
99.999% of all viruses and malware are distributed by one of these three methods:
1) Spamming email addresses with infected links promising penile enlargement, instant riches, or notifying you of a problem with an account you don't even have at a bank you've never heard of (and yet people still fall for it)
2) Porn sites. All of them spread viruses and malware. That is their job.
3) "One weird trick," "You'll be shocked," "They don't want you to know," and "This simple method" spam traps on Facebook and other social media sites.
Stop doing these three simple things, and you won't believe the results when it comes to the one weird trick the big AV makers don't want you to know about.
ryanmc1: "I remember when Windows Vista came out Microsoft tried to lock down the kernel, but got sued by the above mentioned security vendors. This is what happens when you put your trust in third party vendors." link
'The whole "PatchGuard" concept shows how broken Microsoft's approach to an OS has become. The whole concept is to catch changes made by programs which already have full access to kernel space. By checking every five or ten minutes for a change, no less. That's inherently a futile exercise. It may break some current exploits, but it won't break new ones. Any program that has access to kernel space can take over the machine. It could load a whole new OS if it wanted to.' link
Oh wait, this is Windows. It probably doesn't have anything like that in user space to intercept system calls.
Whose daddy do you trust?
Internet Storm Center has a writeup and a test file you can download: https://isc.sans.edu/forums/di...
These two craptastic and inept vendors have awful products. Why would anyone be surprised that their products are a pile of steaming turds?
Trust no one...especially Google.
I was working for a developer who had a few video games published by Microsoft around the time NT was shipping. The games and marketing divisions were having it out with Dave Cutler and the NT team because the NT team was fighting like hell against putting anything that wasn't absolutely necessary in ring0 ("kernel") space. (The bulk of the NT team followed Cutler from DEC and were experienced server OS developers). The NT team was taking the right approach for a server but on the hardware at the time that approach killed video/sound/etc performance (but on the up side, if your video driver crashed it wouldn't blue screen your server). It was made all the more exciting b/c Cutler was known for his temper. Ultimately they ended up putting it in ring0 and making other concessions for "consumers" and things just went downhill from there.
The ultimate irony is that Cutler ended up working on the Hyper-V implementation on the Xbox One (among other things).
"The flaws, the team says, allow hackers to completely compromise people's machines by simply sending them malicious self-replicating code through unopened emails or un-clicked links."
Okay, now that's funny. I bet the NSA/FBI/CIA is having a fucking field day with this little flaw. Unless you can prevent everyone from sending you an email (!!) you can be compromised. And that is pretty much the whole fucking point of email: to receive an email.
"The unpackers work by parsing code contained in files before they're allowed to be downloaded or executed. Because Symantec runs the unpackers directly in the operating system kernel, errors can allow attackers to gain complete control over the vulnerable machine."
Gee whiz, it sounds like Billy-Bob Programmer had too many tokes at lunch and forgot about the system kernel security thingy or whatever. Ooopsie.
Just cruising through this digital world at 33 1/3 rpm...
This got me thinking of the maliciously constructed ZIP/RAR files that would expand endlessly from a very small zip into files that were larger than any hard drive could handle, as well as make directory/file structures so deep you couldn't delete them in Windows. Sure these days they are hiding malicious payloads in there as the above bugs mention, but I could see one of these being the payload for annoyance purposes if they still exist.
Horror & SciFi Erotic Nudes
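The summary's point about kernel-resident unpackers parsing attacker-controlled data and the comment above about archives that expand endlessly come down to the same defensive rule: the parser, not the attacker, decides how much output gets produced. As an added example (not code from the page, from Symantec, or from Project Zero), here is a zlib inflater driven in bounded chunks with an absolute output cap and an expansion-ratio cap; the sample payloads and the limits are constructed for the demo.

```python
import zlib


class UnpackLimitExceeded(Exception):
    """Untrusted compressed data would expand past the configured limits."""


def bounded_inflate(data: bytes, max_output: int, max_ratio: int = 200,
                    chunk: int = 64 * 1024) -> bytes:
    """Inflate a zlib stream without letting the input choose the output size.

    zlib.decompress(data) allocates whatever the stream asks for.  Here the
    inflater is driven through max_length in fixed chunks, and both an absolute
    output cap and an expansion-ratio cap are checked after every chunk, so a
    few kilobytes of input cannot balloon into gigabytes before being noticed.
    """
    inflater = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not inflater.eof:
        piece = inflater.decompress(pending, chunk)
        out += piece
        if len(out) > max_output:
            raise UnpackLimitExceeded(f"output exceeds {max_output} bytes")
        if len(out) > max_ratio * len(data):
            raise UnpackLimitExceeded(f"expansion ratio exceeds {max_ratio}:1")
        pending = inflater.unconsumed_tail
        if not piece and not pending:
            # No progress and no input left before end-of-stream: truncated data.
            raise ValueError("truncated zlib stream")
    return bytes(out)


def classify(data: bytes, max_output: int = 1 << 20, max_ratio: int = 200) -> str:
    """Scanner-style verdict: accept, or reject as a bomb or as malformed input."""
    try:
        bounded_inflate(data, max_output, max_ratio)
        return "accepted"
    except UnpackLimitExceeded:
        return "rejected: expansion limit"
    except (ValueError, zlib.error):
        return "rejected: malformed"


# Constructed samples (not from the page): a benign 2 KiB payload and a
# decompression bomb that unpacks 8 MiB of zeros from a few KiB of input.
PLAINTEXT = bytes(range(256)) * 8
BENIGN_SAMPLE = zlib.compress(PLAINTEXT)
BOMB_SAMPLE = zlib.compress(b"\0" * (8 << 20), 9)

if __name__ == "__main__":
    print("benign:", classify(BENIGN_SAMPLE))
    print("bomb:  ", classify(BOMB_SAMPLE))
    print("cut:   ", classify(BENIGN_SAMPLE[:16]))
```

This covers only the size-bounding half of the design; the other half, which Ormandy recommends, is running the inflater in a low-privilege sandboxed process rather than in the kernel.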
You've misused the word "ultimately" to imply a stubborn impasse ending in capitulation.
That's not how things went. Cutler kept all that flaky shit out of ring0 long enough to get most of the bugs out of the core OS, without becoming befuddled by having so many fingers to point. The game vendors had to suck it for a while with a development model where their own bugs were obviously their own bugs. I'm sure this helped sober up some of the worst offenders immensely.
Then when they were finally allowed into the kernel, there wasn't a lot left to blame in the kernel (their huge investment in gaining credibility in the server space absolutely depended upon a stable kernel) and by now the game vendors were a lot less cavalier with their development methods. Moreover, Microsoft probably could have kicked them back out of ring0 again, should that have become an insufferable problem.
The ideal model would have been a tick box for the user which determined whether to kernel-load or not the video driver code. Then the astute user could play the game for a few weeks in some low-quality mode, and if it hasn't bombed out in user space, make a sane trade-off to jack performance.
Generally, if you don't have to trust something, you won't need to trust something. Violators will be quarantined at their own expense. Repeat offenders will be tarred and feathered in the gamer forums—by the big fucking A/B smoking gun. What an absolute joy that would have been. Popcorn not included.
Let's just be clear on what happened here. A library used to defend against malware itself has a zero-day which is targetable by malware. This from an industry that has put decades of programming effort into doing just one thing, and attracts some of the best of the best as developers.
Just pointing this out explicitly for everyone who thinks that IoT won't wreak real physical harm, potentially on a scale previously unheard of and (as a consequence) programming same will not be tightly regulated and licensed with fingerprints and code signing and background checks and everything else the national security state can think of. Because it will. Because, as this shows, you cannot stop malware no matter how hard you try.
IoT is going to end programming freedom as we know it.
And still we rush headlong into its arms.
PatchGuard isn't intended to catch exploits; it's intended to stop driver developers from modifying the kernel.
if you care about security on your machine, switch to F-Secure or Kaspersky.
...for sure.
Ok, so which Formula 1 driver are you?
I have had Norton and Symantec on my own personal blacklist of entities I refuse to have anything to do with ever since I installed some version of Norton Internet Security and it made my web browsing (and possibly other stuff) stop working until I completely uninstalled it.
Windows has no equivalent function to AppArmor or SELinux to profile an executable's privileges before running it.
Windows 8 introduces "AppContainer", which IE uses for its Enhanced Protected Mode. An AppContainer provides a capability model analogous to Android permissions. UWP applications likewise run in an AppContainer. Google Chrome is based on Chromium, which has its own sandbox that uses AppContainer when available.
What Linux distro ships Chrome as the default browser? None of the main ones (Ubuntu, Mint, RHEL/CentOS, [open]SUSE, Debian, Arch, Gentoo).
Talk about moving the goal posts. But, AFAIK Chromium will happily do the same. But, then, I guess you'll try to claim that's not "default" too or some BS.
It isn't default. Do any of these ship Chromium in the install image, or do they all ship Firefox?
"Tavis Ormandy, a researcher with Google's Project Zero," I wonder if Tavis is any relation to Eugene Ormandy, the great conductor of the Philly Orchestra??? Hmmm.
Symantec is the elephant graveyard of software. Any software that Symantec acquires, no matter how good it was originally, will turn to crap. We saw it with Norton Antivirus, Norton Utilities, a couple other things.
For a while their enterprise antivirus product bucked the curve and actually did reasonably well, but I guess that was just a statistical anomaly that Symantec has since corrected.
I thought everyone knew about not doing dumb stuff like this no later than 1999. The Unix world knew that way back in the 1980s. So I suppose Windows is still around 30 years behind.
Just how thoroughly have hackers licked antivirus programs? So thoroughly that even Symantec, which essentially invented commercial antivirus, is jumping ship on the concept, the Wall Street Journal reports. Antivirus "is dead," Symantec Senior VP Brian Dye tells the paper. "We don't think of antivirus as a moneymaker in any way." Symantec's new stance, he explains, will be to assume that hackers can and will break through any antivirus protection, and to focus on containing the damage once they do. Symantec will create a response team businesses can call on if they've been hacked, intelligence briefings they can buy on specific threats, and technologies for identifying advanced malware in networks. Rivals already have similar products—as Channelnomics notes, other companies have been decrying the decline in antivirus effectiveness for years—but Symantec is hoping its conversion, even if late, can stem plummeting revenue. Dye says the company realized it was time "to get your act together and go play the game you should have been playing in the first place." http://www.newser.com/story/18... http://www.techweekeurope.co.u...