Google Found Disastrous Symantec and Norton Vulnerabilities That Are 'As Bad As It Gets' (fortune.com)
Google's Project Zero team has discovered a heap of critical vulnerabilities in Symantec and Norton security products. The flaws, the team says, allow hackers to completely compromise people's machines by simply sending them malicious self-replicating code through unopened emails or un-clicked links. According to a Fortune report, the vulnerabilities affect millions of people who run the company's endpoint security and antivirus software -- all 17 enterprise products (Symantec brand) and eight consumer and small business products (Norton brand). Dan Goodin, reporting for Ars Technica: The flaws reside in the engine the products use to reverse the compression tools malware developers use to conceal their malicious payloads. The unpackers work by parsing code contained in files before they're allowed to be downloaded or executed. Because Symantec runs the unpackers directly in the operating system kernel, errors can allow attackers to gain complete control over the vulnerable machine. Tavis Ormandy, a researcher with Google's Project Zero, said a better design would be for unpackers to run in a security "sandbox," which isolates untrusted code from sensitive parts of an operating system.
Well that is harder than it sounds, in practice.
For example, without additional modifications to the kernel, does the scheduler know that not running your scan process will essentially cause I/O to stall for every other process?
Microsoft very sensibly provided kernel interfaces to address these issues, and was not going to allow these vendors to hook parts of the kernel during the run-up to NT 6.x. They all got their panties in a twist, though, and cried that it would prevent them from innovating. The result is that they have to deal with all these little interaction problems themselves; it's actually harder than it looks and leads to bugs, either in terms of security or in emergent behaviors and performance problems.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Without adding file system hooks to the kernel, how should a real-time antivirus tool trap attempts to read potentially infected files?
Sometimes I think the PC Matic guys are right: a whitelist is a more reliable way to block malware. But a whitelist requires more diligence to maintain if you don't want to turn a PC into a game console, and diligence is something sorely lacking in the non-technical majority.
A whitelist is useless. It will either--as you said--just lock down the computer a la Windows RT, or it won't prevent the admin from whitelisting whatever he wants to execute or install, thus retaining the exact same threat risk as before.
For optimal security, what one should do before executing an unknown binary is (1) first run it in a safe testing environment [e.g. a virtual machine] and carefully monitor the std streams to make sure it's not trying to do something malicious, and/or (2) use mandatory access control [e.g. SELinux, AppArmor] to profile the binary before executing it, thus ensuring that it won't be able to do anything beyond the realm of what the admin expects it to do. As additional safeguards, ALWAYS have multiple backups of important data. Also, a ZFS/btrfs snapshot would be good too.
But all of that's for the security-conscious. 99% of the human race won't bother with any of that--and that's why Windows has an atrocious reputation for security and crapware, because the UAC introduced in Vista has just conditioned people to click through everything, and even the very best antivirus programs (among which I count BitDefender and Kaspersky--NOT Norton, Symantec, McAfee, or Windows Defender) don't protect against zero-days. It's still not difficult to unintentionally cultivate malware just through email attachments and web browsers.
Linux is infinitely superior in this regard, since you have the baked-in defenses from POSIX, but also because the important Linux distros all ship with SELinux or AppArmor sandboxing the privileges of the email client and browser by default.