Slashdot Mirror
Google Found Disastrous Symantec and Norton Vulnerabilities That Are 'As Bad As It Gets' (fortune.com)
Google's Project Zero team has discovered a heap of critical vulnerabilities in Symantec and Norton security products. The flaws, the team says, allow hackers to completely compromise people's machines by simply sending them malicious self-replicating code through unopened emails or un-clicked links. According to a Fortune report, the vulnerabilities affect millions of people who run the company's endpoint security and antivirus software -- all 17 enterprise products (Symantec brand) and eight consumer and small business products (Norton brand). Dan Goodin, reporting for Ars Technica:The flaws reside in the engine the products use to reverse the compression tools malware developers use to conceal their malicious payloads. The unpackers work by parsing code contained in files before they're allowed to be downloaded or executed. Because Symantec runs the unpackers directly in the operating system kernel, errors can allow attackers to gain complete control over the vulnerable machine. Tavis Ormandy, a researcher with Google's Project Zero, said a better design would be for unpackers to run in a security "sandbox," which isolates untrusted code from sensitive parts of an operating system.
They need to hijack all network and file operations, so they do need hooks in the kernel. But these should be minimal, passing the data down to a sandbox without even peeking inside. The fact data that is *expected to be malicious* is allowed to interact directly with kernel level code is definitely FUBAR.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
If it wasn't in the kernel, how would it constantly suck 50% of your CPU and slow your machine to a crawl?
Without adding file system hooks to the kernel, how should a real-time antivirus tool trap attempts to read potentially infected files?
Sometimes I think the PC Matic guys are right: a whitelist is a more reliable way to block malware. But a whitelist requires more diligence to maintain if you don't want to turn a PC into a game console, and diligence is something sorely lacking in the non-technical majority.
details straight from Project Zero
TIL that blogger was bought by Google in 2003...
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I remember when Windows Vista came out Microsoft tried to lock down the kernel, but got sued by the above mentioned security vendors. This is what happens when you put your trust in third party vendors.
http://www.dailytech.com/Micro...
My workplace uses McAfee security products. We're safe.
They need to hijack all network and file operations, so they do need hooks in the kernel. But these should be minimal, passing the data down to a sandbox without even peeking inside. The fact data that is *expected to be malicious* is allowed to interact directly with kernel level code is definitely FUBAR.
That is a good point.
Obviously they do need to be in the kernel to check the operations, but the way you have broken it down makes a lot more sense than actually parsing items that are suspected of being malicious in kernel mode.
Pretty sad when convenience trumps security even in a security product.
ryanmc1: "I remember when Windows Vista came out Microsoft tried to lock down the kernel, but got sued by the above mentioned security vendors. This is what happens when you put your trust in third party vendors." link
'The whole "PatchGuard" concept shows how broken Microsoft's approach to an OS has become. The whole concept is to catch changes made by programs which already have full access to kernel space. By checking every five or ten minutes for a change, no less. That's inherently a futile exercise. It may break some current exploits, but it won't break new ones. Any program that has access to kernel space can take over the machine. It could load a whole new OS if it wanted to.' link
I told them they should have written it in Python
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
The 'real kernel' still needs to pass it down into the VM from physical media for processing. And the VM would need to be supervised by the host, not just launched and forgotten - the sandboxing won't help much if the virus hijacks the sandbox, and makes it pass everything through as 'clean' regardless of the content - the host needs to constantly monitor integrity of the checking process.
There are 'jailbreak' attacks that allow escaping VM sandbox and infecting the host, but they are difficult and rare.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
A bug in Norton? Really? How surprising. That's never happened before, has it?
People pay for Norton products all the time but I cannot in good conscience ever recommend any product from them. I have repaired computers that were literally damaged by simply installing norton products. I could go on and on (and have, many times when appropriate) about how this software doesn't work and is literally worse than nothing - based on MY OWN personal observations, and I am NOT alone.
But I don't go on about McAfee, I simply sum up McAfee products with one line: The only thing WORSE than any of the Norton products is anything from McAfee.
Not even worth the breath.
Flappinbooger isn't my real name
I was working for a developer who had a few video games published by Microsoft around the time NT was shipping. The games and marketing divisions where having it out with Dave Cutler and the NT team because the NT team was fighting like hell against putting anything that wasn't absolutely necessary in ring0 ("kernel") space. (The bulk of the NT team followed Cutler from DEC and were experience server OS developers). The NT team was taking the right approach for a server but on the hardware at the time that approach killed video/sound/etc performance (but on the up side, if your video driver crashed it wouldn't blue screen your server). It was made all the more exciting b/c Cutler was known for his temper. Ultimately they ended up putting it in ring0 and making other concessions for "consumers" and things just went down hill from there.
The ultimate irony is that Cutler ended up working on the HyperV implementation on the XBox One (among other things).
You're wrong on #2.
Porn sites do NOT spread malware. Maybe at one time they did, but not any more.
I have an anecdote to prove my point (this is the internet, after all)
A guy brings in his computer it has a virus. He's sure the kid has been doing "naughty" things on it and got it infected. Digital AIDS as it were.
I fixed the virus and did an "audit" of the PC's surfing history and searches and so on, giving me a timeline up to the point where it got infected.
The kid was indeed surfing porn. I asked the guy when he and momma went to bed. "10:00" he said. I told him I could tell. Little Johnny was surfing for "hot milfs", "Zoo porn" and other horrible things starting at 10:30. But the virus didn't get downloaded then.
The virus got downloaded at 7:30 in the morning when the adult got on the PC and did a google search for "TV Repair in [local town name]" and followed whatever link was there that took him to a fake antivirus driveby download.
In other words, Bestiality? Safe. TV Repair? Not safe.
I have other examples too, such as malicious ads on PBS kids and Drudge report and so on.
Flappinbooger isn't my real name
LD_PRELOAD doesn't intercept system calls, it intercepts library calls. Some of which do wrap system calls, but LD_PRELOAD helps you ZERO if you have a statically linked executable.
I'd imagine a lot of malware for Linux based operating systems very well might be statically linked, to avoid libc version dependencies.
You've misused the word "ultimately" to imply a stubborn impasse ending in capitulation.
That's not how things went. Cutler kept all that flaky shit out of ring0 long enough to get most of the bugs out of the core OS, without becoming befuddled by having so many fingers to point. The game vendors had to suck it for a while with a development model where their own bugs were obviously their own bugs. I'm sure this helped sober up some of the worst offenders immensely.
Then when they were finally allowed into the kernel, there wasn't a lot left to blame in the kernel (their huge investment in gaining credibility in the server space absolutely depended upon a stable kernel) and by now the game vendors were a lot less cavalier with their development methods. Moreover, Microsoft probably could have kicked them back out of ring0 again, should that have become an insufferable problem.
The ideal model would have been a tick box for the user which determined whether to kernel-load or not the video driver code. Then the astute user could play the game for a few weeks in some low-quality mode, and if it hasn't bombed out in user space, make a sane trade-off to jack performance.
Generally, if you don't have to trust something, you won't need to trust something. Violators will be quarantined at their own expense. Repeat offenders will be tarred and feathered in the gamer forums—by the big fucking A/B smoking gun. What an absolute joy that would have been. Popcorn not included.
Not a surprise. I've worked with IT guys who had worked on porn sites. They're obsessive about security. Competition is so fierce that anything that would give the user the least hesitation simply isn't tolerated.
Socialism: a lie told by totalitarians and believed by fools.
I have had Norton and Symantec on my own personal blacklist of entities I refuse to have anything to do ever since I installed some version of Norton Internet Security and it made my web browsing (and possibly other stuff) stop working until I completly uninstalled it.