Slashdot Mirror


New 'Illusion Gap' Attack Bypasses Windows Defender Scans (bleepingcomputer.com)

An anonymous reader writes: Security researchers have discovered a new technique that allows malware to bypass Windows Defender, the standard security software that comes included with all Windows operating systems. The technique -- nicknamed Illusion Gap -- relies on a mixture of both social engineering and the use of a rogue SMB server.

The attack exploits a design choice in how Windows Defender scans files stored on an SMB share before execution. For Illusion Gap to work, the attacker must convince a user to execute a file hosted on a malicious SMB server under his control. This is not as complex as it sounds, as a simple shortcut file is all that's needed.

The problems occur after the user double-clicks this malicious file. By default, Windows will request from the SMB server a copy of the file for the task of creating the process that executes the file, while Windows Defender will request a copy of the file in order to scan it. SMB servers can distinguish between these two requests, and this is a problem because an attacker can configure their malicious SMB server to respond with two different files. The attacker can send a malicious file to the Windows PE Loader, and a benign file to Windows Defender. After Windows Defender scans the clean file and gives the go-ahead, Windows PE Loader will execute the malicious file without Windows Defender realizing they're two different things. Microsoft declined to patch the bug, considering it a "feature request."

74 comments

  1. more epic corporate microsoft clusterfuck by Anonymous Coward · · Score: 0

    epic corporate microsoft clusterfuck network

  2. Wastes bandwidth too... by green1 · · Score: 4, Insightful

    Why send a file once when you can send it twice instead?

    1. Re:Wastes bandwidth too... by Anonymous Coward · · Score: 1

      this is what pisses me off the most.

      try doing it with a 500mb installer .exe, even over gigabit it takes FOREVER.

    2. Re:Wastes bandwidth too... by Anonymous Coward · · Score: 0

      They probably cannot hook into the low level file request, just intercepting the path and requesting it again for windows defender.

    3. Re:Wastes bandwidth too... by michelcolman · · Score: 4, Insightful

      That doesn't make any sense. The system should just download the file, give it to Windows Defender, wait for its reply, and then execute the file if it's OK. Or, if you can't trust the non-defender part of the system, ask Defender to download the file, then let Defender hand it over to the system to execute. No matter how you do it, a single download is faster AND more secure.

      Why download a file twice? Bandwidth is too cheap nowadays, I suppose?

    4. Re:Wastes bandwidth too... by Anonymous Coward · · Score: 0

      ...but, Google said Defender is best!

      https://it.slashdot.org/story/17/02/01/1334219/google-chrome-engineer-says-windows-defender-the-only-well-behaved-antivirus-cites-tons-of-empirical-data?sdsrc=rel

      ...and MS said Windows 10 is the most securest Windows evar!

      https://tech.slashdot.org/story/16/11/14/0721206/microsoft-says-windows-10-version-1607-is-the-most-secure-windows-ever?sdsrc=rel

    5. Re:Wastes bandwidth too... by Njovich · · Score: 2

      SMB is basically either block level or streaming. It doesn't just copy the entire file over the network the moment you access it, unless your system requests all of the file. Depending on the server, connection and file request configuration, the received data can usually be cached. You don't want it to always cache, because sometimes you may actually need updates in data. I would hazard a guess and say that the exploit relies on a situation where caching is off.
      Then you get the following issue: defender cannot use the calls the executable makes for reading the file, because it needs to scan the whole file at once, so it just requests the whole file. However, the executable will make its own read calls, so the only way to reuse the data is using the aforementioned caching. Which needs to be off in some situations.
      It doesn't typically get sent twice, and there is also not an easy fix without breaking lots of people.

    6. Re:Wastes bandwidth too... by Anonymous Coward · · Score: 0

      If that's the best you have, you should just stfu, you aren't helping.

    7. Re:Wastes bandwidth too... by tlhIngan · · Score: 4, Insightful

      That doesn't make any sense. The system should just download the file, give it to Windows Defender, wait for its reply, and then execute the file if it's OK. Or, if you can't trust the non-defender part of the system, ask Defender to download the file, then let Defender hand it over to the system to execute. No matter how you do it, a single download is faster AND more secure.

      Why download a file twice? Bandwidth is too cheap nowadays, I suppose?

      Your way makes perfect sense... if you believe a security product is integrated into the OS itself.

      However, Microsoft is under different rules, and Windows Defender must be disable-able in case the user decides they want to use a different security software product. Otherwise imagine the hell Kaspersky, Symantec, etc. will raise. Heck, Windows 10 updates that disable those products until updated already spurred lawsuits.

      So Windows Defender must be able to act like any other program would, and in this case, when you want to open a file, the kernel hook fires and Windows Defender scans the file first before letting Windows open the file.

      About the only way around this would be to have the PE Loader be hookable so Windows Defender and other software can scan the file image after loading into memory but prior to execution. Assuming that's possible, given how the PE Loader might not actually read the entire file at once into memory, but instead just skip about when reading. In this case perhaps the hook might be near the very end before it jumps.

    8. Re:Wastes bandwidth too... by Anonymous Coward · · Score: 0

      Yes there is. If Windows Defender chooses to scan the file, then the file has to be downloaded in its entirety before it even starts to run. In that case, rather than lazy-load the executable from a new connection, the kernel can just lazy-map it to the cached version it already downloaded for scanning.

      Windows Defender should behave like a validation step rather than a separate application, because its purpose is to validate the contents of an executable before it is run, not the file from which it is run.

      I don't see how making Windows Defender behave correctly would break caching rules. Those rules describe how subsequent requests to the same file should be handled, not how applications decide to validate the data they receive.

    9. Re:Wastes bandwidth too... by KiloByte · · Score: 4, Informative

      Windows does have an equivalent of ptrace, so how exactly is this a problem? You hook onto the process that's being created (on Windows there's no separation between fork and exec) having it start as traced. It gets mmapped, you check whatever got loaded into that process' address space, detach the trace.

      It'd also have double the performance when the file fits into memory: no need to request the file over network twice. And if it doesn't fit, well, page cache is perfectly equipped to deal with this.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.

    10. Re:Wastes bandwidth too... by Njovich · · Score: 1

      You seem to be confusing a couple of things, but your overall message, to just force the use of the defender scans, is true (I did mention it in the previous comment, but perhaps I dismissed it too easily). There are some things to keep in mind:
      - Might break compatibility with some use cases Microsoft needs to support
      - It might be difficult to do this only for some kind of files like executables
      - There may be workarounds like exhausting the cache in either space or time which would make the fix useless
      Or god knows what other issues Microsoft is facing in their ancient SMB codebase.
      I guess it's good to question Microsoft over this, but it's probably not helpful to come up with magic handwaving solutions. If it was really simple, I'm sure they would have done it already.

    11. Re: Wastes bandwidth too... by Anonymous Coward · · Score: 0

      I suspect their ancient SMB code base is most of the problem here honestly. Although with the reliance on it, I'm not entirely sure you could really do much at this point about it short of trash it and go to something brand new.

      Maybe a simpler solution here would be to have the system request both transfers and then pass one off to Defender. That way the SMB server really couldn't tell the difference between which one was a Defender request and which one was a kernel request. I don't really know enough about this honestly to say how feasible that would be though.

    12. Re:Wastes bandwidth too... by Anonymous Coward · · Score: 1

      Uh.. it still makes sense even if you have a third party checking the files. You just set up a system for products to become registered as the file checking agent, and instead of sending the file to defender, you send it to the 3rd party agent before executing.

    13. Re:Wastes bandwidth too... by Anonymous Coward · · Score: 0

      I think this is an Explorer thing: Windows Explorer executes every file to get its icon and meta-data from the PE header.
      I don't think this is done when using the command-line or using a file browser not based on windows explorer.

  3. Fucking Windows 98! by Anonymous Coward · · Score: 0

    n/t

  4. No systemd by Anonymous Coward · · Score: 1

    Everyone on windows needs to take this opportunity to transition to a systemd free version of Linux.

    1. Re: No systemd by Anonymous Coward · · Score: 0

      Overblown.

      Executable still runs in userland, and any company worth their salt would not allow a foreign computer into their Network or let alone allow users with execute bit

    2. Re: No systemd by Anonymous Coward · · Score: 1

      It requires you to not treat a computer as a magic wish device.
      That should mitigate some of the issue with social engineering.

    3. Re: No systemd by WorBlux · · Score: 1

      Doesn't necessarily need to be an executable. A malicious word or flash document would probably work just fine in most cases. A large company is probably going to firewall SMB to unknown remote sites, but smaller companies certainly wouldn't.

    4. Re: No systemd by Kaenneth · · Score: 1

      AKA it's harder to use.

  5. Cue the "Has Microsoft Changed" Headlines by ohnocitizen · · Score: 1, Offtopic

    Microsoft declined to patch the bug, considering it a "feature request."

    Someone should pair this with the article asking if Microsoft has changed their ways because they're embracing Linux.

    1. Re:Cue the "Has Microsoft Changed" Headlines by Anonymous Coward · · Score: 0

      Meanwhile I'd like to know who requested this "feature".

  6. I did by Anonymous Coward · · Score: 1

    Decided to give good old Slackware a try. It worked perfectly. I wasn't left with a crippled system either. Some Debian dickheads have decided to not include vital tools like traceroute or nslookup. Kind of difficult to install that package when your route is fucked up. Which brings me to the next point, the route command. It's worked the same way just fine for decades now. In the past you could do "route add default x.x.x.x" not so anymore. The syntax changed for no reason at all.

    So in short if you want Linux the way it used to be before these systemd idiots took a shit all over everything then try Slackware.

    1. Re:I did by WorBlux · · Score: 1

      Um, no. You're confusing the BSD and GNU versions of the command. I've found references of "route add default gw x.x.x.x " at least back to 2006. While the latest FreeBSD manual refers to your syntax.

  7. Not a big deal by The+MAZZTer · · Score: 1

    I might side with MS on this one, though the response doesn't make them look good. The hardest part of this will be getting the user to try and launch the program in the first place. It may be a lot easier just to tailor the malware to evade detection when scanned.

    First of all, you can't just make a link the user can click. Chrome and Firefox both block links from the internet that point to the local PC or SMB shares (not sure what IE/Edge do). Even if you get the user to enter the url manually, Chrome and Firefox won't run files but will download them (and tell the virus scanner to scan it), which is a different process from running it directly off the SMB. Chrome even will warn the user if they try to download dangerous file types (such as EXE) from a SMB share.

    IE and Edge both open File Explorer to a share if you get the user to type an address in the address bar. But to their credit, if the address is to a file rather than a folder they seem to ignore the entry.

    You could potentially find some desktop application that linkifies UNC paths sent to it and get users to click on your malicious path, but I can't imagine any would do so, I can't see how it would be useful. The only one I know of is Lync/Skype for Business, which is of course local network chat, not internet chat.

    Windows will alert you if you try to open a dangerous file type off of a SMB share. So the user would have to bypass this dialog.

    And of course you're assuming they're running Windows Defender. I would think Windows still would fail to pass the proper binary to any other virus scanner that might have its hooks into Windows, but other scanners could potentially do things like scan the process when it starts to catch the malware.

    If you can convince the user to do all this you can probably exploit them some other way just as easily, I'd think.

    1. Re:Not a big deal by Anonymous Coward · · Score: 1

      Windows will alert you if you try to open a dangerous file type off of a SMB share.

      This.

      IIRC Windows will scream holy hell if you try and execute any file or script (even thru command prompt) on a SMB share that is not identified as part of your domain network with the same FQDN, or on the local network.

      You can try this yourself - map a drive to share on an IP address e.g. if Z: = \\10.10.10.10\share_name and you try to execute anything, you should get one of those "bitch is you crazy?" dialog boxes with a big red X icon. You can click OK to proceed, but at your own risk.

    2. Re:Not a big deal by itsme1234 · · Score: 1

      Yes, this is what I wanted to post too - this attack is much harder than just making the malware not trigger the defender.

      HOWEVER I wonder who came up with this "brilliant" idea, I was always in my head operating on the assumption that "live" scan operates by intercepting the call of the application and analyzing the data there. This idea of "let me go outside and see what this file is" for this purpose is not only crazy and a small security gap but also a performance killer.

    3. Re:Not a big deal by Anonymous Coward · · Score: 1

      Well, yeah, if you got inside the network (e.g. Deloitte and Equifax) then there are probably easier ways to expand your control, but it just shows that the MS ecosystem is as waterproof as a rusted out colander. If they fix one set of common exploits, then there are always others to exploit.

    4. Re:Not a big deal by Anonymous Coward · · Score: 0

      Microsoft: "Insecurity through leaky abstractions." (TM)

    5. Re:Not a big deal by StormReaver · · Score: 2

      Windows will alert you if you try to open a dangerous file type off of a SMB share. So the user would have to bypass this dialog.

      That made me laugh. Most Windows users will answer yes to just about any question that stands between them and any malicious program they are trying to run.

      This flaw is critical, and Microsoft's response shows how little it still cares about security.

    6. Re: Not a big deal by Anonymous Coward · · Score: 0

      I'm not inclined to blame Microsoft or any other OS developer for user stupidity. At some point it's on the user to actually take some responsibility for their actions. If you're the type to just click through warnings without taking a minute to understand them, it doesn't matter if those warnings are provided by Windows, Linux, OSX, Android, etc.

      We sort of have this habit of blaming Windows for things that are not specifically Windows problems. If Linux had 80%+ of the world's user base, you'd be seeing the same types of issues because you'd be seeing the same idiot users trying to do stupid shit.

    7. Re:Not a big deal by bignetbuy · · Score: 1

      Nonsense. The OS has done its job. If the end-user chooses to bypass a security warning, the onus is on the end-user, not the operating system.

    8. Re: Not a big deal by Bert64 · · Score: 1

      Windows gets blamed because it's always been marketed as being suitable for those exact kinds of users who are stupid enough to fall for this sort of thing.
      The fact is, general purpose operating systems are simply not suitable for most users, they are tools for geeks and require specialised knowledge to operate correctly.

      So yes, Microsoft get blamed because they have knowingly marketed an unsuitable tool to users who are unqualified to use it.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!

    9. Re: Not a big deal by david_thornley · · Score: 1

      Thing is, users will predictably do some things. Calling it "user stupidity" is only a way to try to duck the blame. Microsoft makes software that is intended to be run by humans, not any other form of intelligent life. Most of these humans have used Windows, and have acquired habits that tend to work on Windows. So, Microsoft managed to train these humans to ignore warnings somehow, and they're completely blameless?

      It isn't the fault of the human race that we're human. It isn't the fault of humanity if a certain UI doesn't work with humans, or tends to form a habit that degrades security. It's the fault of those designing the UI. Similarly, Communism would be an excellent economic system for various forms of intelligent life I can imagine, but we all know how bad it is when applied to humans.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes

    10. Re: Not a big deal by Brockmire · · Score: 1

      I'd pay up to $10 for an app that replaced Windows error/question messages with ghetto slang. Instead of progress bars, "ain't nobody got time for that".

  8. "feature demand" from NSA/CIA by Anonymous Coward · · Score: 1

    is most likely what it is.

  9. Feature Request by Anonymous Coward · · Score: 0, Insightful

    Good to see that MS is patriotically working the US government to implement NSA requests

  10. I am still mad by Gabest · · Score: 1

    It deleted a crack for a game that I had for more than twenty years on my network storage, from inside an archive file.

    1. Re:I am still mad by Anonymous Coward · · Score: 0

      It doesn't do anything automatically unless previously told to do so. The default action Windows Defender takes when it finds something is to bring up a window stating details about what it's found, and what the user can do about it (quarantine, delete or allow). So unless you previously changed the default to automatically delete, nothing will happen. Also, this is the Internet. Cracks are incredibly easy to find, even for a 20+ year old game.

      This just feels like a rant to get karma because everyone here irrationally hates Windows and never blames their own ignorance.

    2. Re:I am still mad by Mal-2 · · Score: 1

      BitDefender used to do that shit to me ALL THE TIME, but the final straw was when it decided my development environment was malicious because it contained the gcc++ compiler, and utterly broke it. At least Windows Defender doesn't pop up over something that common.

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.

    3. Re:I am still mad by Ambassador+Kosh · · Score: 1

      I had Bitdefender start flagging the software I was compiling with the intel compiler using aggressive optimizations. It took a bit to figure out what had gone on. I had compiled the software without errors but the binary and shared lib were missing. I thought originally it was my dev environment screwing up. When I figured out it was bitdefender and that others had reported the same problems I dumped it. If you mark the software I just wrote and compiled as malicious I don't need your faulty AV software. The software was just an HPC chemical simulator.

      --
      Computer modeling for biotech drug manufacturing is HARD! :)

    4. Re: I am still mad by Anonymous Coward · · Score: 0

      Bullshit. CCleaner was uninstalled on all my home PCs without any warning or notice a few months ago along with every cracked uplay_loader.dll and Steam_api.dll file. Half of my games instantly stopped working since the cracked dlls they depend on vanished after a Windows Update. The only resolution was to disable Windows Defender in Safe Mode and then re-download all my games all over again.

    5. Re: I am still mad by Brockmire · · Score: 1

      I've seen this with older XP WGA crack and an office crack. It was definitely unexpected, automatic, and I certainly didn't fucking tell it to do that automatically any time, ever. Don't be so sure to deny shit you can't possibly disprove.

  11. Windows Defender has a bug because... by zifn4b · · Score: 4, Insightful

    For Illusion Gap to work, the attacker must convince a user to execute a file hosted on a malicious SMB server under his control.

    Ticket Description: Windows Defender is vulnerable to human stupidity
    Acceptance Criteria: Show that humans are no longer stupid
    Priority: High

    Chop chop developers!

    --
    We'll make great pets

    1. Re:Windows Defender has a bug because... by fibonacci8 · · Score: 1

      Ticket Description: Windows Defender is vulnerable to human stupidity
      Acceptance Criteria: Show that humans are no longer stupid
      Priority: High

      Chop chop developers!

      Ticket Description: Windows Defender duplicates work in a way that increases the number of unnecessary potential vulnerabilities by one.
      Acceptance Criteria: Please, stop foisting levels of trust on third party sources for your users without consent.
      Priority: High enough that it makes the competition look good in comparison

      It's incredible how different a situation appears when the goal is an improvement for everyone, rather than just vaguely blaming everyone involved.

      --
      Inheritance is the sincerest form of nepotism.

    2. Re:Windows Defender has a bug because... by Anonymous Coward · · Score: 0

      Yes. The idiot clicking the link in an email can't do this. He isn't (shouldn't be) reading email on the SMB server. Only IT should have the ability to run executables on the server.

    3. Re:Windows Defender has a bug because... by Anonymous Coward · · Score: 1

      Unfortunately, this bug doesn't require user stupidity.

      Let's say that you have a network share with documents on it. Usually you fire up your network share, navigate to the folder, open a document, and start work - a normal process for a good percentage of office workers.

      Unfortunately I've compromised the remote machine. I've replaced the documents with executable code, knowing that you're already de-sensitised to any warnings as you see them every time you open a document that contains a macro, which is most of the time in corporate-land.

      But wait - you've actually taken in the last 30 years of advice and are running up to date antivirus software which checks the files or programs you open for my malicious code, so I've been foiled! Except that your AV program is - for some inexplicable reason - requesting its own copy of the file to check, and I can send it basically whatever I like, whilst sending you my nasty payload.

      Now clearly the AV program has the hooks in place to preempt opening a file, so why is it asking for a copy from the remote source and then allowing the process to proceed to request one again, rather than passing the checked file directly on to the initiating process? It's poor design from both a resource use and security point of view, and smacks of both laziness and incompetence, either of which are a bit worrying in a security product.

    4. Re:Windows Defender has a bug because... by PPH · · Score: 1

      knowing that you're already de-sensitised to any warnings as you see them every time you open a document that contains a macro

      Assuming users even know or care about these warnings

      --
      Have gnu, will travel.

  12. Low threat profile. by CptLoRes · · Score: 2

    The technique -- nicknamed Illusion Gap -- relies on a mixture of both social engineering and the use of a rogue SMB server.

    This sounds more like a problem with an inside job from a disgruntled worker than a realistic threat.

    1. Re:Low threat profile. by Anonymous Coward · · Score: 0

      I don't understand the distinction.

      Can you please cleanly differentiate these two categories of attackers?

    2. Re:Low threat profile. by Anonymous Coward · · Score: 0

      A burglar vs. a cleaning lady.

  13. "The problems occur after the user double-clicks" by Anonymous Coward · · Score: 0

    Ha! My system is set up to use SINGLE clicks.. Check mate, hackers.

  14. Same old by dskoll · · Score: 1

    Nothing but a venerable TOCTOU.

    1. Re:Same old by Anonymous Coward · · Score: 0

      Nothing but a venerable TOCTOU.

      Nope.

      TOCTOU requires it to be the same data source being checked, but the data changed after verification. In this case, the executable is downloaded twice, so there are two sources. The actual code to be executed is never checked at any point and is malicious to begin with, while something else that is completely unrelated from an execution standpoint is vouching for it, and is never modified.

      Heck this even bypasses the farce of digital signatures* because the signature to be checked is on a different executable. Anyone called the Xbox hackers yet? I'm sure they'd love to hack an Xbox and not even need to bother with security.

      This is a third party trust issue created by a bone headed idiot programmer. If Microsoft needed to support an old use case, they needed to make restoring the original behavior a registry / GP option and have it turned off by default. Instead they've left people vulnerable to a very egregious security flaw that violates basic security principles.

      * Farce because digital signatures are a TOCTOU issue. The signature is checked prior to the loader remapping or linking the text sections, and isn't verified during execution. So once the code is running, the digital signature does no good, as it's no longer relevant.

    2. Re:Same old by dskoll · · Score: 1

      You are splitting hairs. It's the same principle: what gets used isn't what was checked.
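Added example, not from the article or from any commenter: a small Python model of the flaw described in the summary (scanner and loader each fetch the file, and the source can tell the two requests apart) and of dskoll's point that what gets used isn't what was checked. The Share class, the marker string, the toy scanner and the three execute functions are all constructed for illustration; the two fixed variants model the single-fetch design several commenters ask for and the compare-both-copies idea from comment 24.

```python
"""Toy model of the Illusion Gap design flaw and two defensive fixes.

Constructed example: nothing here speaks SMB or runs code. The scanner
is a trivial signature match, the "loader" only returns the bytes it
would have mapped, and Share is an untrusted source that can answer a
scanner's read and a loader's read differently (the property the
article attributes to the attacker-controlled server).
"""
import hashlib
from typing import Optional

# Constructed signature and sample files; a real scanner uses a database.
BAD_MARKER = b"SIMULATED-BAD-MARKER"
CLEAN_FILE = b"MZ...benign program bytes..."
FLAGGED_FILE = b"MZ..." + BAD_MARKER + b"..."


class Share:
    """Untrusted file source that may answer differently per requester."""

    def __init__(self, for_scanner: bytes, for_loader: bytes):
        self._by_requester = {"scanner": for_scanner, "loader": for_loader}
        self.reads = []  # audit trail of which component asked

    def read(self, requester: str) -> bytes:
        self.reads.append(requester)
        return self._by_requester[requester]


def scan(data: bytes) -> bool:
    """Return True when the bytes are considered clean."""
    return BAD_MARKER not in data


def flawed_execute(share: Share) -> Optional[bytes]:
    """Scan one fetch, then load a second fetch: the pattern in the article.

    Returns the bytes that would be executed, or None if blocked.
    """
    if not scan(share.read("scanner")):
        return None
    return share.read("loader")  # may differ from what was scanned


def fixed_execute_single_fetch(share: Share) -> Optional[bytes]:
    """Fetch once: the bytes scanned are exactly the bytes handed to the loader."""
    data = share.read("loader")
    if not scan(data):
        return None
    return data


def fixed_execute_compare(share: Share) -> Optional[bytes]:
    """Keep two fetches, but refuse to run unless both copies are identical."""
    scanned = share.read("scanner")
    if not scan(scanned):
        return None
    loaded = share.read("loader")
    if hashlib.sha256(scanned).digest() != hashlib.sha256(loaded).digest():
        return None  # the source answered differently: treat it as hostile
    return loaded


if __name__ == "__main__":
    hostile = Share(for_scanner=CLEAN_FILE, for_loader=FLAGGED_FILE)
    print("flawed:        ", flawed_execute(hostile))          # flagged bytes get through
    print("single fetch:  ", fixed_execute_single_fetch(Share(CLEAN_FILE, FLAGGED_FILE)))
    print("compare copies:", fixed_execute_compare(Share(CLEAN_FILE, FLAGGED_FILE)))
```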

  15. Not worried about this myself by Anonymous Coward · · Score: 0

    I just think this requires a bit too many what-ifs to worry too much about it. I've basically used just Security Essentials and now Defender for years without issues. I know some probably are not so in tune with being aware and identifying security issues. Those in that category need more robust protection. But nothing is 100% and being more educated of the risks does help eliminate some of that risk.

  16. Major design flaw in windows defender by Anonymous Coward · · Score: 0

    This shows that whoever designed windows defender is brain dead.
    Windows defender should scan the actual object being loaded by the kernel, instead of doing stupid things like detecting an execution and then requesting a file with similar name.
    I could understand if this was symantec and they said, well there is no API for that.
    But this is microsoft. They can create a fucking API just for windows defender.
    In any case, if you can get someone to execute a file, how are they not fucked already?
    Just use one not detected by windows defender.

  17. Ideas Ideas by Anonymous Coward · · Score: 0

    Reality is defined by that which there is some type of introduction. Now What ...(?)...

  18. Windows ME vs. Windows PE by Anonymous Coward · · Score: 0

    Remember how Windows ME was supposed to be pronounced?

    1. Re:Windows ME vs. Windows PE by Anonymous Coward · · Score: 0

      I don't, actually. Also, this story belongs on worsethanfailure

  19. If Windows Defender is vulnerable, are others? by ebrandsberg · · Score: 1

    How do other anti-virus programs handle this scenario? Some comments were saying this behavior was a result of Defender having to do nothing more than others could do, so this implies the hooks necessary to handle this correctly may not be there. Do others also download a separate copy? Is it that their copy can't be differentiated while the Defender copy can? What makes this Defender specific?

  20. "malicious SMB server"? by Anonymous Coward · · Score: 0

    Yet another reason for ISPs to block SMB traffic at their boundaries.

  21. dialog box indoor plumbing by epine · · Score: 1

    Bathroom sinks used to have separate taps for hot and cold.

    Now we have single-lever controls that combine rate with temperature, by interpolating uniformly between hot and cold. Gasoline pumps do something similar to deliver various octane levels from a small number of distinct feed stocks.

    There's no reason, therefore, that a bathroom can't have three different feed stocks: hot (guaranteed no Ebola), cold (guaranteed no Ebola), and fountain of youth (no safety standard mandated).

    Of course, you wouldn't want people rinsing their toothbrush with FoY without their consent, seeing as there might just be a tiny health risk.

    So, for end-user safety, when you crank the lever hard to the left, a red light flashes, there's a momentary buzz, and a few ounces of extra lever resistance which the user must deliberately overcome.

    Good design?

    You be the judge.

    Another approach would be to never allow any byte stream into a page with the execute bit set that hasn't been scanned beforehand. This would be like not piping suspect FoY into the bathroom in the first place. I know, I know. Too dull for words.

  22. Where's the "AI" peeps? by CaptainDork · · Score: 1

    Those fanbois who push AI should be all over this.

    Talk about machine learning!

    Something like this should only happen once, then a fix should be propagated out.

    I'm being facetious, of course. AI can't handle a job like that.

    --
    It little behooves the best of us to comment on the rest of us.

  23. Not only Defender by janoc · · Score: 1

    Actually the Windows Firewall has a similar problem too.

    You launch an application, it starts executing and communicating over the network - while the firewall pop-up asking the user for permission to access network is up. However, the application is communicating already!

    This is easily visible with Wireshark, for example.

    It boggles the mind why Microsoft thought that this is actually a useful feature ...

    1. Re:Not only Defender by im_thatoneguy · · Score: 1

      Firewalls should by default assume applications executed by the user are valid since UAC is specifically designed to handle this.

      Every PC should be behind a firewall already at the gateway/router level. So the only thing you're exposing yourself to is an internal network threat momentarily. The alternative is to by default block all user-executed applications on the PC and 99.9999999% of the time pissing off users. Pissed off users do one thing with near certainty: they disable the feature annoying them.

      Better to expose users to internal threats for 3-4s on the off chance they don't want the application through the firewall than to have nobody run a firewall ever.

    2. Re:Not only Defender by david_thornley · · Score: 1

      Firewalls should by default assume applications executed by the user are valid since UAC is specifically designed to handle this.

      Assuming the application has been compromised, the user will allow execution through UAC (if needed) because the user wants to run the program and thinks it's OK, and then the firewall assumes that, since the user launched a program without knowing it's been compromised, and lets all the packets through.

      How many PCs are behind an external firewall? It may be that they should, but every time I've set up a router at home that had firewall capability, that capability was in the "advanced" section, and the average person would never see it.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes

  24. Interesting but low probability. by Darkness+Of+Course · · Score: 1

    One wonders how unaware the average W* user is. No Linux user would do that, I doubt if it's an OS X thing. But even assuming the worst for W* users this has to be a small attack vector.

    The piece reads well, but convincing someone to execute a remote file seems like a stretch. Of course, if MSFT would address the issue by comparing the two files it would nip this 'feature' in the bud.