lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 13 May 2010 17:16:52 -0400
From: "Larry Seltzer" <larry@...ryseltzer.com>
To: "Marsh Ray" <marsh@...endedsubset.com>,
	"Juha-Matti Laurio" <juha-matti.laurio@...ti.fi>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: KHOBE - 8.0 earthquake for Windows desktop
	security software

Actually, a consensus is developing that their claims are greatly
exaggerated.

The SSDT hooking they cite is only used on Windows XP (and server 2003)
and earlier. Starting in Vista SP1 Microsoft offered APIs that were good
enough that AV vendors didn't need to hook the SSDT and could co-exist
with Patchguard on 64-bit systems (the APIs are also on 32-bit Windows).
It's not even clear that Matousec actually tested all 35 of those
products to the point of exploiting them; all they did was to confirm
that they used SSDT patching (on XP). I asked them for comment on this
on the record and they didn't reply.

More than one antivirus vendor has said that their products are not
vulnerable to the technique. It's hard to say who is telling the truth,
but given all their overstatement matousec doesn't deserve the benefit
of the doubt.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer@...fdavis.com 
http://blogs.pcmag.com/securitywatch/

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Marsh
Ray
Sent: Thursday, May 13, 2010 5:06 PM
To: Juha-Matti Laurio
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] KHOBE - 8.0 earthquake for Windows
desktop security software


Nice research! Thanks hmatousec.com for putting up the hard work of
testing all those products.

Anyone else notice the connection with the Systrace badness from a while
back?
http://www.watson.org/~robert/2007woot/
'Exploiting Concurrency Vulnerabilities in System Call Wrappers'

Perhaps Windows AV developers need to get out more.

- Marsh


On 5/13/2010 3:04 PM, Juha-Matti Laurio wrote:
> Some AV vendors have posted their 'is-the-game-over-or-not' type
> response.
> 
> F-Secure: http://www.f-secure.com/weblog/archives/00001949.html
> 
> Trend: 
> http://countermeasures.trendmicro.eu/you-just-cant-trust-a-drunk/
> 
> Sophos: 
>
http://www.sophos.com/blogs/gc/g/2010/05/11/khobe-vulnerability-game-sec
urity-software/
>
>  ESET: 
>
http://www.eset.com/blog/2010/05/11/khobe-wan-these-arent-the-droids-you
re-looking-for
>
>  Juha-Matti
> 
> Jeffrey Walton [noloader@...il.com] kirjoitti:
>> 
>> Hi , Also known as a TOCTOU binding flaw (thanks GDM). 
>> http://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf
>> (dated 1996).
>> 
>> Jeff
>> 
> On Wed, May 5, 2010 at 3:14 AM, www.matousec.com - Research
> <researchmatousec.com> wrote:
>>> Hello,
>>> 
>>> We have found number of vulnerabilities in implementations of
>>> kernel hooks in many different security products.
>>> 
> --clip--
> 
> _______________________________________________ Full-Disclosure - We
> believe in it. Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists