| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9B9E7EA67E1B1342B2D25F3FD1B3293003920F41@BE35.exg3.exghost.com> Date: Thu, 13 May 2010 17:16:52 -0400 From: "Larry Seltzer" <larry@...ryseltzer.com> To: "Marsh Ray" <marsh@...endedsubset.com>, "Juha-Matti Laurio" <juha-matti.laurio@...ti.fi> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: KHOBE - 8.0 earthquake for Windows desktop security software Actually, a consensus is developing that their claims are greatly exaggerated. The SSDT hooking they cite is only used on Windows XP (and server 2003) and earlier. Starting in Vista SP1 Microsoft offered APIs that were good enough that AV vendors didn't need to hook the SSDT and could co-exist with Patchguard on 64-bit systems (the APIs are also on 32-bit Windows). It's not even clear that Matousec actually tested all 35 of those products to the point of exploiting them; all they did was to confirm that they used SSDT patching (on XP). I asked them for comment on this on the record and they didn't reply. More than one antivirus vendor has said that their products are not vulnerable to the technique. It's hard to say who is telling the truth, but given all their overstatement matousec doesn't deserve the benefit of the doubt. Larry Seltzer Contributing Editor, PC Magazine larry_seltzer@...fdavis.com http://blogs.pcmag.com/securitywatch/ -----Original Message----- From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Marsh Ray Sent: Thursday, May 13, 2010 5:06 PM To: Juha-Matti Laurio Cc: full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] KHOBE - 8.0 earthquake for Windows desktop security software Nice research! Thanks hmatousec.com for putting up the hard work of testing all those products. Anyone else notice the connection with the Systrace badness from a while back? http://www.watson.org/~robert/2007woot/ 'Exploiting Concurrency Vulnerabilities in System Call Wrappers' Perhaps Windows AV developers need to get out more. - Marsh On 5/13/2010 3:04 PM, Juha-Matti Laurio wrote: > Some AV vendors have posted their 'is-the-game-over-or-not' type > response. > > F-Secure: http://www.f-secure.com/weblog/archives/00001949.html > > Trend: > http://countermeasures.trendmicro.eu/you-just-cant-trust-a-drunk/ > > Sophos: > http://www.sophos.com/blogs/gc/g/2010/05/11/khobe-vulnerability-game-sec urity-software/ > > ESET: > http://www.eset.com/blog/2010/05/11/khobe-wan-these-arent-the-droids-you re-looking-for > > Juha-Matti > > Jeffrey Walton [noloader@...il.com] kirjoitti: >> >> Hi , Also known as a TOCTOU binding flaw (thanks GDM). >> http://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf >> (dated 1996). >> >> Jeff >> > On Wed, May 5, 2010 at 3:14 AM, www.matousec.com - Research > <researchmatousec.com> wrote: >>> Hello, >>> >>> We have found number of vulnerabilities in implementations of >>> kernel hooks in many different security products. >>> > --clip-- > > _______________________________________________ Full-Disclosure - We > believe in it. Charter: > http://lists.grok.org.uk/full-disclosure-charter.html Hosted and > sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists