Matousec Discloses Critical Vulnerability in ALL HIPS

Discussion in 'other firewalls' started by ace55, May 5, 2010.

Thread Status:
Not open for further replies.
  1. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Check Point response to: KHOBE – 8.0 earthquake for Windows desktop security software

     
  2. BrianW

    BrianW Registered Member

    Joined:
    Sep 23, 2006
    Posts:
    2
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Nice find :).

     
  4. mhl6493

    mhl6493 Registered Member

    Joined:
    Apr 20, 2010
    Posts:
    230
    Location:
    Tennessee
  5. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    It has actually already been discussed here..... :)
    The 64bit OSs with patchguard have not been tested by Matousec nor are they affected by the vulnerability. You have to disable the patchguard protection.

    One more piece of evidence that this vulnerability has been known for some time, nothing new was uncovered and the test has been performed not using advanced features available in some security solutions = Ad-hoc distorted testing to get some visibility ;)
     
    Last edited: May 14, 2010
  6. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    Microsoft: MSE safe from Windows kernel hook attack
     
    Last edited: May 14, 2010
  7. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Finally some vendors are starting to research the issue and fix it.
    I see nothing wrong if matousec can give "the pie" already cooked for money. I mean you get money for your work usually.
    The issue being publicly revealed can be researched and fixed by the vendor itself. It is just a question of will and respect towards their users.
    It seems Zone Alarm moved quick, I like that.
    Now let's see the others :)
     
  8. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Moved quick, LOL?! The option has been there since version 9, i.e. August 2009 ;)
     
  9. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
  10. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen
    I wish to have very soon an answer from Comodo, Online Armor, Malware Defender.
     
  11. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
  12. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    OnlineArmor's thread about this vulnerability has been responsive but not very encouraging. Thus far they indicate an inability to replicate the issue.

    I tried to post a discussion of this issue in OA's forum but I was inhibited by the fact that OA's forum prohibits all external links. (They do allow links just as long as the links are broken, non-functional hppx links. Sigh)

    Here is the gist of what I tried to post there...
     
  13. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,972
  14. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    So what are we to believe regarding GeSWall's ability to handle this vulnerability?
     
  16. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen


    Hi bellgamin, thanks for your answer. ;) I already read some of your linked articles, not yet those of the GeSWall blog. The power of Wilders Forums is also the continuous exchange of opinions, ideas, links... between the users. :)
     
  17. qpok

    qpok Registered Member

    Joined:
    Apr 3, 2008
    Posts:
    63
    The blog post by G Data is especially good. Seems that Matousec is doing itself more harm than good with the way they handled this vulnerability. And this way they certainly aren't building a good reputation in the AV community either.
     
  18. guest

    guest Guest

    Of course the affected software vendors will try to make you think that Matousec (or pretty much any other criticizer) is "totally wrong" (or at least "partially wrong", in case the arguments of the criticizer are strong, like in this case) and that nothing of importance was demonstrated on the reported issue...

    ...until they fix the reported issue. Then, they'll start to brag about "one more kind of protection offer" and act like their previous opinion that "nothing of importance was demonstrated by the issue" simply never existed.

    Boring. Already happened on several different occasions.
     
  19. Though I agree with you regarding security vendors, I must say that what Matousec has done - making the vulnerability and the method for exploiting it public knowledge, and then charging for info relating to a fix - basically amounts to a kind of extortion, and is IMHO very unethical. If they wanted to make money off of this vulnerability, they should have at least kept it out of public sight so the script kiddies couldn't get their filthy hands on it.
     
  20. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    It seems to always be that way.
    In regard to the other test when PC Tools Firewall Plus went down so suddenly, the PC forum acknowledges the problem in a mature way. Seldom do I see that done. The vendors are always in the defensive mode and it is not a legit test until they do well.
    Regards,
    Jerry
     
  21. ace55

    ace55 Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    91
    I presume you mean someone from PC Tools acknowledging this problem on their forum? If so, do you have a link?
     
  22. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
  23. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    I approve of Matousec's decision to open the vulnerability codes to the public. I'm pretty sure the 'Bad guys' are as well educated as security vendors' researchers and Matousec's team. I'm not talking about amateurs whose skills spread no further than adding a string into /Run/RunOnce registry hive or using a malware kit - most probably they just won't understand what all this is about. It's good for users as it forces vendors to look for a solution to the problem. Let vendors have a worm in their tongues, it just makes 'em move faster and work harder and that's what their grumbles are. 8-D
     
  24. ace55

    ace55 Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    91