In his latest Project Zero blog post, Google researcher Tavis Ormandy writes about flaws found in Kaspersky AV, also complimenting them on their extremely fast turnaround in closing those bugs. Then he shows a so-called dark web page where AV exploits are being sold. http://googleprojectzero.blogspot.com/2015/09/kaspersky-mo-unpackers-mo-problems.html Just interesting reading for AV enthusiasts. Just to add that Ormandy is finding that malware is using the hooks in the AV to deliver its package.
Yes, and the AV can apparently be used to plant malware because of its system hooks. There needs to be more anti-exploit capability built into the CPU and kernels to avoid these situations. http://arstechnica.com/security/201...y-av-can-make-you-more-vulnerable-to-attacks/
Just like any other software running on a machine, AVs can also increase the attack surface. Since AVs run with the highest privileges, that's even more problematic than other software (like browsers) being exploited. As long as those exploits are used only in targeted attacks, ordinary users should not worry about it. OTOH, if you practice safe computing you probably don't need to run a real-time AV anyway.
From the above article: "Ormandy recommended that AV developers build security sandboxes into their products that isolate downloaded files from core parts of the computer operating system." Well, some AV products already have them. ESET's advanced heuristics use a virtual sandbox. I believe Avast also now has one. Perhaps he was referring to installed apps that were downloaded? This is something that should have been part of the Windows OS since day one. Think Unix and its protégé, Linux.
He said he was going to be looking at a couple of other AVs in the near future, though I can't find that post. Here are a couple of posts about ESET from July and a recent one about Avast. He gets hold of the vendor right away and lets them know they have a problem. His Twitter feed is very interesting to follow.

Tavis Ormandy @taviso, Jul 1: Another curious ESET bug, modifying the IAT at runtime can break out of the emulator. https://code.google.com/p/google-security-research/issues/detail?id=470

Tavis Ormandy @taviso, Jun 30: Remote heap overflow in ESET parsing symbian installation files (!?!) https://code.google.com/p/google-security-research/issues/detail?id=466

Tavis Ormandy @taviso: Srsly Avast? If you're gonna mitm chrome's SSL at least get an intern to skim your X.509 parsing before shipping it. https://pbs.twimg.com/media/CPwO10HUsAAJ96F.png
ESET fixed those two bugs real quick. One they already knew about. I believe Avast is only one among many (ESET, Kaspersky and two others I know of) that have SSL protocol scanning options. As has been previously pointed out by a number of security entities, none of the vendors are doing it properly. Actually, Avast was one who came closest to getting it right... The whole subject can be summarized as "which is the lesser of two evils?"
The feed is very interesting to follow though, don't you agree? Tavis also has a blog, 'Project Zero'. It's like Google has an employee whose job is to help AV vendors. Pretty cool.
This sounds a bit weird; virtual sandboxes won't do anything to block or mitigate exploits in the security software itself. I think Ormandy meant that sandboxing must be built into the AV, to harden the AV against attacks, similar to the Chrome and Edge sandboxes.
Both of the ESET issues were memory-related vulnerabilities: heap spraying and IAT modification. Sandboxing would not have prevented those attacks.
Could EMET help here with the memory-related vulnerability issues, or would that just cripple the OS entirely? How would AVs work on an OS if they employ memory vulnerability tweaks such as the ones mentioned above, or ones mentioned in the EMET GUI? We already allow AVs to run rampant on our OS (even with custom settings tailored to individual needs); when is enough really enough? The more I read about this stuff, the more I am convinced that application black/whitelisting, along with DLLs and drivers, is the way to go...
Yes, I understood it that way also. But this would be much harder, as AVs run with admin and system privileges. OTOH Chrome runs with medium and untrusted privileges. Also, if an AV's driver gets exploited, there could probably be no sandbox built into the AV that could contain that.
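The broker-plus-sandboxed-worker split that the last few posts argue about (Ormandy's "build the sandbox into the AV" reading, and the objection that the AV itself runs as SYSTEM), as an added example that is not from this thread and not any vendor's code. The privileged broker never touches untrusted bytes: it forks a worker, the worker lowers its own resource limits and, when the broker was started as root, switches to an unprivileged account, and the broker treats a worker that dies as a finding rather than as a crash of the AV. The archive format is a made-up toy format, the `nobody` account and the limit values are assumptions, and the sample files are constructed. The toy unpacker keeps two classic unpacker bugs on purpose (trusting a declared size when allocating, and following an offset with no cycle check) so the sandbox has something to contain. It needs a POSIX system; the CPU cap relies on SIGXCPU terminating the worker, as it does on Linux.

```python
"""Broker / sandboxed-worker split for an AV unpacker (added example, POSIX only).
The privileged broker never parses untrusted bytes; a forked worker does, with
lowered rlimits and (if started as root) the uid/gid of SANDBOX_USER."""
import json
import os
import pwd
import resource
import signal
import struct

MAGIC = b"TOYA"                   # toy format: magic, then records (assumption)
MEM_LIMIT = 1024 * 1024 * 1024    # worker address-space cap (assumption)
CPU_SECONDS = 2                   # worker CPU cap (assumption)
SANDBOX_USER = "nobody"           # used only when the broker runs as root


def parse_toy_archive(blob):
    """Naive unpacker. Record: name_len (u8), name, field (u32 LE).
    High bit of field set: low 31 bits are an offset to continue parsing from
    (no cycle check). Otherwise field is a data length, trusted when allocating.
    Both bugs are deliberate: they stand in for real unpacker bugs."""
    if blob[:4] != MAGIC:
        raise ValueError("bad magic")
    off, entries = 4, []
    while off < len(blob):
        nlen = blob[off]
        off += 1
        name = blob[off:off + nlen].decode("ascii", "replace")
        off += nlen
        field = struct.unpack_from("<I", blob, off)[0]
        off += 4
        if field & 0x80000000:
            off = field & 0x7FFFFFFF          # continuation record
            continue
        buf = bytearray(field)                # allocates the declared size
        chunk = blob[off:off + field]
        buf[:len(chunk)] = chunk
        off += field
        entries.append([name, len(buf)])
    return entries


def _enter_sandbox():
    """Worker only: drop privileges if root, then lower our own limits."""
    if os.geteuid() == 0:
        pw = pwd.getpwnam(SANDBOX_USER)
        os.setgroups([])
        os.setgid(pw.pw_gid)
        os.setuid(pw.pw_uid)
    signal.signal(signal.SIGALRM, signal.SIG_DFL)       # default action: terminate
    signal.signal(signal.SIGXCPU, signal.SIG_DFL)
    resource.setrlimit(resource.RLIMIT_AS, (MEM_LIMIT, MEM_LIMIT))
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    resource.setrlimit(resource.RLIMIT_FSIZE, (0, 0))   # cannot write files
    resource.setrlimit(resource.RLIMIT_NPROC, (0, 0))   # cannot fork further
    signal.alarm(CPU_SECONDS + 3)                       # wall-clock backstop


def scan_in_sandbox(blob):
    """Broker side: parse blob in a disposable worker and classify the outcome."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                                        # worker
        os.close(rfd)
        try:
            _enter_sandbox()
        except Exception:
            os._exit(3)
        try:
            entries = parse_toy_archive(blob)
        except MemoryError:
            os._exit(2)
        except Exception:                               # malformed input
            os._exit(1)
        os.write(wfd, json.dumps(entries).encode())
        os._exit(0)
    os.close(wfd)                                       # broker
    out = bytearray()
    while chunk := os.read(rfd, 65536):
        out += chunk
    os.close(rfd)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):                          # crash, SIGXCPU, SIGALRM, ...
        return {"verdict": "suspicious",
                "reason": f"worker killed by signal {os.WTERMSIG(status)}"}
    code = os.WEXITSTATUS(status)
    if code == 0:
        return {"verdict": "clean", "entries": json.loads(bytes(out))}
    if code == 2:
        return {"verdict": "suspicious", "reason": "worker hit memory limit"}
    return {"verdict": "error",
            "reason": "parser rejected input" if code == 1 else "sandbox setup failed"}


def _record(name, field, data=b""):
    return bytes([len(name)]) + name + struct.pack("<I", field) + data


# Constructed sample inputs (not real files, not real malware).
BENIGN = MAGIC + _record(b"hello.txt", 5, b"hello")
BOMB = MAGIC + _record(b"big.bin", 0x7FFFFFFE)          # declares ~2 GiB of data
LOOP = MAGIC + _record(b"", 0x80000000 | 4)             # record pointing at itself
BAD_MAGIC = b"NOPE" + BENIGN[4:]

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("bomb", BOMB),
                          ("loop", LOOP), ("bad magic", BAD_MAGIC)]:
        print(label, scan_in_sandbox(sample))
```

Run it directly and the benign file comes back clean, the declared-size bomb is stopped by the address-space cap, the self-referencing record is killed by the CPU limit, and in every case the broker is still alive to report it. This only contains the user-mode parser: as the post above says, a bug in the AV's kernel driver is reached before any such sandbox and nothing here helps with that, and a production worker would add a syscall filter (seccomp, AppContainer or similar) on top of plain rlimits.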
See also the last few slides (Recommendations for AV companies) from the presentation Breaking Antivirus Software: https://www.wilderssecurity.com/threads/breaking-av-software.362274/
Antivirus software could make your company more vulnerable http://www.pcworld.com/article/3020...-could-make-your-company-more-vulnerable.html
Interesting how the author never mentions the number of past and present whitelisting bypasses in existence:

"One technology that could either complement or replace antivirus programs entirely in high-risk environments is application whitelisting, which only allows pre-approved applications to run on a computer. The U.S. National Institute of Standards and Technology recently encouraged the use of such protection mechanisms, which are available in some operating systems by default, and even released a guide with recommended practices."

The bottom line is that every complex piece of software developed has vulnerabilities. The most common are backdoors that were inserted into the code for test purposes and that were not removed prior to implementation. The AV industry's existence relies on its delivery of reliable software. Just ensure you have a product installed from a reliable, AV-lab-test-verified, and time-proven vendor.