Matousec Discloses Critical Vulnerability in ALL HIPS

Discussion in 'other firewalls' started by ace55, May 5, 2010.

Thread Status:
Not open for further replies.
  1. Those won't provide any sort of protection though, only tell you when you're (probably) infected... Right? :doubt:

    Re-examining the original article it looks like a combination of LUA, whitelisting, and several on-demand scanners might still work - just prevent anything whatsoever from executing unless you know it's trustworthy, thereby preventing the issues from cropping up in the first place. I'm not quite sure if I'm right about that though.

    (Also I'm not sure how e.g. SuRun works, and if it might be vulnerable in the same way.)
  2. m00nbl00d

    m00nbl00d Registered Member

    I did say...
    But, that's not the case. Matousec simply wrote the article explaining how to make use of such security flaws. Why? So Matousec can say: I saw it first.

    Anyway... one more among many other articles spread all over the Internet.
  3. bellgamin

    bellgamin Very Frequent Poster

    An FIC (File Integrity Checker) tells you if a key file or registry item has been changed. That may or may not indicate an infection. FIC is a thoughtful person's tool.

    FIC + DiskImaging (DI) software = great protection. To deal with an inexplicable change reported by your FIC, simply restore a clean image and POOF! you are good to go.

    FIC+DI is security of last resort. FIC+DI is the killing field for dealing with orcs & barbarians who have breached your castle's outer wall.
  4. Kees1958

    Kees1958 Registered Member

    :argh: :argh: :argh: :argh: :argh: :argh: :argh: :argh: :

    Matousec tests on XP 32 bit, let's shock the world and publish a scoop about a win95 flaw

    He works for Microsoft now, mmhhh somebody said x64 kernel patch protection :thumb: :thumb: :thumb:
    Last edited: May 6, 2010
  5. dirsweld

    dirsweld Registered Member

    When I looked into FIC last night, it seemed way over my head, since it would require knowing what the processes meant. On the other hand, if there were an easy way to look up each one, it would be a way to learn more about how Windows works.

    Is there a more automated way to do the same thing? Does a program like Threatfire track the same kind of changes to the system that are suspicious?
    Last edited: May 6, 2010
  6. MrBrian

    MrBrian Registered Member

    Here are a few responses from security product vendors.
  7. sunoracle

    sunoracle Registered Member

    The only way to guarantee that a backup cannot be infected is for it to be completely offline and static.
  8. bellgamin

    bellgamin Very Frequent Poster

    Not as far as I know.

    No. However, with TF you can make advanced rules to protect specified files & registry items. If you do, TF will notify you in real time of each change that is about to happen to a protected file or registry item. That approach works well but can be a PITA during software updates, Windows patches, new installs etc. A FIC is a lot easier to deal with IMO.

    In most cases it is fairly easy to use an FIC to spot EXPECTED changes such as those that ensue from software updates, Windows patches, new installs, etc. These expected changes are easily confirmed, & (unlike TF) do not interfere with your use of the computer during real-time.

    There will actually be only a relative few UNexpected changes that need you to undertake further research. One excellent source of advice/help is, of course, this forum. A goodly number of Wilders denizens are very well informed & helpful.

    However, you can find 95% of the answers you need, process by process, by doing a wee bit of online research. There are several sources of easy-to-understand info for doing such research. These include but are not limited to . . .
  9. Watasha

    Watasha Registered Member

    Have you guys not figured out that "revelations" like this happen every so often and are never as bad as they're made out to be? Everybody panics and the whole security world flies into a tiz....meanwhile the vendors have the devs fix the issue and we all move on to the next "crisis". Security evolves people, it's not the end of the world. o_O
  10. dirsweld

    dirsweld Registered Member

    You are a little late Watasha, check the last couple of pages.
    Last edited: May 7, 2010
  11. bellgamin

    bellgamin Very Frequent Poster

    Herewith the Matousec T-shirt . . .

    [attached image: ScrHunt01 06-May-10.gif]
  12. dirsweld

    dirsweld Registered Member

    Thanks for the links, Bellgamin, I bookmarked them, and just loaded Tiny Watcher. I'm using 7 x64, is it okay that Tiny Watcher is not 64bit?

    If Tiny Watcher gives me information I can decipher, this should be an education.

    If I get stuck, where would be a good place on Wilders to post a question about a process?
    Last edited: May 7, 2010
  13. bellgamin

    bellgamin Very Frequent Poster

    I do not know.

    I think Malware Problems & News would be the likely forum.
  14. Franklin

    Franklin Registered Member

    First pic - running in a default sandbox.

    Second pic - trying to run in a start/run restricted sandbox.
  15. doktornotor

    doktornotor Registered Member

    But.... but.... how come that no earthquake? o_O :'( :D
  16. doktornotor

    doktornotor Registered Member

    On a side note...

    Yeah... the idea is really simple. It's been described in detail in 1996. ;)

    Reference: Bishop, Dilger: Checking for Race Conditions in File Access (PDF).

    Finally, wrt the sky is falling and everything's affected ("the list would be endless" claims by Matousec), I suggest reading section 5 of the above PDF, which explains why such bombastic claims are plain wrong.
  17. Kees1958

    Kees1958 Registered Member

    Franklin thanks,

    So they tested DefenseWall while trusting their testing tool :argh: :argh: :argh: Matousec :argh: :argh: :argh:
  18. Franklin

    Franklin Registered Member

    Older version Gizmo's giveaway Defensewall running the Matousec tool as untrusted.
  19. NoIos

    NoIos Registered Member

    Password-protected, compressed and encrypted images cannot be infected even if you hit them with all the malware in the world. Also consider that on a Linux machine you must have write rights on the files to be able to change or delete them. So I think you are wrong. Only theoretically is this possible, but in theory everything is possible where security issues are concerned.

    ps: in any case, like I said in another post, I also do offline backups. And I hate to be off topic, so please let's leave the whole backup thing for another thread another time. There I could explain everything, because I have not explained things in detail and normally many questions or doubts come to the surface. Things are sometimes a bit more complicated.
    Last edited: May 7, 2010
  20. andyman35

    andyman35 Registered Member

    Images from the likes of Macrium Reflect are read-only so can't be infected after the event AFAIK.
  21. stackz

    stackz Registered Member

    Matousec's BSOD Hook is just a simple hook parameter fuzzer; basically it just tests whether the hook handler is validating parameters passed to it. It does not test for race condition pointer/handle tampering.
  22. noone_particular

    noone_particular Registered Member

    More sensational noise by Matousec. This "vulnerability" is based on the same assumption that his leaktests are, that the user and system configuration has allowed this test or malicious code that uses this method to run. Any security package that properly enforces a default-deny security makes this "vulnerability" worthless.
  23. falkor

    falkor Registered Member

    So. Pretty much everyone in this thread is paranoid and amazed at the article? You guys are priceless. The paranoia in this forum is pretty sad. You actually thought that any HIPS or, for that matter, AV and firewall are bulletproof? You think because you have been running a HIPS you were safe until reading this article? Lol. You guys are as bad as the water bottles found in NYC today and everything shut down in the area. Well, I suggest removing any HIPS you may be running just to feel on the safe side. This guy has everybody pissing and moaning about his tests, so now he shows another way to gain some respect. I think that while you are at it, you should remove any and all security software from your system because they will all have some sort of vulnerability. :rolleyes: :cautious: Good luck from attacks, guys and gals. Seems like most of you are under attack all the time. I am glad that paranoia stuff is not in the water I drink. Lol. I know this will anger many, but get over it. Because I am putting it bluntly, most take offense. Facts are facts. This article should be common knowledge, in theory, to ANYONE capable of using a computer. This thread was actually humorous to read. Ease back, remove your precious layered defenses and then these articles will not bother you. :argh: I really hate to see anyone new here read this thread and think they can never go online because HIPS has a vulnerability. Oh. Be sure to switch to an AV that scores better than yours in the next AV-Comparatives test.
  24. Gen

    Gen Registered Member

    If I understand well how a FIC works, I can make the following comparison:

    1) a HIPS will detect a change at the time it is taking place
    2) a FIC will detect the change after it took place

    Following this reasoning I can assume that if you have a HIPS you don't need a FIC, and if you are relying on LUA+SRP then a FIC will be a great addition.

    Do you agree or am I way off with the reasoning?
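The FIC that bellgamin describes and Gen contrasts with a HIPS is simple enough to show in full. The block below is an example written for this thread, not Tiny Watcher or any other product: it takes a baseline of SHA-256 hashes and sizes for a directory tree, stores it as JSON, and later reports which files were added, removed or modified. The directory layout, file names and the "drivers\evil.sys" change are constructed inline so the script runs offline; the policy of what counts as an expected change is left to the person reading the report, exactly as in bellgamin's workflow.

```python
"""Minimal file integrity checker (FIC): baseline, store, compare.
Added example for this thread; not Tiny Watcher or any vendor's tool."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Baseline: relative POSIX path -> {sha256, size}. Symlinks are recorded by
    their target and not followed, so a planted link cannot substitute a file."""
    base = {}
    for dirpath, dirnames, filenames in os.walk(root):   # followlinks=False by default
        dirnames.sort()
        for name in sorted(filenames):
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                base[rel] = {"symlink": os.readlink(p)}
            else:
                base[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return base


def compare(baseline: dict, current: dict) -> dict:
    """Report the three kinds of change a FIC can see after the fact."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then make one expected change
    (an update rewrites app.dll), one unexpected addition (a new .sys under
    drivers) and one unexpected deletion (hosts). Returns the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "System32" / "drivers").mkdir(parents=True)
        (root / "System32" / "app.dll").write_bytes(b"version 1")
        (root / "System32" / "drivers" / "disk.sys").write_bytes(b"disk driver")
        (root / "hosts").write_bytes(b"127.0.0.1 localhost\n")

        # The baseline is serialised so it can be kept off the monitored machine
        # (or on read-only media); a baseline the malware can rewrite is worthless.
        stored = json.dumps(snapshot(root), sort_keys=True)

        (root / "System32" / "app.dll").write_bytes(b"version 2")            # expected
        (root / "System32" / "drivers" / "evil.sys").write_bytes(b"planted")  # unexpected
        (root / "hosts").unlink()                                             # unexpected

        return compare(json.loads(stored), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {paths}")
```

The report only tells you that something changed, which is Gen's point: the HIPS asks at the moment of the write, the FIC reads the result afterwards. It is the operator who decides that "System32/app.dll" modified on patch day is expected and "System32/drivers/evil.sys" added is not.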
  25. Andy S

    Andy S Registered Member

    David Matousec - liar and thief

    I suggest we talk about a more important subject. Why do I think David Matousec is a liar and a thief? And that there is no place in the scientific security community for people like him.

    I suggest redistributing this information as far as you can.

    David Matousec published a "new" advisory and named it "KHOBE - 8.0 earthquake for Windows desktop security software". The reality is -- there is nothing new. Moreover, this research was stolen.

    He was not lazy: he created a new name for a thing that was known very long (veeeery long) before his article, and wrote that he, as a k-rad security researcher, had found a really new, critical problem. Found... Where? In Google? Is he stupid, or does he think other people are really stupid? Heh, I noticed before that all "his" tests look like they were written by students under his lead. Maybe one of those students found a "yearly essay" on the Internet and just crossed up his "scientific adviser"? To publish research made by other people as his own, research that was made between 7 years ago (actual proof for NT-based systems, see below) and 14 years ago (1996: a theoretical, fundamental investigation -- PDF, 64kb), and not be afraid to publish this to seclist (but what do you say about this article, published on the same resource 7 years ago?), and not forget to remind everyone (including security vendors) that this "new" problem can be fixed if they pay him. Just pay to get access to the second and third parts of the documentation... I advise all vendors to get access to these parts absolutely for free. Just search Google for the original name (not the "new" name from Matousec) of this type of attack -- TOCTTOU (Wiki).

    TOCTTOU flaws (TOCTTOU = time-of-check-to-time-of-use).

    David Matousec stole his research from this article / other link (published 30 Dec 2003, about 7 years ago).

    Name: TOCTOU with NT System Service Hooking
    Author: Andrey Kolishak <> (Russian security researcher)

    David Matousec did not publish any sources or examples. Heh... They were published 7 years ago. By the original researcher.
    Please see here: TOCTOU with NT System Service Hooking Bug Demo.

    Here is more scientific research for *nix systems (2005): PDF (346 kb), with pictures, schemes, calculations and so on.

    Do not allow COMMERCIAL deceivers and thieves into the scientific security research community!
    Last edited by a moderator: Dec 24, 2011
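Three posts in this thread circle the same mechanism without showing it: doktornotor's Bishop/Dilger reference on race conditions, stackz's remark that a parameter fuzzer does not test "race condition pointer/handle tampering", and Andy S's pointer to Kolishak's "TOCTOU with NT System Service Hooking". The block below is an added example for this thread, not Matousec's tool, Kolishak's demo or any vendor's driver: it models a hook that validates an argument buffer it does not own, a second thread that rewrites that buffer between the check and the use, and the hardened form that captures the argument once and works only on the copy. The "drivers" policy, the buffers and the two threads are all hypothetical; the events are there only to force the interleaving deterministically, where a real attacker would spin and retry.

```python
"""Time-of-check-to-time-of-use (TOCTTOU) in a system-service hook, simulated.
Added example for this thread; not Matousec's, Kolishak's or any vendor's code."""
import threading

FORBIDDEN_PREFIX = b"C:\\Windows\\System32\\drivers\\"   # hypothetical HIPS policy


def is_forbidden(path: bytes) -> bool:
    return bytes(path).startswith(FORBIDDEN_PREFIX)


def original_service(path: bytes, log: list) -> None:
    """Stand-in for the real system service: records the path it acted on."""
    log.append(bytes(path))


def vulnerable_hook(user_buf: bytearray, log: list, after_check) -> bool:
    """Checks the caller's buffer in place, then passes the *same* buffer on.
    Returns True if the call was allowed through."""
    if is_forbidden(user_buf):           # time of check: first read of caller memory
        return False
    after_check()                        # window in which another thread can run
    original_service(user_buf, log)      # time of use: caller memory is read again
    return True


def hardened_hook(user_buf: bytearray, log: list, after_check) -> bool:
    """Captures the argument once into memory the caller cannot modify, then
    checks and uses only that captured copy."""
    captured = bytes(user_buf)           # the single read of caller memory
    if is_forbidden(captured):
        return False
    after_check()
    original_service(captured, log)      # rewriting user_buf no longer matters
    return True


def run_race(hook, benign: bytes, evil: bytes):
    """Runs one hook with a second thread that rewrites the shared argument
    buffer exactly between the hook's check and its use.
    Returns (allowed, path the service actually acted on, or None)."""
    user_buf = bytearray(benign)
    log = []
    checked, swapped = threading.Event(), threading.Event()

    def attacker():
        checked.wait()
        user_buf[:] = evil               # overwrite the shared buffer in place
        swapped.set()

    def after_check():
        checked.set()
        swapped.wait()

    t = threading.Thread(target=attacker)
    t.start()
    allowed = hook(user_buf, log, after_check)
    if not allowed:                      # hook refused before the window; release the thread
        checked.set()
    t.join()
    return allowed, (log[0] if log else None)


def policy_bypassed(hook) -> bool:
    """True if the protected service ended up acting on a forbidden path."""
    allowed, acted_on = run_race(hook, b"C:\\Users\\alice\\notes.txt",
                                 FORBIDDEN_PREFIX + b"evil.sys")
    return bool(allowed and acted_on is not None and is_forbidden(acted_on))


if __name__ == "__main__":
    for name, hook in (("vulnerable", vulnerable_hook), ("hardened", hardened_hook)):
        print(f"{name:10s} bypassed={policy_bypassed(hook)}")
```

This is also why stackz's distinction matters: a fuzzer that throws bad parameters at `vulnerable_hook` sees every bad value rejected, because the check itself is fine. The defect is that the value is read twice, and only an interleaving test like `run_race` shows it.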