PrevX Vulnerability Test Released

http://www.ghostsecurity.com/index.php?page=prevx

I have released a small test program which will show a vulnerability in PrevX (Home and Pro). The test is a simple EXE which you can run if PrevX is installed.

I have been in contact with the developers for a few days now, however they don't seem to be interested in my findings. After receiving an automated support email 2 days later I finally got in contact with someone there. They did thank me for my feedback (basically ending the discussion) even before I had divulged the details of it. Hopefully once PrevX end-users begin to understand that there is issues with the software, the developers will be more willing to fix the issues at hand.

I have no problem with the developers of PrevX and I admire the software from a technological standpoint. Hopefully this will be a benefit to the PrevX users somewhere down the line.

 

doesn't matter, it seems now that prevx is vulnerable for this kind of "exploit" ...

 

I know the developers sometimes respond to genuine problems by just fixing the issue, and there's an early beta coming up very soon, so hopefully that's the only reason for their lack of response. Thanks, Jason!

 

Let's hope this is the case here.

 

Hi guys

I wanted to explain this situation from the perspective of Prevx Technical Support. It is not my intention to be confrontational as this kind of feedback you are giving is invaluable to us.

Jason sent in 3 one liner emails to us, the first one mentioning a 'problem'. One of my support engineers replied with a detailed standard email asking for more information. The reply from Jason came back saying he thought our driver was 'poorly coded'. At this point it was escalated to me and I replied asking why he thought it was poorly coded and what the issue was and to see if I could help. The reply came back that Jason had found 'vulnerabilities'.

It seemed to me at that point that the information wasn't going to be provided to me in a straightforward manner, so I replied simply and politely thanking Jason for his feedback, hoping he would either reply to me directly with his findings or post a thread here or on his own site. I was aware all the time of Jason's involvement with Diamond CS and Ghost Security, and of his high standing in this community. So here we are.

We at Prevx care a great deal about our users and our user feedback, as can be witnessed by multiple threads in forums throughout the security community (and my verbose reply here!) , and some of you in this thread will bear witness to that fact. As a sign of our commitment, we provide and always have provided live support for our freeware product, unlike most freeware providers. We encourage users to help us with beta programs and always take note of and input user feedback into our development efforts. I think we're all on the same side here.

I am very grateful to Jason for raising this valid vulnerability in our current driver. I am happy to tell you that our latest driver coming out of development already fixed this vulnerability. The message coming back from Jason's exe when run with Prevx running says 'If you can see this then the test has failed. Either you don't have Prevx or they have fixed the vulnerability.'

Notok mentions above our brand new product currently in development, and he is quite right about this, it's a massive development effort, but it isn't deflecting me from customer support and focus. The new product will be launched end March/early April. I will be inviting users to join our Beta Program for this substantial ground-breaking release in the next week or two, I would be honored if you guys would take part and help out. Keep an eye on our official Prevx forum for the Beta Program announcement.

Finally many thanks to Jason for making the effort and taking a forthright approach to this, it is very much appreciated by us here at Prevx.

Regards

Pete
Prevx Support Team

 

Hi Pete, yes I sent one line emails initially just because I am very busy and obviously what more do you need to know than "your driver has vulnerabilities in it" ? Usually when someone says "thanks for your feedback" that is the end of the conversation, and I understood that to be the case as obviously you did then? I guess this attitude was due to a new product being released soon and you can't really do anything about the existing version.

I'm glad your future product(s) fix the vulnerability, I'll give it a test once it is publically released.

 

Hi Jason, no I wasn't intending to end the conversation, just very busy myself and didn't want to keep bugging you asking the same question over and over.

Thanks for your support Jason.

Pete