In the newsgroup comp.security.firewalls there is a lengthy thread about Online Armor. Some guys participating in this thread claim serious vulnerabilities in OA: these alleged vulnerabilities seem to be different from the user-mode hooks issue in older OA versions criticized by Matousec. I think all OA users (I'm using OA Free myself) would be highly interested in reading a clarifying comment by Mike.
The interesting thing to note is that the person who made these allegations is insisting that the OP's machine is infected, with the sole reason behind his claim being that the OP uses Outlook. I'd take this kooky nutcase with a grain of salt. That being said, does anyone have OA and Winspector/Spy++ installed? He does claim that this vulnerability is trivial to discover.
More complex than that. I see three knowledgeable persons trying to convince alex s that serious design flaws in OA are a vulnerability, even if no exploit is known.
It's just the hidden windows that can be discovered by Spy++. There is no vulnerability as long as OA controls its message queue. I guess this is somebody who read something somewhere, but does not understand the nature of this "vulnerability". As far as I see, OA doesn't accept unauthorized messages from foreign applications, so it is not vulnerable by the mere fact that it has hidden windows. The other point, "insufficient parameters validation", must be clarified.
There were hooks issues with OA even in kernel mode, because we didn't sufficiently validate for all cases. This was fixed long ago, as Alex pointed out. In fact, I think pretty much anyone on our beta team would have access to the info, because there are folks on there that like to run all sorts of tests on OA. As far as other issues are concerned: OA validates data going to its process and tightly controls it, including messages. OA does not even accept messages from other processes, so IMHO it's a theoretical issue at best that I'm confident we handle. I certainly have not refused to "fix" this. I got an email from the guy, we checked it out and found it incorrect. Nothing to fix. If I get any info that there's any sort of legitimate vulnerability, I look into it immediately.
Just as a follow-up: we've assumed now for two years that malware will try to target OA; it's why we invest so much effort in tamper protection, to stop other processes messing with us.
Just as a side note to all this, there were, and it looks like there still are, a few guys in that newsgroup who just live to bash any and all software firewalls. If you hang out there for a while and watch the "discussions", you will quickly see which ones they are, and learn to more or less overlook their presence. They seem somewhat intelligent on the surface, and perhaps they are, but you will never convince any of them that a software firewall is a good thing. So I'd take what they say pretty lightly... just my 2 cents.
Have you been participating at that newsgroup for any length of time? If not, allow me to point out that bullshitting idiots often sound exactly the same as knowledgeable persons. And I can tell you at least one of them is the former.
Take it all with a grain of salt. And their disappointments are not just limited to firewalls, you know. Every single time an especially exceptional security program surfaces, and knowledgeable users pick up on it and then share their joy and satisfaction, the critics come running to the aid of their malware-making brothers, or if nothing else try every conceivable measure to point to the tiniest vulnerability as some earth-shattering defeat that will never be overcome. Bahhh!! I say. You guys know it all too well, those of you who have been around quite a while: it's the classic jealousy complex. Hey, but on the other hand genuine scrutiny is GOOD, and professionally minded developers love it, because they as well as their customers benefit from their craft being hammered on with everything including the kitchen sink. And that is why Windows users today enjoy such a greater measure of security, never before realized.
Those folks do seem knowledgeable at that newsgroup; however, they seem to have an almost arrogant attitude to those less knowledgeable, and with a different view to themselves, rather like how the Jesuits behaved in the middle ages. They also strike me as the sort to cut off the arm if the finger has a splinter. I see this in antivirus newsgroups too, where formatting is the only prescribed method if you've been infected with a virus. They don't believe in levels of infection or containment or limited damage. ellison
Anything concerning a possible vulnerability against any security software is of interest to me (certainly more on the side of a firewall). I have in the past attacked OA (from the point of attacking as malware against OA), but did not see this (and yes, I looked at this reported attack possibility before that post was made). I don't at this time feel a personal need to look further into this than I already have, but if anyone has a POC on this, please advise; I will certainly take time to re-check.
Me too. You don't consider MS guidelines relevant here? I would assume that anyone with a POC of a vulnerability in a security product would report this to Secunia.
The MS guideline is completely irrelevant here, because it is only relevant to regular Win32 services without HIPS functionality. MS guides developers not to rely on Windows security here, because by sending some messages to services (WM_TIMER, WM_SETTEXT, etc.) it is possible to execute a piece of code with elevated rights. But a HIPS is a system that exists to close the holes in Windows security; it doesn't rely on Windows security, and this is why the MS guideline is irrelevant in such a case.
To add to alex_s, I take little notice of what MS states; they change stance too many times for my liking. The assumption is (unfortunately) incorrect.
Mike, first of all: thanks a lot for your response! I see, and I have no reason to question your statement. Nevertheless, although I, too, regard these guys in the quoted thread as rude and narrow-minded, don't they have a point when they say it's better to avoid possible problems from the outset by running a non-interactive privileged service and a GUI with user privileges? Wouldn't it make sense to minimize the attack surface a priori instead of relying on measures that prevent possible attacks that wouldn't exist otherwise? (BTW: this philosophy is also the main reason why I'm one of the few proponents of a limited user account.) There are firewalls/HIPS that work this way, like CPF or SSM. Is there a special reason why you did it differently?
In some special cases, we want to display a popup when the GUI is not running. It's something we discuss from time to time whether or not we still require it, or should replace with a default allow/default deny method of operation. So far, we've always decided to leave it in.