Tavis Ormandy vs. Antivirus - Discussion

Discussion in 'other anti-virus software' started by WildByDesign, Apr 29, 2016.

  1. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    I was reading about the bug Tavis found in Malwarebytes and MBAE updating over HTTP, and the possibility of hijacking that update mechanism. The blog post I read was from 2016, but I remembered reading something earlier from another security researcher saying something similar, two years earlier.

    this is the malwarebytes blog post: https://blog.malwarebytes.com/malwa...ebytes-anti-malware-vulnerability-disclosure/
    this is the link indicating a similar bug two years earlier: http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and

    I'm not sure if they are strictly the same bug, but it'd be a little scary if they let a bug like that go for two years without patching it until Google called them out.
     
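    The hijack the post above worries about, as an added example that is not part of the thread or of Malwarebytes' own update code: a client that fetches its update and a manifest of file digests over the same plain-HTTP channel gains nothing from the digest check, because whoever can replace the file can replace the manifest too; a manifest authenticated with a key the attacker does not hold is what stops it. The update format and names here are hypothetical, and HMAC-SHA256 with a vendor-only secret stands in for a real asymmetric code-signing signature so the block runs with the standard library alone (a shipping client would verify with a public key baked into the installer, never one fetched over the update channel).

```python
"""Added example (not from the forum thread or from any vendor's code): an update
fetched over plain HTTP with only a same-channel hash manifest is trivially
hijacked; a signed manifest is not.

Assumptions (hypothetical): file names, manifest layout, and the use of HMAC as a
stand-in for a vendor code-signing signature.
"""
import hashlib
import hmac
import json

# Hypothetical vendor signing secret; a real client would hold only a public key.
VENDOR_KEY = b"vendor-signing-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map each update file name to its SHA-256 digest."""
    return {name: sha256_hex(blob) for name, blob in files.items()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Authenticate the manifest over a canonical JSON encoding."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def unsigned_check(manifest: dict, files: dict) -> bool:
    """Naive client: trusts whatever manifest arrived and only compares digests."""
    if manifest.keys() != files.keys():
        return False
    return all(sha256_hex(files[name]) == digest for name, digest in manifest.items())


def signed_check(manifest: dict, signature: str, files: dict, key: bytes) -> bool:
    """Hardened client: refuses the manifest unless its signature verifies first."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False
    return unsigned_check(manifest, files)


def mitm_tamper(files: dict) -> tuple:
    """Attacker on the HTTP path swaps a file and recomputes the matching digest."""
    evil_files = dict(files)
    evil_files["update.dll"] = b"attacker payload"
    return evil_files, build_manifest(evil_files)


def demo() -> dict:
    # Constructed sample update; not real Malwarebytes data.
    genuine = {"update.dll": b"genuine update", "rules.db": b"signature rules"}
    manifest = build_manifest(genuine)
    signature = sign_manifest(manifest, VENDOR_KEY)

    # The attacker can rewrite file and manifest but cannot produce a valid signature.
    evil_files, evil_manifest = mitm_tamper(genuine)
    return {
        "unsigned_genuine": unsigned_check(manifest, genuine),
        "unsigned_tampered": unsigned_check(evil_manifest, evil_files),
        "signed_genuine": signed_check(manifest, signature, genuine, VENDOR_KEY),
        "signed_tampered": signed_check(evil_manifest, signature, evil_files, VENDOR_KEY),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

    The point of the two tampered cases: the digest-only client accepts the swapped payload, the signature-checking client rejects it. Moving the download to HTTPS helps against a network attacker, but the signature check is what protects against a compromised mirror or CDN as well.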
  2. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    That was for the free version yes but not the paid version, where you can enable self protection.
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  4. 142395

    142395 Guest

  5. truoc

    truoc Registered Member

    Joined:
    Dec 31, 2012
    Posts:
    35
    Location:
    United States
    What other products are known to do this? Anyone know? Just curious.

    Does Webroot do this?
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
  7. 142395

    142395 Guest

    All AVs which have an option for SSL scanning, but the degree of terribleness differs.
    Avast is relatively better (still far from perfect though), Bitdefender was bad (worse than Kaspersky at that time; I don't know the current state), and Comodo's PrivDog was the worst. I don't know about ESET, but they have the option too. In all of those AVs except for Avast this feature is turned off by default.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    It's turned on by default in Eset ver. 10.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I still don't know what Tavis is referring to by "32 bit." Is it symmetric algorithm key length? That would be a fiasco if Kaspersky used that key length for their self-signed certs.
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Some Kaspersky filesystem ACL and also SSL bugs. Bug reports within the quoted tweets below.

    Source: https://twitter.com/taviso/status/816372419619266560

    Source: https://twitter.com/taviso/status/816373947109228546
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I think SSL filtering by AVs is a bad idea.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    https://github.com/taviso/loadlibrary/blob/master/README.md

    Let it rip, Tavis! Pretty much know how this one is going to end up.
     
    Last edited: May 23, 2017
  14. guest

    guest Guest

    So basically he ported MsMpEng to Linux to be able to fuzz it more easily, so he can test his PoCs in a more efficient way.
     
  15. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Good for him, hopefully the end result is more fixes for millions of Windows users.
     