Matousec Discloses Critical Vulnerability in ALL HIPS

Those won't provide any sort of protection though, only tell you when you're (probably) infected... Right?

Re-examining the original article it looks like a combination of LUA, whitelisting, and several on-demand scanners might still work - just prevent anything whatsoever from executing unless you know it's trustworthy, thereby preventing the issues from cropping up in the first place. I'm not quite sure if I'm right about that though.

(Also I'm not sure how e.g. SuRun works, and if it might be vulnerable in the same way.)

 

I did say...

But, that's not the case. Matousec simply wrote the article explaining how to make use of such security flaws. Why? So Matousec can say: I saw it first.

Anyway... one more among many other articles spread all over the Internet.

 

An FIC (File Integrity Checker) tells you if a key file or registry item has been changed. That may or may not indicate an infection. FIC is a thoughtful person's tool.

FIC + DiskImaging (DI) software = great protection. To deal with an inexplicable change reported by your FIC, simply restore a clean image and POOF! you are good to go.

FIC+DI is security of last resort. FIC+DI is the killing field for dealing with orcs & barbarians who have breached your castle's outer wall.

 

:

Matousec tests on XP 32 bit, let's shock the world and publish a scoop about a win95 flaw

He works for microsoft now, mmhhh somebody said x64 kernel patch protection

 

Bellgamin-

When I looked into FIC last night, it seemed way over my head, since it would require knowing what the processes meant. On the other hand, if there were an easy way to look up each one, it would be a way to learn more about how Windows works.

Is there a more automated way to do the same thing? Does a program like Threatfire track the same kind of changes to the system that are suspicious?

 

Here are few responses from security product vendors.

DefenseWall:

Link: http://gladiator-antivirus.com/forum/index.php?showtopic=104354

Sandboxie:

Link: http://www.sandboxie.com/phpbb/view...start=15&sid=85ee1be08a0b7a820f7407c54d9b850f

 

The only way to guarantee that a backup cannot be infected is for it to be completely offline and static.

 

Not as far as I know.

No. However, with TF you can make advanced rules to protect specified files & registry items. If you do, TF will notify you in real time of each change that is about to happen to a protected file or registry item. That approach works well but can be a PITA during software updates, Windows patches, new installs etc. A FIC is a lot easier to deal with IMO.

In most cases it is fairly easy to use an FIC to spot EXPECTED changes such as those that ensue from software updates, Windows patches, new installs, etc. These expected changes are easily confirmed, & (unlike TF) do not interfere with your use of the computer during real-time.

There will actually be only a relative few UNexpected changes that need you to undertake further research. One excellent source of advice/help is, of course, this forum. A goodly number of Wilders denizens are very well informed & helpful.

However, you can find 95% of the answers you need, process by process, by doing a wee bit of online research. There are several sources of easy-to-understand info for doing such research. These include but are not limited to . . .
http://www.processlibrary.com/
http://www.whatsrunning.net/whatsrunning/ProcessInfoCentral.aspx
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
http://www.greatis.com/appdata/

 

Have you guys not figured out that "revelations" like this happen every so often and are never as bad as they're made out to be? Everybody panics and the whole security world flies into a tiz....meanwhile the vendors have the devs fix the issue and we all move on to the next "crisis". Security evolves people, it's not the end of the world.

 

You are a little late Watasha, check the last couple of pages.

 

Herewith the Matousec T-shirt . . .

 

Thanks for the links, Bellgamin, I bookmarked them, and just loaded Tiny Watcher. I'm using 7 x64, is it okay that Tiny Watcher is not 64bit?

If Tiny Watcher gives me information I can decipher, this should be an education.

If I get stuck, where would be a good place on Wilders to post a question about a process?

 

I do not know.

I think Malware Problems & News would be the likely forum.

 

First pic - running in a default sandbox.

Second pic - trying to run in a start/run restricted sandbox.

 

But.... but.... how come that no earthquake?

 

On a side note...

Yeah... the idea is really simple. It's been described in detail in 1996.

Reference: Bishop, Dilger: Checking for Race Conditions in File Access (PDF).

Finally, wrt the sky is falling and everything's affected ("the list would be endless" claims by Matousec), I suggest reading section 5 of the above PDF, which explains why such bombastic claims are plain wrong.

 

Franklin thanks,

So they tested DefenseWall while trusting their testing tool Matousec

 

Older version Gizmo's giveaway Defensewall running the Matousec tool as untrusted.

 

Password protected compressed images and also encrypted cannot be infected even if you hit them with all the malware of the world. Also consider that on a linux machine you must have write rights on the files to be able to change them or delete them. So I think you are wrong. Only theoretically this is possible, but in theory everything is possible about security issues.

ps: in any case like I said in another post, I also do offline backups. And I hate to be off topic, so please let's leave the whole backup thing for another thread another time. There I could explain everything, because I have not explained the things in detail and normally many questions or doubts come in surface. Things sometimes are a bit more complicated.

 

Images from the likes of Macrium Reflect are read-only so can't be infected after the event AFAIK.

 

Matousec's BSOD Hook is just a simple hook parameter fuzzer; basically it just tests whether the hook handler is validating parameters passed to it. It does not test for race condition pointer/handle tampering.

 

More sensational noise by Matousec. This "vulnerability" is based on the same assumption that his leaktests are, that the user and system configuration has allowed this test or malicious code that uses this method to run. Any security package that properly enforces a default-deny security makes this "vulnerability" worthless.

 

So . Pretty much everyone in this thread is paranoid and amazed at the article ? You guys are priceless . The paranoia in this forum is pretty sad . You actually thought that any HIPS or , for that matter , AV and firewall are bulletproof ? You think because you have been running a HIPS you were safe until reading this article ? Lol . You guys are as bad as the water bottles found in NYC today and everything shutdown in the area . Well , I suggest removing any HIPS you may be running just to feel on the safe side . This guy has everybody pissing and moaning about his tests so now he shows another way to gain some respect . I think that while you are at it , you should remove any and all security software from your system because they will all have some sort of vulnerability . Good luck from attacks guys and gals . Seems like most of you are under attack all the time . I am glad that paranoia stuff is not in the water I drink . Lol . I know this will anger many but , get over it . Because I am putting it bluntly , most take offense . Facts are facts . This article should be common knowledge , in theory , by ANYONE capable of using a computer . This thread was actually humorous to read . Ease back , remove your precious layered defenses and then these articles will not bother you . I really hate to see anyone new here to read this thread and think they can never go online because HIPS has a vulnerability . Oh . Be sure to switch to an AV that scores better than yours in the next AV-Comparatives test .

 

If i understand well how a FIC works, I can make the following comparison:

1) a HIPS will detect a change taking place at the same time
2) a FIC will detect the change after it took place

Following this reasoning i can assume that if you have a HIPS, you dont need a FIC and if you are relying on LUA+SRP then a FIC will be a great addition.

Do you agree or am I way off with the reasoning?

 

David Matousec - liar and thief

I'm suggest to talk about more important subject. Why I thinking that David Matousec - liar and thief? And there is no place in scientific security community for people like him.

I'm suggesting to redistribute this information as you can.

David Matousec published a "new" advisory named it "KHOBE - 8.0 earthquake for Windows desktop security software". The reality is -- there is nothing new. Moreover, this researches were stolen.

He were not lazy and created a new name for the thing that were know very long (veeeery long) before his article, wrote that he as k-rad security researcher and found a really new, critical problem. Found... Where? In the Google? Is he stupid or thinks that other people are really stupid? Heh, I saw before that all "his" tests seems like written by students, that are under his lead. Maybe some of that students found a "yearly essay" in the Internet and just crossed up his "scientific adviser"? To publish researches made by other guy as his, researches that were made from 7 years (actual proof for NT-based systems, see below) to 14 years (1996 year: theoretical, fundamental investigation -- PDF, 64kb), and did not afraid to publish this to seclist (but what do you say about this article, published on the same resource 7 years ago?), and did not forget to remind to all (including security vendors) that this "new" problem can be fixed, if they are will pay to him. Just pay to get access to the second and third part of the documentation... I'm advising to all vendors to get access for these parts absolutely for free. Just try to search in the Google the source name (not a "new" name from Matousec) of these type of attacks -- TOCTTOU (WiKi).

TOCTTOU flaws (TOCTTOU = time-of-check-to-time-of-use).

David Matousec stole his researches from this article / other link (published 30 Dec 2003, about 7 years ago).

Name: TOCTOU with NT System Service Hooking
Author: Andrey Kolishak <andr@sandy.ru> (Russian security researcher)

David Matousec did not published any sources or examples. Heh... They were published 7 years ago. By original researcher.
Please see here: TOCTOU with NT System Service Hooking Bug Demo.

Here is more scientific researches for *nix systems (2005 year): PDF (346 kb), with a pictures, schemes, calculations and so on.

Do not allow COMMERCIAL deceivers and thiefs to be in scientific security research community!