Matousec Discloses Critical Vulnerability in ALL HIPS

Discussion in 'other firewalls' started by ace55, May 5, 2010.

Thread Status:
Not open for further replies.
  1. ace55

    ace55 Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    91
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Yeah it's not new, it's also one of the reasons I grew tired of 3rd party security software.
     
  3. Oh man... This is bad. Goodbye forever, Windows. It was fun while it lasted. :'(
     
  4. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    I think with Sandboxie or returnil, online armor, geswall or something similar, Google browser (with its own sandbox) and Defensewall, and maybe a good av, you're still pretty good to go.

    That computer between your ears is still the best protection, although I've picked up malware on otherwise safe sites.
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you ace55 for the post. :eek:

    This issue pertains to more than just HIPS or firewalls.

    Selected quotes from the paper:

     
    Last edited: May 6, 2010
  6. dirsweld

    dirsweld Registered Member

    Joined:
    Apr 11, 2010
    Posts:
    8
    Great, after weeks of reading here, and thinking I've figured out some decent security for Windows 7 x64 (OpenDNS, NAT router, Avast, Threatfire, Secunia, IE8 going only to green WOTs, UAC, on-demand MBAM and Hitman, Macrium), this article shows up.

    A few questions from someone new to Windows:

    1. Would products from Microsoft such as MSE and Windows 7 Firewall have these same vulnerable hooks?

    2. Would on-demand scanners such as Hitman and MBAM, just by being installed, have this problem? Or would they become an entry point when running?

    3. Would a program like Threatfire be part of this situation?

    4. Does this mean virtualization is now the best practice, along with an image? If so, could someone recommend a virtualization program that doesn't get in the way too much when doing pretty basic things like emails, a flight sim, and lots of reading on the internet?
     
    Last edited: May 6, 2010
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Hi dirsweld,

    Since you're using Windows x64, your operating system has Kernel Patch Protection (PatchGuard).

    From Microsoft PatchGuard: Locking down the kernel, or locking out security?:
    Wikipedia has an article about PatchGuard.
     
    Last edited: May 6, 2010
  8. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    A primary reason why several HIPS are agonizingly slow in attaining compatibility with 64-bit.
     
  9. Martijn2

    Martijn2 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    321
    Location:
    The Netherlands
    A limited account will prevent this attack, I guess.
     
  10. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    "The attack pattern described in this document does not, in general, use any feature present only on privileged user accounts. This means, that successful attack might come even from processes running under restricted user account."
     
  11. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, I beg your pardon, Mr. Matousec - but how on earth is this something new? What have you discovered exactly? Sensationalisms and a PR article at "best" of Matousec's tradition, everywhere starting from the "earthquake for Windows desktop security software" title, through "without the pressure from the media, it seems that many vendors are (again) absolutely uninterested in security holes in their software." and ending with "today's most popular security solutions simply do not work".

    Greg Hoglund, Jamie Butler - Rootkits: Subverting the Windows Kernel (published Jul 22, 2005 by Addison-Wesley Professional) is something worth reading, not this Matousec *beeeep*
     
  12. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    "..
    This paper does not disclose our solutions of the problem.
    .."

    price on request?
     
  13. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Matousec solution: pop-up an "unhooking request has been detected! - Deny/Of course, deny!/Sure, deny!" dialog on every even completely benign operation. Then you will score 100% in their security challenge again. :D
     
  14. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Over past years there have been many security holes discovered. They have been patched. The *new holes* reported by Matousec will also be patched. And then yet other holes will be found in the near future. And then they, too, will be patched. Then other holes. Then other patches. And the beat goes on... and on... and on.

    It's a giant chess match between the good guys (security programmers) and the bad guys (hackers, script kiddies, et alia). Jolly good fun, or I wouldn't hang out here at Wilders as much as I do.

    Inasmuch as no single security program will be perfect, the best strategy was, is, & shall be -- layered security . . .

    Real-time: Just 2 apps & a router - -

    (1) Prevx-free with SafeOnline-nonfree

    (2) HIPS + FW, with a 1-click ability to put any application immediately into Least Privileged User Access (LUA) status.

    (3) NAT/SPI-capable router

    On-demand:

    (1) File integrity checker (FIC) - This is an *old school* security app that is very VERY powerful when used in conjunction with weekly imaging of one's system disk. My FIC covers a plethora of sensitive files & registry items. I run it deep every day at 1st start-up while I have breakfast. Over the years I have had a few zero-day nasties slip by my front-line security. AFAIK, my FIC has never missed a single one of them. IMO an FIC that uses an advanced algorithm for its hash simply CANNOT be fooled.

    (2) Disk Imager

    (3) Shadow Defender

    (4) On-demand download scanners: Avira, MBAM
     
  15. hundredpercents

    hundredpercents Registered Member

    Joined:
    May 6, 2010
    Posts:
    8
    Nothing new and not surprising. One important comment is this:

    Many here seem to run several programs, and therefore put themselves at increased risk? I have read people say that the less security you run, the more secure you are. Now I think I know what they meant?
     
  16. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    First of all I want to say that I agree with bellgamin. Then I have to say two more things.

    1. The best solution is the simplest.
    2. a) All these years I have monitored my use with software like manictime etc. I have discovered that computer idle times are really huge, especially on lans with computers that are used for specific tasks (this is less obvious on desktops used for all tasks).
    b) These days we have great imaging software that doesn't interfere with the user while doing its job.
    c) We have hdds with huge capacities.
    So:
    1. Buy a huge extra hdd or use a file/backup server.
    2. Understand that the boot hdd should be used for OS and programs only.
    3. Take advantage of idle times (if no idle is available it's not really a problem) and schedule your imaging software to do its job really often. I will dare to say that it's possible to do it more than once every day.
    4. Use software that in real time synchronizes important data directories on hdds on your lan/locally/usb hdd/server.

    Use layers of security software. Use them but don't become a slave of your software.

    Use your experience/knowledge and the above strategy and no malware or vulnerability will be able to hurt you.
     
    Last edited: May 6, 2010
  17. hundredpercents

    hundredpercents Registered Member

    Joined:
    May 6, 2010
    Posts:
    8
    Imaging is important, but maybe you can become a slave to imaging too. You really schedule your imaging software to perform backups more than once every day?
     
  18. dirsweld

    dirsweld Registered Member

    Joined:
    Apr 11, 2010
    Posts:
    8
    Thank you for the links MrBrian. Reading those, along with the other posts here shows me why Matousec doesn't seem to have a great reputation on Wilders. Being new to Windows, it's hard to get my bearings sometimes, but I will keep plugging along, read what I can and ask a question or two.

    Your set-up is interesting, Bellgamin, I will study its elements to see if I can figure out why you've chosen them.
     
  19. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    I have a complicated backup strategy on my lan. It took me some days to organize everything but now I don't spend a minute. It works auto-magically. :D
    Yes, one specific pc creates an image of itself twice/day and sends these images to 2 different locations on my lan. Other PCs do the same thing once a day and others once every 2 days.

    At the same time multiple directories from all the PCs mirror themselves on two different locations on the lan and some of them on online drives too.
     
  20. hundredpercents

    hundredpercents Registered Member

    Joined:
    May 6, 2010
    Posts:
    8
    That means you must be taking up a lot of system resources and also take up a lot of hard drive space. What happens when you download a 10gb file? How long does your back up take then? And how much resource is used?
     
  21. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    Although I think we're off topic, I'll try to reply. You must understand what I've said on my initial post. Your images don't include data like files downloaded from the web. You create images of your boot hdd and you make sure that these contain only the OS and the software that you use. This way you keep your images as small as possible.

    Backups don't take a long time and don't use important resources, especially if you use the idle times. You should also note that a wise mix of integral and differential backups could save you a lot of hdd space.

    Data backup is another story (like the example of the 10GB file you have mentioned). I also backup data but this has nothing to do with images. Really important data get encrypted and synchronized on multiple locations on my lan and on various online drives (like mozy). Important data get synchronized online and on 2 different locations on my lan. Other data like movies, mp3s etc get a regular backup "treatment" not that often.

    Security-wise only the boot hdd images are important. The rest is just data keeping and safety of your data.
     
  22. hundredpercents

    hundredpercents Registered Member

    Joined:
    May 6, 2010
    Posts:
    8
    Understood, and I have a similar back up strategy, except I would only image when I make significant change to my system like installing a new application or doing major updates.

    Why would you need to create images of your boot hdd twice a day? Surely it won't change much. Maybe once a month would be enough. And this would save on a lot of system resources.
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Like two users already have stated, that is why you must use layered security, from anti-malware providing real-time protection or not (real-time protection if it makes you feel more secure) to backup systems.

    Aside from this, I'm really quite fed up with all these sorts of sensationalist articles. Not so long ago I read the first part of an article in PC World about some "expert" saying that people shouldn't be using anti-malware because this sort of application has bugs. What's news? If you make a decision based on that, well my friends, simply don't use any OSs, as they all have bugs. Use nothing.

    The funny thing? That supposed "expert" seems to be working for a company that wants software development companies to pay them to check for bugs or something like that. I don't quite remember, and didn't bother to check it out.

    Now, this is similar to Matousec saying that security software is full of breaches, etc; the end of the world.
    Then, may I humbly ask: Why have they always tested such security solutions and told people which ones to use and buy? All money for them when visitors click the winners' links? Is it of no importance if the users put themselves at greater risk?

    A stupid paragraph from the article, in my most honest opinion:

    Rather than contacting the security vendors, they decide to explain how to actually bypass the security software. Why not first contact them, then give them time to fix those problems, and then report their findings? All about who's first showing what.

    Security holes will always exist. If you want to be 100% safe from the virtual world, simply don't go there.
     
  24. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    The frequency of backups for every pc is defined by the importance of that machine. Some machines are not just desktops, you need them running without interruption for work etc. So you cannot risk losing your machine, let's say, for an entire day.

    Also, if you make backups only when you make changes, security-wise these backups have little or no value. Because my strategy tries to protect me also from changes made by "others"...like malware. Often you understand changes made by malware when it's already too late. This strategy demands really frequent backups even if you personally don't make any changes. This is also why I balance and try to wisely use differential backups too.
     
  25. hundredpercents

    hundredpercents Registered Member

    Joined:
    May 6, 2010
    Posts:
    8
    That only applies to you I suppose. For most home users, this wouldn't apply. It sounds like you are running a company from home or something?

    Why would the backups have little or no value? When your system is infected, you would merely load up your last known good image. And yes, differential backups can be useful.

    Also, it sounds like your backup data is always connected to your currently running system. This means you are putting that backup data (images) at risk if you get infected on your currently running system. Right?

    I always make an image backup when I need to, then make sure the external drive is disconnected and therefore isolated from potential malware exposure.
     