Matousec Discloses Critical Vulnerability in ALL HIPS

Although yes I develope and design at home, this is not the reason that made me apply my backup strategy. The reason is that you cannot trust security software, even if layered, 100%. So if you want real security for data and machines, you cannot avoid often images and backups.

If the last known image is one month old then be sure that you'll lose things. If you have the time to reconfigure things and figure out what you have lost, then that strategy could be ok too. I have not said that any other strategy is not good. I have only said that security wise if you want to be safe you must have really recent images and real time synchronization ( for some data versioning is also absolutely needed ). For sure everyone knows better his needs.

Images are saved on a linux machine too, that does only that job ( I mean backup of data and images ). Please tell me how this machine will ever get infected. That machine is 24/7 on and it's not the only place I store images.

 

It really depends what you do with your computer. It sounds like you need this type of back up strategy more than others. For me, the only data I would be fearful of losing are video and music files, and only because it can take a long time to acquire them!

As I said, there would only be a need to back up an image when you do major updates or install/uninstall software. For me and the majority of people, this would only occur maybe once a month or even less frequently.

And I disagree that doing image back ups twice a day is "for security wise". It's got nothing to do with actual security. It's more to do with "insurance". Restoring an image because of a malware infection simply means your "security" has let you down. Which by the way has yet to happen to me over the course of 20 years. And yet I still have "insurance" ready!

Who knows what can happen. I'll always keep my back up drive isolated from my currently running system by default. It's safer that way, period.

 

Just FYI, Microsoft products will tend to use Microsoft API before resorting to hooks, if ever.

 

I believe you say this because you understand as security only the use of security software. Restoring an image because of a malware happens only because part of my security system failed and fortunately not my whole security system. I consider imaging and backup strategies as security.
I have never had an infection the last 10 years but that have never made to stop deciding and applying better security strategies.

Nothing could happen. If you trust more a usb drive than all the things I have said then I guess I have nothing more to say.

I have managed using machines with low power consumption and by "recycling" hardware when possible, to have a back up strategy that I consider that fits my needs and my idea of real security. Taking also advantage of low cost services like mozy and cloud online storage,
using also strict policies about encryption, synchronization, versioning, backup, imaging, raid storage type and yes offline storage too ( never said I don't do that ) that work almost without any intervention by me, I have an almost a 100% secure setup. IF you add all the security software too, a possible disaster is almost impossible. And believe me a system like that does not cost a lot of money. Of course there are more professional ways to do this whole thing but I could not really afford any professional solution.

Who considers security only the software called "security software" has understood nothing. Period.

 

ALL VULNERABLE

 

Given your heated tone, I think I must have insulted you to some extent and I apologise for that. It was not intentional. It sounds like you have spent a long time setting up your back up strategy and it sounds very impressive indeed. I'm glad that it works well for you.

However, I always consider back-ups as "insurance", rather than "security". For example, I can "secure" my passport by putting it in a safe with lasers around it. I can "insure" my passport by making an identical copy of it and placing it in another house (which is why the offline/isolated hard drive is always safer - there's no way malware could jump across thin air and infect your drive).

If my safe is broken into and my passport stolen, my "security" has failed, and my identity potentially stolen. But because of my "insurance", I still have copy of my passport available.

I hope that's now clear. Indeed you can argue that backing up is party of a security strategy. I just like to think of it as more of an "insurance".

 

This to me is an example of what I refer to as Rutkowska Syndrome.
These type of catastrophic security breaches always appear highly impressive on paper,yet strangely they don't seem to take over the real World as threatened.

 

@hundredpercents : I apologize too if my tone seemed heated. Hope I have not insulted you. I absolutely understand what you are saying. Your opinion is absolutely respected by me although I disagree.

 

Not insulted here at all.

Perhaps the main reason why I like to differentiate security software and backing up is that backing up does absolutely nothing to stop identity theft. Also, backing up does not always prevent data loss. What happens when a killdisk malware hits your system and destroys your drive just before your next scheduled back up?

Sure, that would be unlucky, but you can see why backing up isn't really part of computer "security". "Preventing" malware from entering and/or attacking your system is true computer "security".

Anyway, we can agree to disagree.

 

Quote Matousec

As far as i know most security products do use these types of techniques.

EP_X0FF has said for a long time that using hooks is not good, and he should know

As usual though, before ANY nasty can do it's dirty work, it has to be allowed to run. So if you have your browser locked down as tightly as possible, and don't run unknown code, i expect you will be immune from such attacks

 

I guess he's telling nothing exactly new to them, anyway - you have a point there, things like OIS Responsible Disclosure guidelines (PDF) is something completely strange to this self-proclaimed security "guru".

 

no i guss its great he following open bsd theory make is public so more and more people come out with solution as well companies dont be lazy to patch it

as far bad guys concern if there is vulnerability they find it out so its nothing new that whats their JOB is

best security policy i follow golden rule of open bsd before i knew if that rule exits

which is as few software are there in your system make ............it .......... ........as more secure ?

1st opinion

why is that let say i have a bunch of software to add layers of my security one of them get vulnerable it jeopardize entire my security


decent security suite like KIS or NIS + one good encryption software that all

+ astaro security gateway as utm i think more than enough for home user

astaro it self blocked 90-95% threats at gateway level then he have to find my local system and break security suite then strong encryption at end

possibility of getting my suite is 100:1 because i got only one security program



2nd general opinion

if one software will comprise the other will take charge and stop if going further

but in second case you are having too many security software at your pc let say 10 now bad guy had chance to 100:10 any one get him ist breach



best regards mack

 

Welcome to Linux. Ubuntu, openSUSE, and Linux Mint are GREAT.

Thanks.

 

Or the good Guys so that they can patch it. Don't you think?

Thanks.

 

And, how exactly are they helping the good guys/girls? The good guys aren't the security companies's folks, rather the people who make use of such tools.

People like Matousec are not helping such users, rather helping the bad folks, by reporting the flaws and how to exploit them.

Someone has mentioned that, Matousec reporting such flaws and how to exploit them, is no big deal, because the bad folks would already know them. Well, this isn't exactly true.
While they (bad folks) do their own research, the fact is that, for a long time now, certain security "experts" saw a window opportunity for a new market - vulnerabilities research in software, including security software. So, why would a bad folk do that research, if others are doing it, and worse, revealing such flaws before being in contact with such software developers so they can fix such flaws.

People like Matousec hurt no one, but those who make use of such applications.

I'd perfectly understand if such article would be written after contacting with such security vendors and giving them time to solve the flaws in their products. If nothing would be done after a while, then yes, let people know.

For what I could read, Matousec hasn't done that. Unless I missed something.

 

I wonder how long it takes Matousec to come up with a nifty application which does not have the flaws mentioned. Of course not free, dollars have to be paid for that.

 

" As shown in the previous section, the idea of the argument-switch attack is quite simple. The attacker calls the system service with values of parameters that will certainly pass the checks made during the execution of services' hook handlers. When the faker thread gets its time slice, it tampers the contents of the parameters to values that would never pass the checks of the hook handler. If the tampering operation occurs after the security checks are done but before the original service, which does the main work, is called, the attack is successful. " ( from http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php ). I don't understand the process, I wonder:

- the " values of parameters that will certainly pass the checks made during the execution of services' hook handlers.." are so common and knew that an attacker already knows them ? Shouldn't they are different from security software to the others ?

- or, alternatively, the attacker's code can discover them alone to be detected and intercepted as malicious and not verified code/parameter ?

 

Has anyone tried on VISTA or Windows 7? I see that they only tested windows 2000 (?!) and XP.

 

Any non-patchguard (64bit windows) system I believe.

 

Hi all!

Then, is Patchguard the solution of the problem?

 

EP_X0FF

http://www.kernelmode.info/forum/viewtopic.php?f=15&t=153

 

By making the computer security world aware of it.

 

I do not think the following comments are OT because they deal with a vital type of program for sustaining effective security despite the vulnerability mentioned in *Matousec's Disclosure* -- the topic of this thread.
~~~~~~~~~~~~~~~~~~~~~~~~~~

In a prior post I emphasized the value of including a File Integrity Checker (FIC) in a layered security set-up. Commensurate with that comment, I would like to offer links to some good FICs . . .

Tiny Watcher. Free

Sentinel. Free

AdInf. This FIC is super strong, & is designed specifically to work with Dr Web antivirus. However, AdInf will work alone or with other AVs besides Dr Web. FanJ gives a lot of information about AdInf at :HERE, and HERE, and also HERE. $9.95 one-off license fee. Has a 90-day free trial period.

Fingerprint -- scroll down to the bottom of the page. It is no longer in development but that is of lesser significance for a FIC. Fingerprint is very configurable BUT (because of its configurability) it is a wee bit convoluted to set-up. Free