Security software can reduce effectiveness of DEP/ASLR

From "Bypassing DEP/ASLR in browser exploits with McAfee and Symantec" (hxxp://www.scriptjunkie.us/2011/06/bypassing-dep-aslr-in-browser-exploits-with-mcafee-symantec/):

 

Yet another reason to justify my contempt toward antivirus products and most 3rd party security products in general

 

Another solution is to use EMET on processes vulnerable to this issue.

 

Just a reminder for anyone that may have BottomUpRand disabled in EMET, to enable it.

Read here: http://blog.didierstevens.com/2011/08/16/so-how-good-is-pseudo-aslr/

and here: http://blog.didierstevens.com/2011/09/01/bottom-up-randomization-saves-mandatory-aslr/

 

Indeed, EMET will force it on any extra DLL's that security software is injecting. (Though this is also one of the reasons I prefer MSE)

EMET

 

Who would expect "Security" software to fail them in so Many ways

Now we know

 

Agreed

 

The irony is a security product becoming the attacking vector.

 

It's not that big of a surprise, actually. For one thing, security software has to dig its tentacles deeply into the OS. Any other software does that and we put it in the interrogation room. But we trust our security software to not harm us, and to make us safer (most of us do at least). For another, adding more programs of any kind risks adding vulnerabilities and buggy code, which could lessen safety and stability.

When I first learned of EMET, I was advised to not use it on security software, as all sorts of conflicts and stability issues might arise. But, reading this, I'm not so sure.

 

Didier Stevens' blog has some related posts:
Quickpost: “It Does No Harm…” or Does It?
Force ASLR on Shell Extensions

 

Those who told you that showed any evidence that it would, in fact, cause problems?

Like you, I'm wondering if nefast effects would happen. Would the system collapse?

 

This issue is actually about the bits that security (or other) software injects into other processes, such as web browsers.

 

No, I wasn't shown anything to prove it. I'm not sure you even could, considering it would very likely differ from machine to machine and what you had on it. I did notice when I last used EMET, that I had some sluggishness issues and random crashes of programs. But, that's my own experience and it may not even be true anymore (I don't have EMET right now, and many programs have been changed on this system).

 

Not really. As I've said, anything that executes code on your system is increasing your attack surface. That's why I advocate OS-based security - yes, you'll increase attack surface, but if you bury it into the kernel it's very very difficult to bypass.

 

Not really what? It isn't ironic that a security application ends up being an attacking vector? Yes, it is. Surprising? No. Why not? Because it's code.

Don't confuse irony with surprise.

 

Fair enough =p not sure how I managed to confuse the two...

 

I've used MS' Attack Surface Analyzer before, but thought I'd have another go with it, this time generating a baseline of my setup, then generating a second report after adding Comodo IS, followed by a comparison report between the two. For anyone interested, the html report can be downloaded from the following link:

-http://www.megaupload.com/?d=VROTMLRY

Under the Security Issues tab is probably most interesting. I set up Comodo minus the "GeekBuddy" option, updated av definitions, applied AppLocker rules to the Comodo directory (all Publisher rules) and left D+ at Safe mode.

 

I checked out the report. Wow the security issues are interesting.

 

So... anything can tamper COMODO settings via HKLM? Have you tried that?

COMODO also does not support ASLR according to the report.

 

No I didn't try and not really interested either. I just wanted to see what the results were on a fairly popular product. I may try Symantec or McAfee one of these days.

 

I was curious to see whether SuRun introduced any security issues, and happy to say none to speak of

 

I'd be interested to see more and more tests with that... specifically with Mamutu, Sandboxie, and CIS >_>

 

Check post #17. CIS tested first. Currently checking Kaspersky Pure, free trial. Will look at Sandboxie tomorrow.

 

Thank you. I don't have a clean system to test on.

I expect quite a few security issues for Mamutu, Sandboxie, and Comodo (just read the report) since they do quite a lot. This is why I dislike 3rd party security! =p

 

Then get rid of it lol