Security software can reduce effectiveness of DEP/ASLR

Discussion in 'other security issues & news' started by MrBrian, Sep 5, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From "Bypassing DEP/ASLR in browser exploits with McAfee and Symantec" (hxxp://www.scriptjunkie.us/2011/06/bypassing-dep-aslr-in-browser-exploits-with-mcafee-symantec/):
     
  2. wat0114

    wat0114 Guest

    Yet another reason to justify my contempt toward antivirus products and most 3rd party security products in general :ninja:
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Another solution is to use EMET on processes vulnerable to this issue.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Indeed, EMET will force it on any extra DLL's that security software is injecting. (Though this is also one of the reasons I prefer MSE)

    EMET :thumb:
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Who would expect "Security" software to fail them in so Many ways :eek:

    Now we know :thumb:
     
  7. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Agreed :thumb: :D
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The irony is a security product becoming the attacking vector. o_O
     
  9. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    It's not that big of a surprise, actually. For one thing, security software has to dig its tentacles deeply into the OS. Any other software does that and we put it in the interrogation room. But we trust our security software to not harm us, and to make us safer (most of us do at least). For another, adding more programs of any kind risks adding vulnerabilities and buggy code, which could lessen safety and stability.

    When I first learned of EMET, I was advised to not use it on security software, as all sorts of conflicts and stability issues might arise. But, reading this, I'm not so sure.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Those who told you that showed any evidence that it would, in fact, cause problems?

    Like you, I'm wondering if nefast effects would happen. Would the system collapse? :argh: :argh:
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    This issue is actually about the bits that security (or other) software injects into other processes, such as web browsers.
     
  13. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    No, I wasn't shown anything to prove it. I'm not sure you even could, considering it would very likely differ from machine to machine and what you had on it. I did notice when I last used EMET, that I had some sluggishness issues and random crashes of programs. But, that's my own experience and it may not even be true anymore (I don't have EMET right now, and many programs have been changed on this system).
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Not really. As I've said, anything that executes code on your system is increasing your attack surface. That's why I advocate OS-based security - yes, you'll increase attack surface, but if you bury it into the kernel it's very very difficult to bypass.
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Not really what? It isn't ironic that a security application ends up being an attacking vector? Yes, it is. Surprising? No. Why not? Because it's code.

    Don't confuse irony with surprise. :-*
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Fair enough =p not sure how I managed to confuse the two...
     
  17. wat0114

    wat0114 Guest

    I've used MS' Attack Surface Analyzer before, but thought I'd have another go with it, this time generating a baseline of my setup, then generating a second report after adding Comodo IS, followed by a comparison report between the two. For anyone interested, the html report can be downloaded from the following link:

    -http://www.megaupload.com/?d=VROTMLRY

    Under the Security Issues tab is probably most interesting. I set up Comodo minus the "GeekBuddy" option, updated av definitions, applied AppLocker rules to the Comodo directory (all Publisher rules) and left D+ at Safe mode.
     
  18. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    I checked out the report. Wow the security issues are interesting.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    So... anything can tamper COMODO settings via HKLM? Have you tried that? o_O

    COMODO also does not support ASLR according to the report.
     
  20. wat0114

    wat0114 Guest

    No I didn't try and not really interested either. I just wanted to see what the results were on a fairly popular product. I may try Symantec or McAfee one of these days.
     
  21. wat0114

    wat0114 Guest

    I was curious to see whether SuRun introduced any security issues, and happy to say none to speak of :)
     

    Attached Files:

  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'd be interested to see more and more tests with that... specifically with Mamutu, Sandboxie, and CIS >_>
     
  23. wat0114

    wat0114 Guest

    Check post #17. CIS tested first. Currently checking Kaspersky Pure, free trial. Will look at Sandboxie tomorrow.
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Thank you. I don't have a clean system to test on.

    I expect quite a few security issues for Mamutu, Sandboxie, and Comodo (just read the report) since they do quite a lot. This is why I dislike 3rd party security! =p
     
    Last edited: Sep 5, 2011
  25. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Then get rid of it lol :D
     
Loading...
Thread Status:
Not open for further replies.