Tavis Ormandy vs. Antivirus - Discussion

Discussion in 'other anti-virus software' started by WildByDesign, Apr 29, 2016.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,633
    Location:
    Toronto, Canada
    As many of us have seen in recent times, Tavis Ormandy (https://twitter.com/taviso) of Google's Project Zero team (http://googleprojectzero.blogspot.com) has been trying to hold antivirus software accountable for providing security while, at times, creating more attack surface for the bad guys. We've seen vulnerability reports for Comodo, Avast, Trend Micro, and more. For the most part, these vulnerabilities get fixed promptly and in the end make for a more secure digital world for all of us. At least, that is the intention.

    I have been debating whether or not all of these different vulnerability reports were worthy of their own thread here for discussion or whether to simply discuss each antivirus vulnerability in each vendor's own thread here at Wilders. I figured that since his reports have always been quite consistent and that since a lot of good has come from this, it would be worth discussing on its own rather than muddying the waters in each vendor's thread here. Mods, as always, please report whether this should remain for discussion here or be moved to any other thread(s).
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,633
    Location:
    Toronto, Canada
    Symantec Endpoint / Norton Consumer

    Source: https://twitter.com/taviso/status/725400730035589121

    Source: https://twitter.com/taviso/status/725460682158817281
    Image: https://pbs.twimg.com/media/ChFapVzUYAAz-Au.jpg

    Source: https://twitter.com/taviso/status/725816306209951744
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    It's a bit scary stuff, but the question is: are there any known attacks in the wild? I have been reading about serious AV holes for years, but I never heard of any attacks.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,069
    I didn't hear about them either. So even if there were any they probably weren't publicly disclosed.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,069
    If I remember correctly there were some AV vulnerabilities disclosed when Hacking Team was hacked with status sold. So if it was sold, then we can assume it was used also. Though, probably for some targeted attack.
     
  6. Nevis

    Nevis Registered Member

    Joined:
    Aug 28, 2010
    Posts:
    786
    Location:
    255.255.255.255
    A lot of interesting posts I found from that twitter handle. Thanks for sharing.
     
  7. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    I think it would be hard to determine if a system was compromised by exploiting the AV, unless the attackers gloat about it afterwards. So who knows how often this is used as an entry point, though I am pretty sure home users are not affected.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Yes that's what I meant, how many home users are attacked using these kinds of exploits. I don't think any of them have ever shown up in the popular exploit kits. Like Minimalist said, this stuff is probably only (or mostly) being used in targeted attacks. Same goes for Windows kernel exploits, although I do know of certain wide scale attacks where they were being used.
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,633
    Location:
    Toronto, Canada
    More on Symantec Endpoint / Including Norton Consumer products

    Source: https://twitter.com/taviso/status/730249521247068162
    Source: https://twitter.com/taviso/status/730249922499371008
    Source: https://twitter.com/taviso/status/730250359474556928
    Source: https://twitter.com/taviso/status/730430843529760768
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,069
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,633
    Location:
    Toronto, Canada
    Patches are imminent regarding critical Symantec/Norton products for the critical RCEs which affect most of their product line. Some products may need manual patching. Detailed bug report(s) and Google Project Zero blog links are contained within the linked tweets below:

    Source: https://twitter.com/taviso/status/747804671654264834
    Source: https://twitter.com/taviso/status/747853954940166144
    Source: https://twitter.com/taviso/status/747894763135787009
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,951
    Location:
    USA
    Is Tavis releasing these vulnerabilities without giving the developers a chance to fix them first? He even links to some of the exploits. Does he give them any time at all to fix the vulnerabilities before releasing them? I know there are plenty of developers out there that will not fix vulnerabilities unless they are publicly disclosed, but shouldn't they be given a chance first? Most people get crucified for doing the same thing on security forums.
     
  13. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Yes, they have time to patch.
     
  14. snippits

    snippits Registered Member

    Joined:
    Jun 19, 2011
    Posts:
    192
    From what I can gather from the previous posted links, these vulnerabilities were fixed with latest 22.7 version that is now live.
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    Lol..
     
  16. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    976
    Location:
    Paris
    Time given to patch before public disclosure varies, but T.O. uses a 90 day timeframe.
     
  17. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,187
    Location:
    in a remote land :)
    Anyway if a skillful cyber-criminal finds a vulnerability in a famous security soft or whatever, he won't disclose it publicly but will make money with it first in the underground.
     
  18. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    976
    Location:
    Paris
    The real money in the software exploit field is made by the Bounty Hunters. US-based companies like Exodus and Endgame (startup capital provided by In-Q-Tel) and the French Vupen are dedicated to nothing else but this.

    Why would a Blackhat who discovered an exploit sell it for a pittance in the vagaries of the Darkweb when she could turn into a Greyhat and sell it to Zerodium for far, far more (and get a job offer in the process)?
     
  19. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    75
    I wonder which vendor he's going to do next. I've actually never had an av alert in the past seven or eight years that wasn't a false positive. It's sort of weird to think it might make me more vulnerable.
     
  20. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    Yes, that's my understanding too. I remember the screenshots of AV vulnerabilities on some kind of marketplace.
     
  21. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    I think it's pretty relevant to discuss the drawbacks of AV software, especially given how achievable it is to have a relatively secure system without all the overhead.

    Relying on an AV to catch malware is a roll of the dice that almost everyone I know fails sooner or later. Not just non-techie friends, but even IT folk who should know better.

    Once a machine is properly secured despite whatever the AV would do to a threat, then the question becomes: so why do I need you again?
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,633
    Location:
    Toronto, Canada
    @RJK3 I like your mindset. 10+ years ago, AV was certainly considered a front line of defence in computer security. Now, I would consider AV more like a forensics cleanup after the fact, should an infection make its way through other lines of defence. I think that it is very important that more eyes are focused on looking for potential vulnerabilities within AV software, particularly since they work at such a low level within the kernel, and the added scrutiny will absolutely be beneficial to these AV companies and their users in the long run as holes are patched, sandboxing is added, etc.
     
  23. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,176
    I had Poweliks infect my work computer last year. Norton's Endpoint was on it. Norton would tell me I was infected and clean it but it always came back. At that time the first thing I tried was Malwarebytes free and it could not find anything. If I remember right the tell-tale was multiple dllhost entries in task manager. I ended up downloading a tool from ESET made just for Poweliks and that fixed it.
     
  24. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,081
    Location:
    Netherlands
    Using your arguments, people won't need anti-exploits because blackhats turn into whitehats and we all sing Do Re Mi, Do Re Mi Do Re Mi Fa So La Ti and you have to change song titles in your tests and wear a more conservative outfit, ah well at least Paris is close to the Alps
     
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,069
    Symantec Patches Products Against Exploitation via Malicious RAR Files
    http://news.softpedia.com/news/syma...oitation-via-malicious-rar-files-508493.shtml
     