Vulnerabilities in Online Armor?

Discussion in 'other firewalls' started by tlu, Jan 17, 2008.

Thread Status:
Not open for further replies.
  1. tlu

    tlu Guest

    In the newsgroup comp.security.firewalls is a lengthy thread about Online Armor. Some guys participating in this thread claim serious vulnerabilities in OA:

    These alleged vulnerabilities seem to be different from the user-mode hooks issue in older OA versions criticized by Matousec. I think all OA users (I'm using OA free myself) would be highly interested in reading a clarifying comment by Mike.
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The interesting thing to note is that the person who made these allegations is insisting that the OP's machine is infected, with the sole reason behind his claim being the OP uses Outlook. I'd take this kooky nutcase with a grain of salt.

    That being said, does anyone have OA and Winspector/Spy++ installed? He does claim that this vulnerability is trivial to discover.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    The really questionable part is the "Vendor refuses to fix". I simply don't believe that at all.
     
  4. TheSpirit

    TheSpirit Registered Member

    Joined:
    Sep 18, 2007
    Posts:
    7
    More complex than that. I see three knowledgeable persons trying to convince alex_s that serious design flaws in OA are a vulnerability, even if no exploit is known.
     
  5. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    It's just the hidden windows that can be discovered by Spy++. There is no vulnerability as long as OA controls its message queue. I guess this is somebody who read something somewhere, but does not understand the nature of this "vulnerability". As far as I see, OA doesn't accept unauthorized messages from foreign applications, so it is not vulnerable by the fact that it has hidden windows. Another point, "insufficient parameter validation", must be clarified.
     
  6. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    There were hooks issues with OA even in kernel mode, because we didn't sufficiently validate for all cases. This is long ago fixed as Alex pointed out. In fact, I think pretty much anyone on our Beta team would have access to the info because there are folks on there that like to run all sorts of tests on OA.

    As far as other issues are concerned: OA Validates data going to its process and tightly controls it, including messages. OA does not even accept messages from other processes so IMHO it's a theoretical issue at best that I'm confident we handle.

    I certainly have not refused to "fix" this. I got an email from the guy, we checked it out and found it incorrect. Nothing to fix.

    If I get any info that there's any sort of legitimate vulnerability I look into it immediately.
     
  7. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Just as a followup: We've assumed now for two years - Malware will try to target OA; it's why we invest so much effort in tamper protection, to stop other processes messing with us.
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Just as a side note to all this, there were, and it looks like there still are, a few guys in that newsgroup who just live to bash any and all software firewalls. If you hang out there for a while and watch the "discussions", you will quickly see which ones they are, and learn to more or less overlook their presence. They seem somewhat intelligent on the surface, and perhaps they are, but you will never convince any of them that a software firewall is a good thing. So I'd take what they say pretty lightly... just my 2 cents. ;)
     
  9. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Have you been participating at that newsgroup for any length of time?

    If not, allow me to point out that bullshitting idiots often sound exactly the same as knowledgeable persons. And I can tell you at least one of them is the former.
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Take it all with a grain of Salt.

    And their disappointments are not just limited to firewalls you know.

    Every single time an especially exceptional security program surfaces, and knowledgeable users pick up on it and then share their joy and satisfaction, the critics come running to the aid of their malware-making brothers, or if nothing else try every conceivable measure to point to the tiniest vulnerability as some earth-shattering defeat that will never be overcome.

    Bahhh!! I say. You guys know it all too well, those of you who have been around quite a while: it's the classic jealousy complex. Hey, but on the other hand genuine scrutiny is GOOD, and professionally minded developers love it, because they as well as their customers benefit from their craft being hammered on with everything including the kitchen sink.

    And that is why Windows users today enjoy a greater measure of security than ever before realized.
     
  11. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Those folks do seem knowledgeable at that newsgroup; however, they seem to have an almost arrogant attitude to those less knowledgeable and with a different view to themselves, rather like how the Jesuits behaved in the Middle Ages. They also strike me as the sort to cut off the arm if the finger has a splinter. I see this in anti-virus newsgroups too, where formatting is the only prescribed method if you've been infected with a virus. They don't believe in levels of infection or containment or limited damage.
    ellison
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Anything concerning a possible vulnerability against any security software is of interest to me (certainly more on the side of a firewall).

    I have in the past attacked OA (from the point of attacking as malware against OA), but did not see this (and yes, I looked at this reported attack possibility before that post was made).

    I don't, at this time, feel a personal need to look further into this than I already have, but if anyone has a POC on this please advise; I will certainly take time to re-check.
     
  13. TheSpirit

    TheSpirit Registered Member

    Joined:
    Sep 18, 2007
    Posts:
    7
    Me too.
    You don't consider MS guidelines relevant here?
    I would assume that anyone with a POC of a vulnerability in a security product would report this to Secunia.
     
  14. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    The MS guideline is completely irrelevant here, because it is only relevant to regular Win32 services without HIPS functionality.

    The MS guideline tells developers not to rely on Windows security here, because by sending some messages to services (WM_TIMER, WM_SETTEXT etc.) it is possible to execute a piece of code with elevated rights. But a HIPS is a system that exists to close the holes in Windows security; it doesn't rely on Windows security, and this is why the MS guideline is irrelevant in such a case.
     
    Last edited: Jan 21, 2008
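    The claim in posts 2 and 5 is that OA's hidden windows are "trivial to discover" with Spy++ or Winspector, and post 14 explains why that matters: a window owned by a privileged process receives messages such as WM_TIMER and WM_SETTEXT from any process on the same desktop. The check below reproduces the Spy++ view from the command line. It is an added example for this page, not code from the thread, from Online Armor or from Microsoft; the C# class name WindowEnum and the process name 'explorer' in the usage line are placeholders chosen here, and the Win32 calls used (EnumWindows, GetWindowThreadProcessId, IsWindowVisible, GetClassName, GetWindowText) are standard user32 exports.

```powershell
# Added example: list every top-level window (visible or hidden) that belongs to a
# named process, so you can see what Spy++ would show without installing it.
# The WindowEnum class name is arbitrary; the Win32 imports are standard user32 APIs.
$code = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

public class WindowEnum {
    delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")] static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll")] static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] static extern int GetClassName(IntPtr hWnd, StringBuilder buf, int max);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] static extern int GetWindowText(IntPtr hWnd, StringBuilder buf, int max);

    public struct Info { public IntPtr Handle; public uint Pid; public bool Visible; public string Class; public string Title; }

    // Walk all top-level windows on the calling desktop and keep those owned by targetPid.
    public static List<Info> ForProcess(uint targetPid) {
        var result = new List<Info>();
        EnumWindows((hWnd, lParam) => {
            uint pid;
            GetWindowThreadProcessId(hWnd, out pid);
            if (pid != targetPid) return true;          // not ours, keep enumerating
            var cls = new StringBuilder(256);
            GetClassName(hWnd, cls, cls.Capacity);
            var title = new StringBuilder(256);
            GetWindowText(hWnd, title, title.Capacity);
            result.Add(new Info {
                Handle = hWnd, Pid = pid,
                Visible = IsWindowVisible(hWnd),        // false = the "hidden windows" Spy++ reveals
                Class = cls.ToString(), Title = title.ToString()
            });
            return true;
        }, IntPtr.Zero);
        return result;
    }
}
'@
Add-Type -TypeDefinition $code

function Get-ProcessWindows {
    param([Parameter(Mandatory)][string]$ProcessName)
    foreach ($p in Get-Process -Name $ProcessName -ErrorAction Stop) {
        foreach ($w in [WindowEnum]::ForProcess([uint32]$p.Id)) {
            [pscustomobject]@{
                Process = $p.ProcessName
                Pid     = $p.Id
                Session = $p.SessionId       # which session the window-owning process lives in
                Handle  = ('0x{0:X}' -f $w.Handle.ToInt64())
                Visible = $w.Visible
                Class   = $w.Class
                Title   = $w.Title
            }
        }
    }
}

# Usage: 'explorer' is only a placeholder; substitute the process you want to inspect.
Get-ProcessWindows -ProcessName 'explorer' | Format-Table -AutoSize
```

    Any row with Visible = False is a message-receiving window the user never sees; if the owning process runs with higher privileges than the desktop's user, it is exactly the surface the newsgroup posters and the MS guidance are talking about. Two caveats: EnumWindows only sees windows on the calling desktop, so a service whose windows live on another window station or (on Vista and later) in session 0 will show nothing here even though it has windows; and finding a window is not the same as finding an exploitable one, which is the distinction alex_s and Mike draw about how OA validates what its windows accept.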
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    To add to alex_s, I take little notice of what MS states, they change stance too many times for my liking.

    Assumption is (unfortunately) incorrect.
     
  16. tlu

    tlu Guest

    Mike, first of all: Thanks a lot for your response!

    I see, and I have no reason to question your statement. Nevertheless, although I, too, regard these guys in the quoted thread as rude and narrow-minded, don't they have a point when they say: it's better to avoid possible problems from the outset by running a non-interactive privileged service and a GUI with user privileges? Wouldn't it make sense to minimize the attack surface a priori instead of relying on measures that prevent possible attacks that wouldn't exist otherwise? (BTW: this philosophy is also the main reason why I'm one of the few proponents of a limited user account.) There are firewalls/HIPS that work this way, like CPF or SSM. Is there a special reason why you did it differently?
     
  17. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    In some special cases, we want to display a popup when the GUI is not running. It's something we discuss from time to time whether or not we still require it, or should replace with a default allow/default deny method of operation.

    So far, we've always decided to leave it in.
     