When Security Solutions Are Vulnerable


steven36

Last year, antivirus provider Symantec was quoted in The Wall Street Journal stating that antivirus software was dead, prompting the security company to start developing solutions that worked differently and more effectively. Symantec’s senior vice president for information security estimated that antivirus software catches just 45 percent of online attacks today.

And now there’s reports of a known vulnerability emerging in many different antivirus solutions from different providers’ software. Dark Reading reported on a security flaw that allows malware to exploit vulnerable and out-of-date third-party Windows apps.

Vulnerable antivirus products allocate a memory page with read, write and execute permissions at a constant and predictable address, which could potentially lead to the compromise of the underlying Windows system, according to a blog by enSilo. A more technical overview can be found here.

Security company enSilo found the flaw in March 2015, as it affected AVG’s antivirus product, which was promptly patched by AVG. But after developing a tool to test other antivirus products, the company found that McAfee Virus Scan, Kaspersky Total Security, and AVG Internet Security solutions were vulnerable. They have all recently patched for the vulnerability.

Incentives for Broken Security Solutions

Last year, we hosted a Duo Tech Talk featuring Peiter Zatko, better known as Mudge, a member of the hacker collective L0pht. In 1998, he testified in front of Congress with the rest of L0pht, stating that they could shut down the entire Internet in 30 minutes.

Mudge continued on to work with DARPA, the Defense Advanced Research Projects Agency, where he conducted research on how additional security layers often contain and create vulnerabilities. They found that 28.8 percent of all vulnerabilities tracked across 100k networks were found within the security software itself.

He stated that the way antivirus vendors released fixes is more favorable to supporting their own subscription-based models that ultimately made money off of renewals - instead of fixing the root cause, which would benefit consumers the most, vendors were more incentivized to release a patch to fix just a branch or variant of a botnet that would, ultimately, quickly pop up again.

That means consumers - and large companies - aren’t protected if they rely on outdated security solutions that can’t even detect or defend against new threats. Back in 2013, the NYTimes.com reported on the barrage of online attacks they experienced over 4 months, stating that their antivirus solution only detected 1 instance of malware, while 45 were found in total.

Security Basics + Endpoint Insights

Switching over to a solution like two-factor authentication can result in simple prevention, but using the solution in conjunction with advanced endpoint capabilities can prove even more effective and sustainable as combating threats requires a different, more targeted approach.

Endpoint security solutions give you greater insight into increasingly complicated IT environments that now include cloud apps and countless personal, unmanaged devices used to connect to company data. They can help organizations:

  • View where their users are authenticating from - whether it’s an anonymous network or a country you don’t typically do business in, you can get actionable data to detect any anomalies
  • Set custom policies and controls to block users based on location, network or authentication parameters
  • Flag any devices running out-of-date software (like browsers or Flash and Java plugins) that may present a risk if connected to your company network
  • Notify users that their personal devices they use for work are outdated, providing a link so they can easily update on their own

Updating your company’s security solution is essential to avoiding known vulnerabilities, and protecting against new threats that can no longer be detected by old security solutions.

Source

Vulnerability found in McAfee, Kaspersky and AVG anti-virus software

Three major anti-virus products have been shown to be vulnerable to a significant coding flaw.

A vulnerability has been revealed in several major anti-virus products. The Israel-based cyber-security startup enSilo recently showed how AVG Internet Security 2015, McAfee VirusScan Enterprise version 8.8 and Kaspersky Total Security 2015 were all vulnerable to the same flaw.

These giants of the enterprise antivirus software game were all subject to the same coding issue. The software would allocate memory with read, write and execute permissions at an address that an attacker could easily predict, and then proceed to inject code into the target system.

enSilo originally found the vulnerability in AVG in March 2015, while at the website of a customer. Tomer Bitton, vice president of research at enSilo, wrote in a recent blog post, “The enSilo product alerted on a product collision with AVG, also installed in the customer's environment. A follow-up investigation conducted by our researchers revealed a flaw in AVG.” 

The flaw would allow an attacker to exploit old vulnerabilities in a third-party application “in order to compromise the underlying Windows system”.

When Bitton spoke to SCMagazineUK.com, he described what he saw as the essential problem: “The anti-virus companies adopted a coding malpractice which essentially defeats Windows' mitigations against application exploitation.” This meant that the anti-virus products could conceivably become an “attacker's vehicle into taking complete control of the underlying Windows system”.

Bitton said that Microsoft is aware that applications often have vulnerabilities which can be used as gateways to attack the underlying Windows system. So, Microsoft puts in mitigation measures like Data Execution Prevention, which stops attackers executing data as if it were code, or Address Space Layout Randomization (ASLR), which mixes up the address space layout to prevent attackers from guessing too accurately where they could exploit a vulnerability.

But the anti-virus companies “located memory regions in predictable addresses – and gave them read, write and execute (RWX) permissions. By allocating memory in such a way, they rendered Microsoft's mitigations useless.”

enSilo has released a tool for the worried consumer, found here, to see if the vulnerability is there. Bitton told SC that the problem probably is not isolated to anti-virus software: “Due to the prevalence of this issue in anti-virus products, we can assume that this issue is replicated across other intrusive applications.”

There have been no recorded instances of this vulnerability in the wild, but that doesn't mean it's just theoretical. Tavis Ormandy, also known as ‘the notorious Tavis Ormandy’, a researcher at Google's Project Zero, found a very similar vulnerability earlier this year wherein an attacker could gain access to the computer's underlying system via the mere functioning of the antivirus software.

While AVG did not respond for comment, Kaspersky released a statement to SC saying that the vulnerability disclosed by enSilo had been fixed in the September auto-updated patch. “The vulnerability couldn't be exploited by itself with code execution and privilege escalation, but could have simplified the exploitation of 3rd party application vulnerabilities, such as stack based buffer-overflow,” it said. 

The company added, “Kaspersky Lab takes all necessary measures to provide our users with reliable, high-quality, real-time protection from cyber-threats. Moreover, we have always valued the efforts of independent researchers that allow us to make our products better and offer better protection for our customers."

McAfee also commented that, "Intel Security takes the integrity of our products very seriously. Upon learning of this particular issue, we quickly evaluated the researchers' claims and took action to develop and distribute a solution addressing it. This solution was distributed to customers in a patch on August 26, 2015. We are not aware of any customers targeted with an exploit of the issue in question."

Source
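Both articles in this thread describe the same defect: a security product allocating a read/write/execute page at a constant address, so that a bug in any other application on the machine no longer has to get past DEP or ASLR. The script below is an added example, not enSilo's tool or code from Duo, SC Magazine or any vendor, showing how that pattern can be audited from outside the product. It parses the Linux /proc/<pid>/maps text format (the reported flaw was in Windows products; this format is used only because it is simple to parse, and the pattern looks the same), lists RWX regions, and flags an RWX base address that recurs across unrelated processes as a constant-address allocation. The process names, the 0x10000000 address and every map line are constructed for the example.

```python
"""Audit process memory maps for RWX regions, and for RWX regions that sit at
the same base address in every process (the "constant and predictable
address" pattern described in the thread).

Added example, not enSilo's tool or any vendor's code. Input is the Linux
/proc/<pid>/maps text format; all sample maps below are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]"
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def rwx(self) -> bool:
        # Readable, writable and executable at once: DEP offers nothing here.
        return self.perms[:3] == "rwx"


def parse_maps(text: str) -> list[Region]:
    """Parse the text of one /proc/<pid>/maps file into Region objects."""
    regions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], m["path"].strip()))
    return regions


def find_rwx(regions: list[Region]) -> list[Region]:
    """Every RWX mapping deserves a look, but RWX alone is not the bug: a JIT
    may legitimately need one, and ASLR still hides where it landed."""
    return [r for r in regions if r.rwx]


def constant_address_rwx(maps_by_process: dict[str, str]) -> dict[int, list[str]]:
    """Return RWX base addresses seen in more than one process, with the processes.

    With ASLR working, anonymous mappings land at different addresses in each
    process. The same RWX base in several unrelated processes means something
    (here a hypothetical injected hook page) asked for a fixed address, which
    removes the protection ASLR and DEP were meant to give those processes."""
    seen: dict[int, list[str]] = defaultdict(list)
    for name, text in maps_by_process.items():
        for region in find_rwx(parse_maps(text)):
            seen[region.start].append(name)
    return {addr: procs for addr, procs in seen.items() if len(procs) > 1}


# Constructed sample maps for three unrelated processes. The 0x10000000 RWX
# page present in all three is the planted finding; the browser's JIT region
# is RWX too but at a randomized address, so it is noted but not flagged.
SAMPLE_MAPS = {
    "browser": """\
55d3a4e00000-55d3a4e21000 r--p 00000000 08:01 131090 /usr/bin/browser
55d3a4e21000-55d3a4f00000 r-xp 00021000 08:01 131090 /usr/bin/browser
7f2b1c000000-7f2b1c100000 rwxp 00000000 00:00 0 [anon:jit-code]
10000000-10001000 rwxp 00000000 00:00 0
7ffd4a9e0000-7ffd4aa01000 rw-p 00000000 00:00 0 [stack]
""",
    "pdf_reader": """\
5617b2200000-5617b2250000 r-xp 00000000 08:01 131201 /usr/bin/pdf_reader
10000000-10001000 rwxp 00000000 00:00 0
7f9e33000000-7f9e33021000 rw-p 00000000 00:00 0 [heap]
7ffea1c00000-7ffea1c21000 rw-p 00000000 00:00 0 [stack]
""",
    "mail": """\
560f11a00000-560f11a80000 r-xp 00000000 08:01 131305 /usr/bin/mail
10000000-10001000 rwxp 00000000 00:00 0
7f0c5d000000-7f0c5d021000 rw-p 00000000 00:00 0 [heap]
7ffc0b200000-7ffc0b221000 rw-p 00000000 00:00 0 [stack]
""",
}


def report(maps_by_process: dict[str, str]) -> list[str]:
    """One human-readable line per constant-address RWX finding."""
    return [
        f"RWX region at fixed address 0x{addr:x} in: {', '.join(procs)}"
        for addr, procs in sorted(constant_address_rwx(maps_by_process).items())
    ]


if __name__ == "__main__":
    for finding in report(SAMPLE_MAPS):
        print(finding)
```

Run stand-alone it prints the single planted finding. On a live Linux host the same functions can be fed the real contents of several processes' maps files in place of SAMPLE_MAPS; the distinguishing signal is not "an RWX page exists" but "the same RWX base address appears in processes that share nothing but an injected component".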

This is old news and the software has been fixed. Verified that by checking retail versions installed on my various test computer systems.

1 hour ago, straycat19 said:

This is old news and the software has been fixed. Verified that by checking retail versions installed on my various test computer systems.

These posts are from a few days ago. Did you test old versions of antivirus to see if it's been fixed in those as well? Actually, software products have a 3-month grace period to patch exploits without reporting it to the public. They never make the info available till after it's patched.

Dec 10, 2015 was just a few days ago

The point they're making is this:

Quote

He stated that the way antivirus vendors released fixes is more favorable to supporting their own subscription-based models that ultimately made money off of renewals - instead of fixing the root cause, which would benefit consumers the most, vendors were more incentivized to release a patch to fix just a branch or variant of a botnet that would, ultimately, quickly pop up again.

They don’t really fix the problem, they only patch the problem. If they're not fixing the problem but only patching the problem, the industry is just as guilty of spreading malware as the hackers are. Everything on Windows in years is just a series of patches, ever since antiviral programs have almost wiped out real viruses. If they were to kill malware like they did viruses they would all be out of jobs right now. There would be no reason to update them even. That's why free antivirus programs have owned the market share for years and years and not paid ones. More people install M$ and Avast free than anything else regardless of what those tests say.

Quote

Mudge continued on to work with DARPA, the Defense Advanced Research Projects Agency, where he conducted research on how additional security layers often contain and create vulnerabilities. They found that 28.8 percent of all vulnerabilities tracked across 100k networks were found within the security software themselves.

Go to a Linux site and start talking about installing an antivirus on it; they will tell you you’re more likely to get infected installing an antivirus on it than not using one at all. 28.8 percent is no small number when it comes to being infected. Antivirus vendors try to sell you shit to protect you when they can't even protect themselves 100%. LOL

Quote

These posts are from a few days ago. Did you test old versions of antivirus to see if it's been fixed in those as well? Actually, software products have a 3-month grace period to patch exploits without reporting it to the public. They never make the info available till after it's patched.

Did you even bother to read your own posts? If you did you would read that they had been fixed in August and September. I tested the 2015 versions since those were the ones the flaws were originally found in. The DARPA study was of security software, which includes much more than just AV software, so you cannot use those comments to say AV software specifically is the source of any vulnerabilities. They could be saying the Linux-based firewalls are the source of the vulnerabilities. Or the Linux-based code in routers and switches. Linux isn't the ultra-secure software some people think it is, even Torvalds admits that.

11 hours ago, straycat19 said:

Linux isn't the ultra-secure software some people think it is, even Torvalds admits that.

Why don’t you make up your mind? One post you tell people how much safer it is, now you say it isn’t. I never said it was ultra safe, you did. All I know is I don’t have to use any antiviral program with it; I just set my browser up to block scripts and ads and use a firewall and I'm good. If you compare it beside Windows it is much safer, but that would not take much considering a lot of people, including you, consider Windows to be spyware. Linux has mostly clean open source programs while many programs in Windows are full of spyware and PUPs. Antivirus is written for Windows malware, not Linux, because no one that’s been on Linux very long needs an antivirus; anyone who says they do that’s not sharing Windows files is a noob that’s still thinking in the Windows realm. :P

It's been patched till next time, not fixed, big difference. They patch Windows all the time and still you need anti-malware on top of that; also they patch Flash and Java every month just to roll out more patches the next month. Stuff like Flash and Java makes Linux not ultra safe, that's why I keep the crap turned off in my browser just like I do when on Windows. They find 0-days in Windows and software and even security software and you’re in the dark till they fix them. You could well be hacked or infected by then.

The thing was that the security software vendors patched this bug without telling anyone it existed till after they patched it. AVG never responded; Kaspersky waited till months later to comment on it. They want to make like these things don't exist. And 3 different security software products that we know of had the same bug, that’s bad.

Just this year in Kaspersky alone:

1. It's been hacked by Israel.
2. They found malware that could attach itself to it.
3. They found this memory page exploit.

And people pay money every year for it, even Mom does, so this concerns me because they can't protect their own products. It would be different if it was just one thing.

When software can be cracked it can be exploited, because basically all cracking is targeting a weakness.
