Matousec: KHOBE – 8.0 earthquake for Windows desktop security software
KHOBE – 8.0 earthquake for Windows desktop security software
"In September 2007, we have published an article about a great disease that affected tens of Windows security products. The article called Plague in (security) software drivers revealed awful quality of kernel mode drivers installed by all the major desktop security products for Windows. The revealed problems could cause random system crashes, freezes and in some cases more severe security issues.
Today, we reveal even more serious problem of the Windows desktop security products that can be exploited to bypass a big portion of security features implemented by the affected products. The protection implemented by kernel mode drivers of today's security products can be bypassed effectively by a code running on an unprivileged user account. If you ever heard of SSDT hooks or similar techniques to implement various security features such as products' self-defense, we will show you how to bypass the protection easily..."
nick s- Valued Member
- Posts : 14
Join date : 2010-04-18
Re: Matousec: KHOBE – 8.0 earthquake for Windows desktop security software
Thanks nick. I'm participating more on this in the Sandboxie forums:
http://www.sandboxie.com/phpbb/viewtopic.php?p=51792#51792
Re: Matousec: KHOBE – 8.0 earthquake for Windows desktop security software
Thanks nick, I've reprinted this on bbs.kafan.cn here
Several replies came in; one of them was made by Flowercode:
I've read the article... it's so long...
Put simply, there is a problem called time-of-check-to-time-of-use, TOCTOU for short.
It means that an argument may check out OK when the program passes it in, but the parameter can be changed after you have checked it and are ready to use it, so when you start to use it the parameter is no longer the one you want.
That's why the guys who work for Microsoft will "try" in the first place when writing code; then ProbeForRead second; CaptureXxx third; and there are critical sections or a raised IRQL before and after important check steps.
Nowadays engineers writing secure drivers have barely heard about TOCTOU, so don't expect them to pay attention to this.
A TOCTOU attack needs a little luck to succeed; with a mainstream PC configuration, if it keeps attacking it may succeed within 1 or 2 minutes.
I don't know much about tech things, so maybe I understood/translated it the wrong way.
edit: with a pic
Last edited by Singlemature on 6/5/2010, 16:26; edited 1 time in total
Singlemature- Valued Member
- Posts : 31
Join date : 2010-04-22
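The check-then-use gap and the capture habit described in Flowercode's reply above, as an added example that is not part of the thread or of Matousec's article: a user-space C model that puts a hook which checks and uses caller memory in place beside one that captures the argument first. The struct, the function names, the file names and the callback that stands in for the caller's second thread are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32
/* Constructed model: a buffer the caller can rewrite, standing in for user memory. */
typedef struct { char name[NAME_LEN]; } user_args;
/* Hypothetical callback that plays the caller's second thread inside the window. */
typedef void (*racer)(user_args *);

static int is_protected(const char *n) { return strcmp(n, "protected.sys") == 0; }
/* Stand-in for the hooked service: returns 1 if it acted on the protected object. */
static int service(const char *n) { return is_protected(n); }

/* Vulnerable pattern: the policy check and the service each read caller memory. */
int hook_double_fetch(user_args *u, racer r) {
    if (is_protected(u->name)) return -1;   /* time of check: denied */
    if (r) r(u);                            /* caller rewrites the argument */
    return service(u->name);                /* time of use: second fetch */
}

/* Hardened pattern: capture once into private memory, then check and use the copy. */
int hook_captured(user_args *u, racer r) {
    user_args k;
    memcpy(&k, u, sizeof k);                /* single fetch */
    k.name[NAME_LEN - 1] = '\0';            /* never trust caller termination */
    if (is_protected(k.name)) return -1;
    if (r) r(u);                            /* later rewrites no longer matter */
    return service(k.name);
}

static void swap_name(user_args *u) { strcpy(u->name, "protected.sys"); }

/* Run one hook against a constructed request whose name starts as `first`. */
int run(int (*hook)(user_args *, racer), const char *first, racer r) {
    user_args u;
    memset(&u, 0, sizeof u);
    strncpy(u.name, first, NAME_LEN - 1);
    return hook(&u, r);
}

int main(void) {
    printf("double fetch, raced: %d\n", run(hook_double_fetch, "harmless.txt", swap_name));
    printf("captured, raced:     %d\n", run(hook_captured, "harmless.txt", swap_name));
    printf("direct request:      %d\n", run(hook_captured, "protected.sys", NULL));
    return 0;
}
```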
Re: Matousec: KHOBE – 8.0 earthquake for Windows desktop security software
Whatever the case, here's what Ilya (DefenseWall's developer) said:
Yes, I know about that. The problem will be solved with the 3.02 version of DefenseWall, it's not really hard, but requires carefulness.
So there you have it - he's admitted that DefenseWall is bypassed, and implied that it's an important enough of a bypass to fix for the next version of DefenseWall.
I'm guessing the other programs (like Malware Defender, CIS, Online Armor) will also be updating their programs too haha.
Re: Matousec: KHOBE – 8.0 earthquake for Windows desktop security software
ssj100 wrote: Whatever the case, here's what Ilya (DefenseWall's developer) said: Yes, I know about that. The problem will be solved with the 3.02 version of DefenseWall, it's not really hard, but requires carefulness.
So there you have it - he's admitted that DefenseWall is bypassed, and implied that it's an important enough of a bypass to fix in the next version of DefenseWall.
I'm guessing the other programs (like Malware Defender, CIS, Online Armor) will also be updating their programs too haha.
hehe~ well done, thanks for the info
Singlemature- Valued Member
- Posts : 31
Join date : 2010-04-22
Re: Matousec: KHOBE – 8.0 earthquake for Windows desktop security software
Sounds like Comodo have fixed this vulnerability:
http://forums.comodo.com/news-announcements-feedback-cis/matousec-all-hips-vulnerable-to-a-test-t56086.0.html;msg397440#msg397440
our guys have fixed it...should be a release soon...
Re: Matousec: KHOBE – 8.0 earthquake for Windows desktop security software
Just an update, Ilya is looking to release DefenseWall version 3.03 in the future to fix this vulnerability. Call Matousec what you like, but it seems they have initiated many developers/companies to fix this issue.