Matousec: KHOBE – 8.0 earthquake for Windows desktop security software


Post by nick s on 6/5/2010, 08:57

KHOBE – 8.0 earthquake for Windows desktop security software

"In September 2007, we have published an article about a great disease that affected tens of Windows security products. The article called Plague in (security) software drivers revealed awful quality of kernel mode drivers installed by all the major desktop security products for Windows. The revealed problems could cause random system crashes, freezes and in some cases more severe security issues.

Today, we reveal even more serious problem of the Windows desktop security products that can be exploited to bypass a big portion of security features implemented by the affected products. The protection implemented by kernel mode drivers of today's security products can be bypassed effectively by a code running on an unprivileged user account. If you ever heard of SSDT hooks or similar techniques to implement various security features such as products' self-defense, we will show you how to bypass the protection easily..."


Post by ssj100 on 6/5/2010, 09:45

Thanks nick. I'm participating more on this in the Sandboxie forums:
http://www.sandboxie.com/phpbb/viewtopic.php?p=51792#51792

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Post by Singlemature on 6/5/2010, 14:54

Thanks nick, I've reprinted this on bbs.kafan.cn here.
Several replies came in; one of them was made by Flowercode:
I've read the article... it's so long...
In simple words, there is a problem called time-of-check-to-time-of-use, TOCTOU for short.

It means that an argument may check out OK when a program passes it in, but the parameter can be changed after you have checked it and are ready to use it, so when you start to use it, the parameter is no longer the one you wanted.

That's why the guys who work for Microsoft will "try" in the first place when writing code; then ProbeForRead second; CaptureXxx third; and there are Critical Section or Raise IRQL before and after important check steps.

Nowadays engineers writing secure drivers barely hear about TOCTOU, so don't expect them to pay attention to this.

A TOCTOU attack needs a little luck to succeed; with a mainstream PC configuration, if you keep attacking it may succeed within 1 or 2 minutes.

I don't know much about the tech side, so maybe I understood/translated it the wrong way.


Edit: with a pic


Last edited by Singlemature on 6/5/2010, 16:26; edited 1 time in total
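
The check-then-use gap and the "capture" remedy described in the post above, modelled in user-mode C as an added example (not part of the original thread, the Matousec article, or any product's code). The hook functions, the policy, the path strings and the `concurrent_writer` callback are hypothetical; the callback stands in deterministically for a second thread of the caller rewriting the argument between check and use.

```c
#include <stdio.h>
#include <string.h>

#define PATH_LEN 64
typedef struct { char path[PATH_LEN]; } user_arg_t;   /* caller-writable memory */
typedef void (*racer_t)(user_arg_t *);
static char opened[PATH_LEN];   /* what the original service finally acted on */

/* Hypothetical policy: opening the protected file must be blocked. */
static int is_allowed(const char *p) { return strcmp(p, "C:\\protected\\av.cfg") != 0; }

/* Models a second thread of the caller rewriting the argument mid-call. */
static void concurrent_writer(user_arg_t *u) { strcpy(u->path, "C:\\protected\\av.cfg"); }

static void original_service(const char *p) {
    strncpy(opened, p, PATH_LEN - 1);
    opened[PATH_LEN - 1] = '\0';
}

/* Flawed hook: validates caller memory, then the service reads it again. */
int hook_double_fetch(user_arg_t *u, racer_t race) {
    if (!is_allowed(u->path)) return 0;   /* time of check (fetch 1) */
    if (race) race(u);                    /* window between check and use */
    original_service(u->path);            /* time of use (fetch 2) */
    return 1;
}

/* Hardened hook: capture once into private memory, check and use the copy. */
int hook_captured(user_arg_t *u, racer_t race) {
    char captured[PATH_LEN];
    memcpy(captured, u->path, PATH_LEN);  /* the only fetch from caller memory */
    captured[PATH_LEN - 1] = '\0';
    if (!is_allowed(captured)) return 0;
    if (race) race(u);                    /* a later rewrite changes nothing */
    original_service(captured);
    return 1;
}

/* Returns 1 if the protected file was reached despite the hook's check. */
int policy_bypassed(int (*hook)(user_arg_t *, racer_t)) {
    user_arg_t u = { "C:\\temp\\harmless.txt" };   /* constructed sample input */
    opened[0] = '\0';
    hook(&u, concurrent_writer);
    return !is_allowed(opened);
}

int main(void) {
    printf("double fetch bypassed: %d\n", policy_bypassed(hook_double_fetch));
    printf("captured bypassed:     %d\n", policy_bypassed(hook_captured));
    return 0;
}
```

In a real kernel driver the capture step also has to sit inside exception handling and follow a probe of the user address, as the post lists; this model leaves those out to isolate the single-fetch rule.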


Post by ssj100 on 6/5/2010, 15:35

Whatever the case, here's what Ilya (DefenseWall's developer) said:

Yes, I know about that. The problem will be solved with the 3.02 version of DefenseWall, it's not really hard, but requires carefulness.

So there you have it - he's admitted that DefenseWall is bypassed, and implied that it's an important enough of a bypass to fix for the next version of DefenseWall.

I'm guessing the other programs (like Malware Defender, CIS, Online Armor) will also be updating their programs too haha.


Post by Singlemature on 6/5/2010, 15:42

ssj100 wrote:Whatever the case, here's what Ilya (DefenseWall's developer) said:

Yes, I know about that. The problem will be solved with the 3.02 version of DefenseWall, it's not really hard, but requires carefulness.

So there you have it - he's admitted that DefenseWall is bypassed, and implied that it's an important enough of a bypass to fix in the next version of DefenseWall.

I'm guessing the other programs (like Malware Defender, CIS, Online Armor) will also be updating their programs too haha.

Hehe~ well done, thanks for the info.


Post by ssj100 on 18/5/2010, 12:37

Sounds like Comodo have fixed this vulnerability:
http://forums.comodo.com/news-announcements-feedback-cis/matousec-all-hips-vulnerable-to-a-test-t56086.0.html;msg397440#msg397440

our guys have fixed it...should be a release soon...


Post by ssj100 on 6/6/2010, 02:05

Just an update, Ilya is looking to release DefenseWall version 3.03 in the future to fix this vulnerability. Call Matousec what you like, but it seems they have initiated many developers/companies to fix this issue.
