Kaspersky, McAfee, and AVG all vulnerable to major flaw

Some of the biggest names in the security software business have been compromised by a serious flaw that could allow a hacker to use the commercial security code to infiltrate computers. In March, researchers at security firm enSilo found a serious flaw in popular free antivirus engine AVG Internet Security 2015. They found …

  1. The Average Joe

    New McAfee software

    Enterprise users can install a newer version of 8.8, if they use EPO to remove the old and install the new

  2. nilfs2
    Linux

    Here, have a fix

    A fix for all known and unknown Windows viruses and vulnerabilities, http://www.debian.org

    1. Sandtitz Silver badge
      Trollface

      Re: Here, have a fix @nilfs2

      Man, you forgot the troll badge! And you should - by default - start doling out HTTPS URIs.

      A fix for all known known, known unknown, and unknown unknown Linux malware and vulnerabilities, https://www.microsoft.com

    2. Anonymous Coward
      Anonymous Coward

      Re: Here, have a fix

      "A fix for all known and unknown Windows viruses and vulnerabilities, http://www.debian.org"

      There's some particularly insidious malware affecting many Debian systems:

      https://en.wikipedia.org/wiki/Systemd

      Joking aside, there seem to be a lot of quasi-religious posts evangelising the poster's favourite OS here on El Reg. This gets tiresome and is out of place on a tech forum where I assume most readers are well informed enough to choose an OS that meets their requirements. (Speaking as an OS-agnostic Debian user since the '90s).

      1. jason 7

        Re: Here, have a fix

        Yes this forum could do with some standard cliché post replies as a drop down option for the less imaginative posters.

        Pretty tiresome to see the same old posts time and time again.

        YES WE KNOW!

      2. Chika
        Coat

        Re: Here, have a fix

        systemd? That isn't restricted to Debian systems either. And I'm not joking. Why can't they arrest the perp and have done with it?!?

        Agreed. I use different systems to do different things. I may give Linux advice in some of these threads but each OS has its strengths and flaws and I prefer to judge them realistically rather than evangelise.

        Besides, RISC OS kicks the crap out of all of them... ;)

      3. Vic

        Re: Here, have a fix

        I assume most readers are well informed enough to choose an OS that meets their requirements

        I don't think that's a safe assumption. I've seen a lot of OS religion here - of varying flavours.

        Vic.

  3. Michael Thibault

    "This post has been deleted by a moderator"

    Seldom seen! Very curious to know what that was about.

    1. willi0000000

      Re: "This post has been deleted by a moderator"

      I believe that is called The Banhammer of Loving Correction.

    2. Notas Badoff

      Re: "This code has been deleted by an exploiter"

      Perhaps it was a description of the exact flaws, or link to such?

      Having read the article only once, am I to understand that at least three or more AV companies - in their separate amazing and patentable software development - all came up with code so similar the same exploit techniques would work for each?

      Can we please use this phantasmagoric occurrence as yet another example that s/w 'genius' ain't necessarily unique, or code patentable? Instead of these companies playing patent gotcha against each other with their code, the exploit showed the illusion behind the claims of uniqueness.

      1. DryBones

        Re: "This code has been deleted by an exploiter"

        Reads more like it's a common error, to me. It's basically saying that they're traveling the same route too often and so someone put a bomb where they're going to pass.

        1. Michael Wojcik Silver badge

          Re: "This code has been deleted by an exploiter"

          Reads more like it's a common error, to me.

          Same thing, innit? That is, the original point was that if you find the same vulnerability in similar products from three vendors, that suggests software developers tend to keep reinventing the same bug-wheels.

          I have a vague memory of a study that showed similar results when multiple teams are given the task of implementing the same system in parallel. That technique is sometimes recommended for producing fault-tolerant software, on the assumption that, say, three different implementations will have different bugs, and so won't all fail the same way on the same input. But the study found that the independent groups tended to make similar mistakes.

          By the way, Ormandy's blog post that's linked from the article is worth a quick read, like pretty much all of his vulnerability analyses.

  4. Breen Whitman

    I wondered how several products had the same flaw. Intel owns them. There's the answer.

    1. ardubbleyu

      Don't think Intel owns Kaspersky - in any case KIS 2016 is now widely available and not vulnerable to this AFAIK.

    2. Chika
      FAIL

      I wondered how several products had the same flaw. Intel owns them. There's the answer.

      Are you sure that was what you meant? I suspect that you probably meant that the code developed that way because of the product they were designed for, that being the Intel processor based system. Mind you, even that's clutching a bit...

  5. Ken Moorhouse Silver badge

    Predictable

    By virtue of all programs running under a host Operating System it is possible to work out what resources are being used where - Sysinternals has been demonstrating this for years. The vulnerability is surely in the ability of the OS to be coaxed into allowing another program to write to the same memory area, or to allow a process not under its control to shunt memory to another location and back again.

    The contra to that is presumably for the AV program to repeatedly checksum memory (in an internal proprietary way) that it uses either for transient or ongoing usage. Yes, this will impact performance, but given the nature of AV programs they have to start from the premise of paranoia. How else can an AV program detect that it is running within a Rootkit shell?

    1. phuzz Silver badge

      Re: Predictable

      There are two things they could do to minimise the risk. One, use ASLR or a similar tech to make sure that the allocated memory is not at a predictable address. The second is to minimise how much memory is marked as readable/writeable/executable (a bit like not having everything chmod'ed to 777 on Linux).

      1. Michael Wojcik Silver badge

        Re: Predictable

        One, use ASLR or a similar tech to make sure that the allocated memory is not at a predictable address.

        Read Ormandy's blog post. Kaspersky was using ASLR.

        Unfortunately ASLR is pretty easy to defeat in most cases. There's a ton of information available on this topic in the BUGTRAQ archives and the like. That doesn't mean it's not worth using, particularly since it's generally a link-time option and requires epsilon-effort from the developer, but it doesn't actually offer much protection.

        The second is to minimise how much memory is marked as readable/writeable/executable (a bit like not having everything chmod'ed to 777 on Linux).

        Critically, in Kaspersky's case, they weren't using non-executable stack (again per Ormandy's blog). Of course many stack-smashing exploits work even with non-executable stack, using ROP and similar techniques. But again this is usually easy to turn on (if it's available at all for the platform you're using) and generally worth doing, unless you have special requirements.
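        A practitioner's check for the two mitigations discussed in this exchange (ASLR opt-in via DYNAMICBASE, non-executable data and stack via NXCOMPAT), added here as an example and not code from the thread or from any vendor: it reads the DllCharacteristics field of a PE optional header. The header bytes it is tested against are constructed inline, not taken from a real product.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_FLAGS = {
    "high_entropy_va": 0x0020,  # 64-bit ASLR entropy
    "dynamic_base": 0x0040,     # ASLR: image may be relocated at load
    "nx_compat": 0x0100,        # DEP: data and stack pages non-executable
    "no_seh": 0x0400,
    "guard_cf": 0x4000,         # Control Flow Guard
}

def mitigation_flags(data: bytes) -> dict:
    """Return which PE-header mitigation bits are set in an image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20            # skip signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):    # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    (dllchars,) = struct.unpack_from("<H", data, opt + 70)
    flags = {name: bool(dllchars & bit) for name, bit in DLL_FLAGS.items()}
    flags["pe32plus"] = magic == 0x20B
    return flags

def build_sample_pe(dllchars: int, pe32plus: bool = True) -> bytes:
    """Construct a minimal header-only PE image for testing (not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, 240, 0x2)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def missing_mitigations(data: bytes) -> list:
    """Mitigations a hardened build would normally enable that this image lacks."""
    f = mitigation_flags(data)
    wanted = ["dynamic_base", "nx_compat"] + (["high_entropy_va"] if f["pe32plus"] else [])
    return [name for name in wanted if not f[name]]

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(mitigation_flags(fh.read()))
```

        A set DYNAMICBASE bit only records that the image opts in; whether ASLR is actually applied also depends on the image keeping its relocation data and on the system's process mitigation policy.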

  6. Anonymous Coward
    Anonymous Coward

    Anti-virus? That's a blast from the past!

    Glad I don't need to run that crap anymore. Why people find it acceptable they have to use it, when they really don't, is beyond me.

    1. Anonymous Coward
      Anonymous Coward

      Given up using a computer and/or internet then have we?

      1. Roo
        Windows

        "Given up using a computer and/or internet then have we?"

        Given that you are replying to a post on the internet, I suspect that's not the case. The OP could be using an OS that doesn't require an AV product to detect infection... These do exist and, amazingly, they did exist before the Internet too; you don't even have to believe me, you can read about them in thousands of papers published in the 60s, 70s, 80s, 90s, 00s and even the '10s. :)

        Even on Windows boxes AV still isn't a requirement - it's a "nice to have" for people who don't wish to invest their time in good security practice & backups - i.e. people who trade security for convenience.

        1. Anonymous Coward
          Anonymous Coward

          Well, obviously :-) And of course he might be using a machine that has no (to my knowledge) third-party offering (such as an iPad). But good security (if you want to go beyond an air gap and trust everyone with access to the machines) is not just a matter of good practice (sans AV) and backup. AV products do have their uses (and, as we have seen, their own vulnerabilities).

          Of course there are machines from the past that are difficult/impossible to corrupt, through design or simple limitations. I remember visiting a US DoD site in the 80s where I was amazed about the number of Macs (all running pre OSX) littering the place. Security was the reason given - obscurity and the multithreaded design.

          Using an older machine to do much that most people would describe as useful on the net today (including posting to the reg) requires something a little more up to date than EMA though.....

        2. Anonymous Coward
          Anonymous Coward

          for people who don't wish to invest their time in good security practice & backups

          I already do, hence no requirement of AV. AV is for the "download and run anything from anywhere" type of people. That is not me.

          My chosen OS vendor provides the binaries for nearly all the software I require, ensuring no viruses or "PUPs" or other bundled shit. The rest is from trusted repositories.

          I also back-up my configs and "home" directory (well, I don't personally - it's automatic). No need to back-up the OS.

          Anti-virus is a band-aid for people who don't follow good security/backup practices.

  7. the idiotuk

    You can add Sophos to the list too.

  8. Sean Nevin

    ESET NOD32 is also "likely to be vulnerable" according to the checking tool.

    What's worse is that I'm also using EMET with its maximum settings.

    1. This post has been deleted by its author

  9. VIllage_Idiot

    It looks like McAfee/Intel Security responded to this back in August with a patch:

    http://www.scmagazine.com/vulnerability-found-in-mcafee-kaspersky-and-avg-anti-virus-softwares/article/459241/
