funsec mailing list archives
Re: Fwd: [rforno () infowarrior org: [Infowarrior] - New attack bypasses virtually all AV protection]
From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Wed, 12 May 2010 16:25:48 +0300 (EEST)
It appears that F-Secure, Trend, Sophos and ESET have posted their 'is-the-game-over' type response:

F-Secure: http://www.f-secure.com/weblog/archives/00001949.html
Trend: http://countermeasures.trendmicro.eu/you-just-cant-trust-a-drunk/
Sophos: http://www.sophos.com/blogs/gc/g/2010/05/11/khobe-vulnerability-game-security-software/
ESET: http://www.eset.com/blog/2010/05/11/khobe-wan-these-arent-the-droids-youre-looking-for

Juha-Matti

Nick FitzGerald [nick () virus-l demon co uk] wrote:
Rich Kulawiec wrote:

I'm not qualified to evaluate this research on its technical merits, but I believe that some of you are.

It's a race attack against a classic TOCTTOU (pr. "tock-too"; time-of-check-to-time-of-use) vuln. The advisory's authors apparently don't know that terminology, but it's a class of security vulnerability that has been known for about as long as we've known about security vulnerabilities. IIRC (never actually laid eyes on the report myself) this is one of the categories in the (in)famous RISOS Project (Research In Secured Operating Systems) reports from the early 70s.

The typical "fix" to avoid such possibilities is use of a critical section (it's why they were invented, I think) or to make special atomic functions that are effectively chains of "smaller" functions. Neither is reasonable/possible here -- as I understand the advisory, the code that needs protection against this TOCTTOU can be arbitrarily pre-empted by the scheduler and it would (probably) take significant re-architecting of Windows to provide an atomic function for this special anti-malware purpose (and that would have to be made non-pre-emptible).

The advisory's authors suggest they have a solution, but they only make that information available to their paying clients.

Regards,

Nick FitzGerald
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
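Added illustration (editor's own code, not from the thread or from any vendor): a deterministic Python model of the check-then-use window Nick describes, with a caller-supplied preemption callback standing in for the scheduler. The `Request` type, the `BLOCKED` set and the file names are constructed; the hardened variant reads the shared argument exactly once and checks and uses that private copy, which is one way of getting the same effect a critical section or atomic check-and-use would give.

```python
"""Model of a TOCTTOU race in a check-then-use filter hook.

A filter (think: an inspection hook in front of a system call) validates a
request, then the real handler consumes it.  If the caller can change the
argument buffer between the check and the use, the handler acts on data the
filter never saw.  Everything here is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed policy: names the filter must refuse.
BLOCKED = {"evil.exe"}


@dataclass
class Request:
    # Mutable argument buffer shared with the (untrusted) caller.
    path: str


def is_allowed(path: str) -> bool:
    return path not in BLOCKED


def vulnerable_hook(req: Request, preempt: Callable[[], None]) -> Optional[str]:
    """Check the shared buffer, get preempted, then use the shared buffer again."""
    if not is_allowed(req.path):          # time of check: reads shared memory
        return None
    preempt()                             # scheduler lets the caller's other thread run
    return req.path                       # time of use: re-reads shared memory


def hardened_hook(req: Request, preempt: Callable[[], None]) -> Optional[str]:
    """Copy the argument once; check and use only the private copy."""
    snapshot = req.path                   # single read of the shared buffer
    if not is_allowed(snapshot):
        return None
    preempt()                             # preemption no longer matters
    return snapshot                       # uses exactly what was checked


def run_race(hook: Callable[[Request, Callable[[], None]], Optional[str]]) -> Optional[str]:
    """Constructed scenario: a benign name is present at check time and a
    blocked name is swapped in by the caller before the handler uses it."""
    req = Request("notepad.exe")

    def swap() -> None:
        req.path = "evil.exe"

    return hook(req, swap)


if __name__ == "__main__":
    print("vulnerable hook passed on:", run_race(vulnerable_hook))  # evil.exe
    print("hardened hook passed on:  ", run_race(hardened_hook))    # notepad.exe
```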