AVG, McAfee, Kaspersky Antiviruses All Had a Common Bug

An anonymous reader writes: Basic ASLR was not implemented in 3 major antivirus makers, allowing attackers to use the antivirus itself towards attacking Windows PCs. The bug, in layman terms, is: the antivirus would select the same memory address space every time it would run. If attackers found out the memory space's address, they could tell their malicious code to execute in the same space, at the same time, and have it execute with root privileges, which most antivirus have on Windows PCs. It's a basic requirement these days for software programmers to use ASLR (Address Space Layout Randomization) to prevent their code from executing in predictable locations. Affected products: AVG, McAfee, Kaspersky. All "quietly" issued fixes.

Not a major bug

[Anonymous Coward]

ASLR is what you fall back on when all your primary defenses are shot - the equivalent of not closing the blinds rather than leaving a window open.

Re:Not a major bug

[arth1]

Correct. Determinable address space is not a security problem in itself - it requires other security problems to be exploitable. And figuring out what the address space is in real-time is not that hard either; it just makes it harder. It's automated security through obscurity.

In some cases, it is preferable to make it sligtly easier for intruders who are already inside the system, in order to reap the benefits. Programs like "rebase" for Windows and "prelink" for Linux can preload a known address table into executables ahead of time, making them start faster and use less memory, because reallocation does not have to occur at load time.
Especially in an embedded world, that can make a boatload of difference.
Some look for silver bullets and want to impose ASLR (no, not the cameras) and https everywhere, whether needed or not, without considering the price of doing so. TANSTAAFL, and no silver bullets. They all come at a price, and sometimes the price is not right.

Fix the other security problems, and ASLR gives no added value, only drawbacks. But on a badly maintained system running software of dubious security value, sure, it can be a good addition. But make no mistake - it doesn't plug any holes, it just makes existing holes harder to exploit. At a cost.

Re:

[Bengie]

A good implementation of ASLR can add upwards of 40bits of entropy. An average, the application would need to suffer through 549,755,813,888 segfaults before finding the correct address. If you find a process spawning 1,000,000 copies of itself per second, you may want to kill it.

Re:

[arth1]

Except that brute force is not the typical attack vector - attacking other processes that already interface is.

Re:

[Bengie]

I assume that's why they also have stack gap entropy, which is also about 40bits. It's still going to be messy. At least for HardenedBSD, they'd randomized pretty much everything with between 30 and 40bits of entropy. If you make an attack that assumes any addresses at all, it will need to bruteforce the entropy.

Re:

[TheRaven64]

A good implementation of ASLR can add upwards of 40bits of entropy

Given that most existing 64-bit hardware provides a 48-bit virtual address space, which gives the upper bound. Most things that you care about are at least 4-byte aligned, so that eats two, giving you at most 46. The top half of the address space is usually reserved for the OS, giving 45 bits. If you are not randomising within a page (which you can't for memory-mapped code), then that eats another 10 bits, leaving 35 (for performance, you often lose a few more because you're trying to align things for su

Re:

[david_thornley]

A well-maintained system running high-quality software can be pwned also. It's just harder. Another defense measure that doesn't cost too much can be handy.

Re:

[arth1]

A well-maintained system running high-quality software can be pwned also. It's just harder. Another defense measure that doesn't cost too much can be handy.

True. And for most, SLA doesn't cost too much. But for some, it does, which means it, like HTTPS, or background AV scanning, should not be forced down people's throats.

Benefit, cost, detriments and risks all should be weighed, and nothing treated as a "must" or "must not", or considered a bug if not implemented. In some cases, the correct choice is to not implement something.

Re:

[david_thornley]

Certainly. I was pointing out that having an up-to-date well-maintained system isn't a perfect defense, so, depending on the circumstances, additional security measures are a good idea. I don't know much about ASLR implementation, but it doesn't look expensive to me.

Re:

[arth1]

Certainly. I was pointing out that having an up-to-date well-maintained system isn't a perfect defense, so, depending on the circumstances, additional security measures are a good idea. I don't know much about ASLR implementation, but it doesn't look expensive to me.

It is basically incompatible with "prelink", where all binaries on a system are updated with an ELF section containing all the relocation tables for libraries using predefined load addresses. This can save up to 40% startup time for some executables, as well as memory, as an external relocation table doesn't have to be built on startup. Especially on embedded systems which run and exit external programs on-demand, it can be expensive to have to abandon prelinking.

Also on build systems - if you call cc1 an

My what a headline

[chispito]

Let me guess: the bug was somebody set up them the bomb?

Re: My what a headline

[Anonymous Coward]

Affected users are advised to make their time and take off every ZIG.

Re: My what a headline

[jfdavis668]

For great justice

Re:My what a headline

[SeaFox]

I was going to guess there was this one weird trick to solve it that PC repair technicians don't want us to know!

Re:

[jfdavis668]

Nice. 'Course, there's an emacs command to do that.

Shouldn't this be done at the OS level?

[Anonymous Coward]

It seems like this kind of thing should be done by the operating system and not anything the programmer needs to include or even worry about.

Re:Shouldn't this be done at the OS level?

[sexconker]

Windows users can download EMET to do this.
It's from MS and it's free. It lets you force a bunch of shit (like ASLR), lets you set up certificate pinning for websites (trust only certain certs or block specific certs), etc.
https://technet.microsoft.com/... [microsoft.com]

Re:

[cfalcon]

Sigh. Mod parent up pls, this is helpful.

Re:

[Altus]

It could break crappy legacy software that businesses are running from the late 90s and setting up exceptions was considered too much work. This is Microsoft after all. Letting legacy software hold them back is pretty much what they do.

Re:

[KGIII]

Probably because, if they did, you'd complain that it is bloatware and not configurable enough? Just a guess.

Re:

[bloodhawk]

because such settings do and WILL break a lot of stuff. EMET is something that needs to be carefully configured on a case by case basis, it is a great thing to configure and run if you have the skills to do so. Many of the items in it are being integrated into various parts of the OS and applications where they can be easily automatically configured.

Re:

[Aaden42]

Code needs to be written to be ASLR-compatible. For "normal" code, that means just write the code, flip the compiler flag, and don't do anything stupid with function pointers. For code that's trying to be overly tricky (maybe trying to do simulated execution of viral code in a sandbox to determine actual behavior from encrypted polymorphic code), it's not inconceivable that the code might depend on certain libraries and functions being at well-known addresses or within fixed offsets of each other. The mo

Re:

[angel'o'sphere]

It's a naive way of writing code, but there's lots of it out there. Force ASLR on, and it crashes pretty spectacularly.

That is nonsense. ASLR is a function of the loader/linker of dynamic linked libraries. It has nothing to do with compiling the code for it.

The same executable, if loadable at all, will be in fixed lay out on an OS with ASLR disabled and on a random layout if it is enabled, and the executable does not notice any difference.

Next thing to be exploited

[ThatsNotPudding]

...a basic requirement these days for software programmers to use ASLR (Address Space Layout Randomization)...

Want to place your bets that most / all ASLR systems are predictably NOT random in their randomization?

Re:Next thing to be exploited

[Zero__Kelvin]

Which is besides the point. They are basically saying: All that is required to exploit this "weakness" is to already have compromised the system to the degree that you can write to another processes code space! It is another nothing to see here, move along" article, where the person writing it doesn't understand how computers work.

Re:

[angel'o'sphere]

All that is required to exploit this "weakness" is to already have compromised the system to the degree that you can write to another processes code space!
Was wondering the same ... the summary makes no sense at all.

Re:

[cbhacking]

Not *another* process. AV software consumes a ton of untrusted input - that's literally its entire purpose - and sometimes it has security flaws itself. If there's a security bug in AV filters (which isn't actually that uncommon) and ASLR is on, the malicious input can crash your AV software (which may, or may not, bring down your system and require a reboot). If ASLR is off, even for a single binary in the process' address space, though, the malicious input can completely take over your machine.

Re:

[Zero__Kelvin]

How is that any different. Again, this isn't a vulnerability. It doesn't let you in. A vulnerability lets you in, it doesn't let you do things after you get in. That's called a computer program. You need a vulnerability to make use of this. I also need a vulnerability to make use of a shell; that doesn't mean shells are vulnerabilities.

Re:

[Bert64]

ASLR doesn't prevent exploitation, it just makes it more difficult.

Re:

[Bengie]

Security in layer. Passwords and private keys don't prevent exploitation, they just make it harder. You can always break a password or key, they're just more difficult.

Re:

[Zero__Kelvin]

That's correct. Now answer this question. Are passwords vulnerabilities? I mean, if I know the password and can enter it at the correct prompt I can access the system, You know what a bigger vulnerability is? Can you believe the passwords aren't randomized! If someone knows the password, and has the authority to enter it, they can access the system! Can you believe this vulnerability!

Re:

[Zero__Kelvin]

Yeah. You still aren't getting it. It isn't a frigging vulnerability. It makes it more likely that one could find and exploit a vulnerability, but it isn't one in and of itself." That's the frigging point.

Re:

[Aaden42]

Given the (very low) complexity that's possible in bootstrap level shell code before you've found usable libraries, it doesn't take a tremendous amount of randomness to make it intractable to exploit something in an ASLR environment. You might have a handful of usable executable bytes to use. You can't call ANY library code until you find it in memory. Shell code needs to be super simple until it manages to find enough library code to do usable things and possibly load a second stage for itself from some

Re:

[Ed Tice]

It doesn't matter if it's predictable or not as long as it varies from run to run. The most common exploit that ASLR prevents is a stack-smashing buffer-overrun. You send in some data that you manage to get written to the stack. But you can't know a priori what the values will be when sending your data unless you already have some other knowledge of the system. So it's unlikely that you can exploit the buffer overflow. Without ASLR it's easy to know the addresses of system functions and to craft some d

Re:

[DarkOx]

Not always the case. There are for example lots of server applications the create a thread to handle each client. Its not uncommon to be able to overwrite memory on the thread without stepping on the parent process. In many cases the parent process will handle a thread terminating unexpectedly just fine.

If its a thread pool situation you might have issues consuming the pool where a borked thread is not returned to the pool of workers resulting in a DOS but in other situations you really might be able to

Layman's terms?

[JoeyRox]

Looks like engineer terms to me, which is fine since most of us here are engineers.

Question for the programmers

[thegarbz]

ASLR is that something that needs to be coded into programs individually? Is it something that is made available as part of a certain framework (Java, C#)?

I actually thought it was a function of the OS managing running programs. Or do you need to specifically go out of your way to disable it and is this what happened here?

Re:

[slapout]

I was under the impression that it was just a compiler flag you had to add. But I've never used it and could be wrong.

Re:

[cbhacking]

Linker flag, technically, but yes. The compiler produces machine modules which are always at known addresses relative to other parts of the module (but not relative to the address space as a whole), or relative jumps and branches wouldn't work and that would break everything. The linker controls how each module finds the base addresses of other modules. When the OS loads the binary produced by the linker, it can place the modules into memory at addresses controlled by a random mask, and the modules query th

Re:

[Zero__Kelvin]

I was going to explain it to you, then I realized ... [wikipedia.org]

Re:

[thegarbz]

That partially helps, but effectively it says you only need to link to a correct library for it to just work? So back to my question is this something they have gone out of their way to disable or was there a good reason for it?

Re:

[bloodhawk]

more likely they were just lazy or reliant on legacy code that didn't have the compiler flag set or that had some position dependent code. Lazy and not bothering to test it is the most likely scenario.

Re:

[angel'o'sphere]

It is a matter of the OS, loading and linking DLLs or *.so's -- dynamic linked libraries -- at random places in memory. In principle you can still load them at increasing addresses as long as the order is random.

Re:

[arth1]

Compiling position-independent code (-fpic) should be the standard these days, except for specific purposes like bootloaders or hardware controllers.

Once that is done, there really is no need to randomize the load location if the system is otherwise secure. You can, if you see a reason to, but it only buys you some obscurity on an already compromised system, and it comes at a cost. But it's become bandwagon these days, to the point that it's called a "bug" if you don't do it.

Lack of ASLR is not a bug

[mrjb]

Lack of ASLR is not a bug. It's a lacking feature. Arguably, it's the compiler's responsibility to make it happen. Having said that, I find it real hard to get virus infections nowadays. There might be something to this "common sense" thing about not running any software from untrusted sources. That, and user/kernel space separation.

Re:

[cfalcon]

It's harder, but there's pretty constant zero days through browsers still. They usually put themselves on the porno sites so you can say "oh well you shouldn't go to the porno sites", which totally misses the point.

Re:

[arth1]

Religious porn web sites, on the other hand, seem reasonably safe.

Re:

[cfalcon]

I'm still not sure how they get that. It's certainly true that decentralized low security church websites can be owned and stay owned, but... how many people visit them? When a major adult ad network gets compromised, it serves the bad add a zillion billion times before someone catches it- even if they catch it later that same day.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[dejitaru]

Best description of modern AV I've seen...

Re:the biggest problem was the vendor.

[CrashNBrn]

most traffic will grind to a glorious halt while its inspected, detected, and

Don't you mean, "Injected, Inspected, Detected, Infected, Neglected and Selected."
--- Arlo Guthrie.

Re:

[truck_soccer]

I have noticed that several new laptops with expired norton trials would effectively permanently enable airplane mode until a full/clean uninstall.

Re:

[operagost]

All network access has been disabled for your protection until your antivirus is updated... $99 please.

Re:

[Anonymous Coward]

The best security product around for several years now is found at adblockplus.org.

Re:

[Anonymous Coward]

You're lucky that your comment is far enough down the thread that APK didn't notice it. In fact, we're all lucky that APK didn't notice it.

And for the record, I think APK and Coren22 are two personalities of the same schizophrenic person.

Re:

[Kazoo the Clown]

You forgot to mention that fearmongering about threats sells more products. An unscrupulous AV maker could even release malware/worms/viruses into the wild simply to drive more people to buy AV products. How do we know they're not? Conflict of interest, anyone?

That was brought up at Kiwicon a year ago

[SumDog]

This issue was bought up at Kiwicon a year ago. Some pen-tester showed that a majority of anti-virus software doesn't use ASLR. Furthermore, he shows buffer-overflows and other memory errors in most of their scanners! You could infect most systems with the right malformed PDF or JPEG. It just needed to be scanned. The scanners themselves often run as the system user!

Virus scanners are pretty much worse than useless. They're an attack vector.

Re:

[Tharkkun]

This issue was bought up at Kiwicon a year ago. Some pen-tester showed that a majority of anti-virus software doesn't use ASLR. Furthermore, he shows buffer-overflows and other memory errors in most of their scanners! You could infect most systems with the right malformed PDF or JPEG. It just needed to be scanned. The scanners themselves often run as the system user!

Virus scanners are pretty much worse than useless. They're an attack vector.

Apparently that's been solved now which was the whole point of the article.

What do you want to be this was a requirement?

[Grog6]

The same glaring errors seem to indicate incompetence; a Government TLA is a likely source for such things.

Who writes good code at gunpoint? My shit would crash 98% of the time on purpose, lol.

I'm not going to last long under the New Gestapo; probably none of us are.

Use of ASLR and DEP in AV software still lacking..

[Aryeh Goretsky]

Hello,

Last month, anti-malware testing company AV-Test issued a report titled "Self-Protection for Antivirus Software [av-test.org]" in which they looked at the use of ASLR and DEP in 32 different anti-malware programs. Of all these programs, only one had 100% of its files compiled with those protections.

Of course, anti-malware programs usually have their own anti-tamper mechanisms to ensure code and data integrity, but it seems like there's still some ways to go, and even it is still a good idea to make use of addition

Basic ASLR was not implemented ..

[nickweller]

This wouldn't be a problem if the MMU [ucsd.edu] did its job properly ..

Windows 7 already has it

[Billly Gates]

So basically stop using WIndows XP and you won't be impacted

Re:

[hort_wort]

Do people really still run this shit?

Malwarebytes has caught a number of things for me, including blocking things like OpenCandy from installing alongside certain programs I like. I've seen far less gain from installing different AV programs to work with it. Mostly they just slow down or break certain programs. Meh.

Re:

[Anonymous Coward]

How ironic. If you look on Softpedia's Security news section you see that Malwarebytes also had a security bug fixed, just one day earlier: http://news.softpedia.com/news... [softpedia.com]

Re:

[Tharkkun]

Do people really still run this shit?

Malwarebytes has caught a number of things for me, including blocking things like OpenCandy from installing alongside certain programs I like. I've seen far less gain from installing different AV programs to work with it. Mostly they just slow down or break certain programs. Meh.

There will always be cases where another company will discover malware before the one you're currently using. 1 company has to always find it first and the others put out definitions to catch it after that.

Re:Anti-virus

[Rob MacDonald]

ACtually yes corporations actually care about antivirus, Kaspersky is one of the heavy hitters in this regard, and now I have to go verify our half assed implementation is patched. And you can fix stupid with software by locking down and limiting the amount of stupid things mr stupid can do. The fantasy of "no viruses if you have no script and don't visit porn sites" is that, a fantasy that evaporated a long time ago. Those of us tasked with securing windows servers and clients (I'd laugh if it didn't make me die inside) have to deal with real stupid, not theoretical internet stupid.

Re:

[Anonymous Coward]

Kaspersky is known to take marching orders from the FSB. I really wouldn't trust that software any more than I would the trust the "virus" it's meant to prevent.

Re:

[KGIII]

Unless there's something I am unaware of, you have a strange definition of "known." I believe unreliable sources have made some dubious claims but I don't recall anyone providing proof. A quick Google shows a debunked Bloomberg article and a few people who continue to cite it. I'd be curious to read any proof of such. Speculation isn't really proof.

Re:

[KGIII]

So the answer is, I take it, that you have no proof and that you'll believe this without any proof at all. I think they call that "faith" in some spheres. So, it's good that you have faith.

Re:

[Bert64]

As opposed to Microsoft who are known to take marching orders from the NSA?
Unless you actually live in Russia or one of the former soviet countries it's highly unlikely that the FSB cares what you do, so if someone's going to have the keys to spy on you better that it's someone who won't bother to do so.

Re:

[david_thornley]

Depends. Are you a reasonable target for industrial espionage? You might want to consider not using Kaspersky. In my family, some but not all of the Windows boxes are on Kaspersky, so I figure if malware hits more than one computer it's likely to be detected even if one anti-virus doesn't catch it. (Except for the nice new ones, which I presume are tested against all major AV programs.)

Re:

[KGIII]

Certainly true but it is possible to operate a computer safely without a resident, always scanning, AV application *with* Windows. I've done so and used infrequent scanning with MBAM (or others) and had nary a problem and that's not limiting myself to just certain sections of the web. It is being cautious, using least privileges, installing only from trusted sources, and observing network ingress and egress prodigiously - which can be automated, to some extent.

This of course is of no benefit to Mr. Stupid,

Re:

[jrumney]

And you can fix stupid with software by locking down and limiting the amount of stupid things mr stupid can do.

If you define work as stupid, then you've probably succeeded with that IT policy.

Re:

[Anonymous Coward]

There are people who, when the AV software warns them about a known risk, they click "ignore" or "allow" because installing "youtube downloader" to they can steal music from youtube is more important than a secure operating system. Then after getting pwned, they call someone like me to ask why their anti virus software doesn't work. I have to be a proper CSR and tell them that while their AV software might have stopped 10,000 infections, the one that got in was most likely an unknown or new virus and the de

Re:

[Aaden42]

Honestly I'd think the truth would be better at keeping customers.

"You got pwn3d because you clicked the 'pwn me anyways' button when our software tried to save your butt."

versus

"The one time you actually got something legit, our software was too stupid to catch it because oh BTW, signature based malware does bugger all for zero-days or targeted attacks."

Software that's capable of saving me if only I hadn't disabled it is a bit more desirable than software that couldn't have saved me no matter what. The fi

Re:

[fredgiblet]

Yes, but you appear to not be an idiot. Most end-users are idiots.

Re:

[higuita]

Do people still uses windows?! WTF!! :D

Re:

[sexconker]

It should be.

I've never gotten a satisfying explanation of why process X is allowed to overwrite memory belonging to process Y, thus causing Y to do BADSHIT when it jumps to that location.

I've also never gotten a decent explanation as to why stack overflow is still a problem or why process X can heap spray the fuck out of memory and have that shit affect process Y.

The OS should be managing memory. Address locations should be randomized. Memory should be zeroed out upon allocation (or deallocation, or both

Re:

[arth1]

Address locations should be randomized.

Why? If other processes cannot access the address space, what difference does that make? And if other processes can access the address space, you have a bigger problem that you need to fix first.
It's security through obscurity, and it hurts performance for minimal benefits. Anyone in a position to exploit it, is already in so deep that the system must be considered compromised.

Re:

[barbariccow]

Complete fail of virtual memory. 0x800000 should be something different in process A and B, and an OOM when two processes would otherwise have to intersect their memory locations. Virtual memory can map to anywhere, so why is this even an issue?

Re:

[Anne Thwacks]

And we have known this since 1970!

Re:

[sexconker]

Address randomization would still help against physical dumps or exploits at the OS level that would allow processes to peek at memory they shouldn't be able to.
Performance is very minimally impacted.

Re:

[arth1]

Performance is very minimally impacted.

That depends on the applications and systems they run on. In a Windows like setting with monolithic long-lived apps this is true, but in a traditional Unix setting with a myriad of small short-lived apps that call various libraries, the impact of not being able to use pre-built allocation tables can be quite severe, both in terms of startup time and memory usage.
We're talking up to 40% slowdown for some embedded and web applications with lots of callouts to externals, plus the increased memory usage. That

Re:

[Bengie]

If your solution to multi-threading is spinning up more processes, or even threads, you're doing it wrong. The ideal case for a high throughput system is about 2-4 threads per core. Assuming a quad core cpu, about 16 threads. If you have a web server that is using more than 16 threads to serve hundreds of thousands of requests per second, you get your geek card revoked.

Re:

[arth1]

I'm not sure how you got to that from what I wrote. I was talking about systems that spawn short-lived processes as opposed to constantly running them. Processes that might be called daily, not "hundreds of thousands of requests per second".

A high number of processes (or threads) doesn't come into it. A common concept in embedded systems is to avoid resources hanging around, because their usage seldom overlap - you spawn, run, free. Best case, free up the entire job. Worst case, dlclose or let it page

Re:

[sjames]

Not necessarily. Memory randomization is mostly a protection against stack smashing. A common tactic there is send a message over the net that overruns a buffer with random junk, some code, and a fake return address that overwrites the real one on the stack. It's not that hard *IF* the location of the stack is easy to predict. When the receive function returns, it ends up returning to the attacker's code. If that code can depend on the location of various things in the address space, it can then call those

Re:Isn't this the responsibility of the OS?

[mikael]

You do get security enhanced Linux (SELinux). That added things like make files impossible to change (system owned executable files) even for root. But in order install something like the Nvdia device driver blob, you had to disable it, execute the .run file, and then reenable SELinux.

There are also "trusted" UNIX systems which log every file change, modification and permission code.

The idea of shared memory is that the shared memory segment appears as a linear block of memory to the original process that created. Then other processes can request read or read/write access to that memory. The intention is for use with device drivers which need to map a hardware address to the driver address space so it can read/write registers and buffers. Your network driver stores all the received and sent packets in a number of ring buffers. A graphics driver accesses the framebuffer and texture data in a similar way.

Your alternatives are to use TCP/IP sockets or OS managed pipes. Just send down the offset, number of bytes and a pointer to the data that you want to change.

Re:

[Anonymous Coward]

I've never gotten a satisfying explanation of why process X is allowed to overwrite memory belonging to process Y

fork(), exec(), System V shared memory, semaphores. Some scientific applications run much faster on large CC-NUMA machines than they do on clusters of distributed computers, and the processes need to coordinate and/or access memory from "adjacent" processes, typically at the boundaries. Think weather simulations where each process is allocated a grid square and what happens at the square bounda

Re:

[sexconker]

Performance is an issue, sure. It's an extremely minor one with the CPUs we have today, but for most cases I'd say the security benefits are worth the overhead.

Any existing software (that can't/won't be updated to go through the OS for shared memory) could:
A - be white listed by the user
B - be automatically handled by the OS if the OS knows the various threads/processes are part of an overall application or workflow and should have access to each other's shit
C - be allowed to do whatever as long as it does

I guess ignorance isn't bliss after all?

[cbhacking]

I get the feeling that you really don't understand how memory exploits work. You seem to be under a very large number of misconceptions, and to have come to all sorts of wrong conclusions based on them. I hope you haven't misled too many other people with your incorrect views on some of the very basics of how operating systems work. Hopefully the following constitutes a "satisfactory explanation" for you:

process X is allowed to overwrite memory belonging to process Y, thus causing Y to do BADSHIT when it jumps to that location

No, it's not. That hasn't been possible on any mainstream OS for many years (DOS/16-bit Windows, maybe old versions of Mac OS?). I mean, you can do it using debug APIs (on Windows, see things like WriteProcessMemory), but if your code has privileges to debug a high-privilege process it could also just do "BADSHIT" directly. A low-privileged process (which you already have code execution in, if you're talking about calling WriteProcessMemory) can't debug a high-privileged one.

why stack overflow is still a problem

What do you think the silver bullet is for stack overflows, then? Using counted functions is vulnerable to off-by-one errors (or other things that specify the wrong count), integer overflows when creating the buffer (malloc(itemcount * sizeof(Item)) will, for sufficiently large itemcount, produce a tiny buffer that will immediately overflow when written to), and many other risks. The closest thing we have is languages that manage their own buffer lengths and such, like Java, Python, JavaScript, and the (other) .NET languages... and those still have implementation errors that lead to memory corruption sometimes (I'm sure you've noticed that JavaScript engines, in particular, are not fully safe even though JS as a language is supposed to be safe). Managed languages are also still significantly slower than optimized C/C++ code, though the difference isn't nearly as bad as it used to be.

Or do you mean mitigating the overflows with DEP and ASLR? First of all, that's not a guaranteed fix; if the attacker can leak an address from the program to use as an offset baseline, or otherwise determine the ASLR mask, then that protection can be bypassed. Second, that assumes that there aren't any executables which insist on being loaded at known addresses... and as this story shows, we still have a ways to go to achieve that.

why process X can heap spray the fuck out of memory and have that shit affect process Y

It can't, unless process Y is consuming output from process X and writing it into its own memory (for example, an antivirus filter scanning a file that a web browser downloaded and wrote to disk). See first point.

OS should be managing memory

It is, as far as assigning memory to processes goes. Within a process' own address space, "managing memory" is literally 100% of what a computer program does (reading values, changing values, setting values, copying values, testing values, etc.). Well-behaved programs don't care what addresses the OS hands it, but not all programs as well-behaved in this way.

Address locations should be randomized

They are, for modern software... unless that software says it's incompatible with this behavior. Since a lot of old software *is* incompatible with this behavior - see above point - the OS defaults to trusting the software. In the case of the AV vendors mentioned in TFA, that's apparently a mistake, but it's not the fault of the OS for trusting the software you told it to install, it's the developer's fault for not making their software as safe as possible, and your fault for installing software that you can't trust to be safe.

Memory should be zeroed out upon allocation (or deallocation, or both)

Not *really* relevant here, but I'll add

Re:

[sjames]

Not *really* relevant here, but I'll address it anyhow. There's a performance cost to doing this. Normally it doesn't matter, because allocated memory immediately gets overwritten and deallocated memory can't be accessed at all anymore. Why waste the time clearing memory before handing it to the process (which will overwrite whatever you wrote there anyhow)? Some languages do this, but it's one of the reasons those languages are slower than C/C++ (though admittedly usually not a *major* reason).

Zeroing newly allocated memory is actually one of the few valid points. In a modern CPU, the cost to zero a page is quite small and makes sure no information leaks from one process to another. That must be handled by the OS since you can't use the honor system for other people's code. For example, an unprivileged (but authorized) user could write a program that does nothing but mmap and munmap anonymous pages. If the mmap-ed pages are not zeroed prior tyo mapping them in, the unprivileged program can scan i

Re:

[david_thornley]

That's why Heartbleed was bad: the allocated memory wasn't zeroed before use. Using calloc() (which zeroes allocated memory) rather than malloc() which doesn't) would have made it much more difficult or impossible to exploit the basic flaw.

Re:

[cbhacking]

Incorrect.

Heartbleed wasn't exposing memory from other processes, it was exposing memory from the address space of the vulnerable process. The data leaked in Heartbleed attacks was all data that the program had put into memory itself. For example, if you create a HTTP request to a login page, and populate it with credentials, and then try to send it over an HTTPS connection using OpenSSL for the TLS, that request (with its plain-text credentials) could be leaked out of memory by Heartbleed. Similarly, OpenS

Re:

[david_thornley]

IIRC, Heartbleed was a matter of saying "If you're a server, send me back the word 'cat', 1000 characters", after which the server would malloc 1000 bytes, put "cat" and possibly a terminating null character in the first three or four, and send it back. The other 996 or 997 bytes would be whatever was left in that memory. Rinse and repeat until you've got all the stuff you need. I don't remember there being anything like normal buffer overread. Therefore, zeroing out the kilochar would have zeroed out

Re:

[cbhacking]

My bad, you are correct. The OS does actually clear memory when it is newly allocated to a program (or possibly when it is released; I'm not sure). That would, otherwise, be a huge security risk.

There's no need to clear memory each time memory is re-allocated *within* a program, though, except as a debugging technique (detecting the use of uninitialized memory), for which a distinctive pattern is usually used instead of simply zeroing the data. Memory managers usually handle many allocations smaller than fu

Re:

[sjames]

Agreed, uncleared memory from the heap can only tell the program what it already knew.

Re:

[sjames]

I think you have a few misconceptions there. No modern OS allows process X to overwrite process Y's memory unless it has a serious bug or it's a special purpose embedded OS (generally running on a tiny machine). Each process has it's own address space It may ask that the OS map free memory into it or it can ask for files (such as libraries) to be mapped into it. It can choose the address itself or it can leave the OS free to pick a location.

The porocess can either leave itself unprotected from stack opverfl

Re:

[cbhacking]

Unless your code assumes that a given function is always loaded at address 0x004006AE, or something stupid like that. Which older software sometimes does, so Microsoft had to make ASLR opt-in by default. Except some *new* software is still not opting in, despite it being the default on Microsoft's linker for the last 5 versions or so.

You can use Microsoft's free tool EMET to force a program to use ASLR, and some Windows programs are now always forced to act this way by default. ASLR applies to DLLs and othe

Re:

[Anonymous Coward]

You could always go buy a gun and some bullets, load the gun, and fire it directly into the side of your skull, since that is likely to be the only thing you'd be any good at. - Your mom.

Re:

[Kazoo the Clown]

For the most part, by the time an AV vendor is able to add a check for a new vulnerability, it's too late, the damage has already been done. So then you end up carrying around thousands of checks for old viruses from then on, and you wonder why performance slowly grinds to a halt. Do everything risky in an expendable VM.