Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Bug Software

AVG, McAfee, Kaspersky Antiviruses All Had a Common Bug (softpedia.com) 132

An anonymous reader writes: Basic ASLR was not implemented in 3 major antivirus makers, allowing attackers to use the antivirus itself towards attacking Windows PCs. The bug, in layman terms, is: the antivirus would select the same memory address space every time it would run. If attackers found out the memory space's address, they could tell their malicious code to execute in the same space, at the same time, and have it execute with root privileges, which most antivirus have on Windows PCs. It's a basic requirement these days for software programmers to use ASLR (Address Space Layout Randomization) to prevent their code from executing in predictable locations. Affected products: AVG, McAfee, Kaspersky. All "quietly" issued fixes.
This discussion has been archived. No new comments can be posted.

AVG, McAfee, Kaspersky Antiviruses All Had a Common Bug

Comments Filter:
  • Not a major bug (Score:3, Interesting)

    by Anonymous Coward on Thursday December 10, 2015 @02:00PM (#51096127)

    ASLR is what you fall back on when all your primary defenses are shot - the equivalent of not closing the blinds rather than leaving a window open.

    • Re:Not a major bug (Score:5, Informative)

      by arth1 ( 260657 ) on Thursday December 10, 2015 @02:42PM (#51096403) Homepage Journal

      Correct. Determinable address space is not a security problem in itself - it requires other security problems to be exploitable. And figuring out what the address space is in real-time is not that hard either; it just makes it harder. It's automated security through obscurity.

      In some cases, it is preferable to make it sligtly easier for intruders who are already inside the system, in order to reap the benefits. Programs like "rebase" for Windows and "prelink" for Linux can preload a known address table into executables ahead of time, making them start faster and use less memory, because reallocation does not have to occur at load time.
      Especially in an embedded world, that can make a boatload of difference.
      Some look for silver bullets and want to impose ASLR (no, not the cameras) and https everywhere, whether needed or not, without considering the price of doing so. TANSTAAFL, and no silver bullets. They all come at a price, and sometimes the price is not right.

      Fix the other security problems, and ASLR gives no added value, only drawbacks. But on a badly maintained system running software of dubious security value, sure, it can be a good addition. But make no mistake - it doesn't plug any holes, it just makes existing holes harder to exploit. At a cost.

      • by Bengie ( 1121981 )
        A good implementation of ASLR can add upwards of 40bits of entropy. An average, the application would need to suffer through 549,755,813,888 segfaults before finding the correct address. If you find a process spawning 1,000,000 copies of itself per second, you may want to kill it.
        • by arth1 ( 260657 )

          Except that brute force is not the typical attack vector - attacking other processes that already interface is.

          • by Bengie ( 1121981 )
            I assume that's why they also have stack gap entropy, which is also about 40bits. It's still going to be messy. At least for HardenedBSD, they'd randomized pretty much everything with between 30 and 40bits of entropy. If you make an attack that assumes any addresses at all, it will need to bruteforce the entropy.
        • A good implementation of ASLR can add upwards of 40bits of entropy

          Given that most existing 64-bit hardware provides a 48-bit virtual address space, which gives the upper bound. Most things that you care about are at least 4-byte aligned, so that eats two, giving you at most 46. The top half of the address space is usually reserved for the OS, giving 45 bits. If you are not randomising within a page (which you can't for memory-mapped code), then that eats another 10 bits, leaving 35 (for performance, you often lose a few more because you're trying to align things for su

      • A well-maintained system running high-quality software can be pwned also. It's just harder. Another defense measure that doesn't cost too much can be handy.

        • by arth1 ( 260657 )

          A well-maintained system running high-quality software can be pwned also. It's just harder. Another defense measure that doesn't cost too much can be handy.

          True. And for most, SLA doesn't cost too much. But for some, it does, which means it, like HTTPS, or background AV scanning, should not be forced down people's throats.

          Benefit, cost, detriments and risks all should be weighed, and nothing treated as a "must" or "must not", or considered a bug if not implemented. In some cases, the correct choice is to not implement something.

          • Certainly. I was pointing out that having an up-to-date well-maintained system isn't a perfect defense, so, depending on the circumstances, additional security measures are a good idea. I don't know much about ASLR implementation, but it doesn't look expensive to me.

            • by arth1 ( 260657 )

              Certainly. I was pointing out that having an up-to-date well-maintained system isn't a perfect defense, so, depending on the circumstances, additional security measures are a good idea. I don't know much about ASLR implementation, but it doesn't look expensive to me.

              It is basically incompatible with "prelink", where all binaries on a system are updated with an ELF section containing all the relocation tables for libraries using predefined load addresses. This can save up to 40% startup time for some executables, as well as memory, as an external relocation table doesn't have to be built on startup. Especially on embedded systems which run and exit external programs on-demand, it can be expensive to have to abandon prelinking.

              Also on build systems - if you call cc1 an

  • by chispito ( 1870390 ) on Thursday December 10, 2015 @02:01PM (#51096149)
    Let me guess: the bug was somebody set up them the bomb?
  • by Anonymous Coward
    It seems like this kind of thing should be done by the operating system and not anything the programmer needs to include or even worry about.
    • by sexconker ( 1179573 ) on Thursday December 10, 2015 @02:18PM (#51096243)

      Windows users can download EMET to do this.
      It's from MS and it's free. It lets you force a bunch of shit (like ASLR), lets you set up certificate pinning for websites (trust only certain certs or block specific certs), etc.
      https://technet.microsoft.com/... [microsoft.com]

      • by cfalcon ( 779563 )

        Sigh. Mod parent up pls, this is helpful.

    • by Aaden42 ( 198257 )

      Code needs to be written to be ASLR-compatible. For "normal" code, that means just write the code, flip the compiler flag, and don't do anything stupid with function pointers. For code that's trying to be overly tricky (maybe trying to do simulated execution of viral code in a sandbox to determine actual behavior from encrypted polymorphic code), it's not inconceivable that the code might depend on certain libraries and functions being at well-known addresses or within fixed offsets of each other. The mo

      • It's a naive way of writing code, but there's lots of it out there. Force ASLR on, and it crashes pretty spectacularly.

        That is nonsense. ASLR is a function of the loader/linker of dynamic linked libraries. It has nothing to do with compiling the code for it.

        The same executable, if loadable at all, will be in fixed lay out on an OS with ASLR disabled and on a random layout if it is enabled, and the executable does not notice any difference.

  • by ThatsNotPudding ( 1045640 ) on Thursday December 10, 2015 @02:07PM (#51096191)

    ...a basic requirement these days for software programmers to use ASLR (Address Space Layout Randomization)...

    Want to place your bets that most / all ASLR systems are predictably NOT random in their randomization?

    • by Zero__Kelvin ( 151819 ) on Thursday December 10, 2015 @02:32PM (#51096325) Homepage
      Which is besides the point. They are basically saying: All that is required to exploit this "weakness" is to already have compromised the system to the degree that you can write to another processes code space! It is another nothing to see here, move along" article, where the person writing it doesn't understand how computers work.
      • All that is required to exploit this "weakness" is to already have compromised the system to the degree that you can write to another processes code space!
        Was wondering the same ... the summary makes no sense at all.

      • Not *another* process. AV software consumes a ton of untrusted input - that's literally its entire purpose - and sometimes it has security flaws itself. If there's a security bug in AV filters (which isn't actually that uncommon) and ASLR is on, the malicious input can crash your AV software (which may, or may not, bring down your system and require a reboot). If ASLR is off, even for a single binary in the process' address space, though, the malicious input can completely take over your machine.

        • How is that any different. Again, this isn't a vulnerability. It doesn't let you in. A vulnerability lets you in, it doesn't let you do things after you get in. That's called a computer program. You need a vulnerability to make use of this. I also need a vulnerability to make use of a shell; that doesn't mean shells are vulnerabilities.
        • by Bert64 ( 520050 )

          ASLR doesn't prevent exploitation, it just makes it more difficult.

          • by Bengie ( 1121981 )
            Security in layer. Passwords and private keys don't prevent exploitation, they just make it harder. You can always break a password or key, they're just more difficult.
            • That's correct. Now answer this question. Are passwords vulnerabilities? I mean, if I know the password and can enter it at the correct prompt I can access the system, You know what a bigger vulnerability is? Can you believe the passwords aren't randomized! If someone knows the password, and has the authority to enter it, they can access the system! Can you believe this vulnerability!
    • by Aaden42 ( 198257 )

      Given the (very low) complexity that's possible in bootstrap level shell code before you've found usable libraries, it doesn't take a tremendous amount of randomness to make it intractable to exploit something in an ASLR environment. You might have a handful of usable executable bytes to use. You can't call ANY library code until you find it in memory. Shell code needs to be super simple until it manages to find enough library code to do usable things and possibly load a second stage for itself from some

    • It doesn't matter if it's predictable or not as long as it varies from run to run. The most common exploit that ASLR prevents is a stack-smashing buffer-overrun. You send in some data that you manage to get written to the stack. But you can't know a priori what the values will be when sending your data unless you already have some other knowledge of the system. So it's unlikely that you can exploit the buffer overflow. Without ASLR it's easy to know the addresses of system functions and to craft some d
      • by DarkOx ( 621550 )

        Not always the case. There are for example lots of server applications the create a thread to handle each client. Its not uncommon to be able to overwrite memory on the thread without stepping on the parent process. In many cases the parent process will handle a thread terminating unexpectedly just fine.

        If its a thread pool situation you might have issues consuming the pool where a borked thread is not returned to the pool of workers resulting in a DOS but in other situations you really might be able to

  • Looks like engineer terms to me, which is fine since most of us here are engineers.
  • ASLR is that something that needs to be coded into programs individually? Is it something that is made available as part of a certain framework (Java, C#)?

    I actually thought it was a function of the OS managing running programs. Or do you need to specifically go out of your way to disable it and is this what happened here?

    • by slapout ( 93640 )

      I was under the impression that it was just a compiler flag you had to add. But I've never used it and could be wrong.

      • Linker flag, technically, but yes. The compiler produces machine modules which are always at known addresses relative to other parts of the module (but not relative to the address space as a whole), or relative jumps and branches wouldn't work and that would break everything. The linker controls how each module finds the base addresses of other modules. When the OS loads the binary produced by the linker, it can place the modules into memory at addresses controlled by a random mask, and the modules query th

    • I was going to explain it to you, then I realized ... [wikipedia.org]
      • That partially helps, but effectively it says you only need to link to a correct library for it to just work? So back to my question is this something they have gone out of their way to disable or was there a good reason for it?

        • more likely they were just lazy or reliant on legacy code that didn't have the compiler flag set or that had some position dependent code. Lazy and not bothering to test it is the most likely scenario.
    • It is a matter of the OS, loading and linking DLLs or *.so's -- dynamic linked libraries -- at random places in memory. In principle you can still load them at increasing addresses as long as the order is random.

  • by mrjb ( 547783 ) on Thursday December 10, 2015 @02:27PM (#51096309)
    Lack of ASLR is not a bug. It's a lacking feature. Arguably, it's the compiler's responsibility to make it happen. Having said that, I find it real hard to get virus infections nowadays. There might be something to this "common sense" thing about not running any software from untrusted sources. That, and user/kernel space separation.
    • by cfalcon ( 779563 )

      It's harder, but there's pretty constant zero days through browsers still. They usually put themselves on the porno sites so you can say "oh well you shouldn't go to the porno sites", which totally misses the point.

  • by account_deleted ( 4530225 ) on Thursday December 10, 2015 @02:28PM (#51096311)
    Comment removed based on user account deletion
    • Best description of modern AV I've seen...
    • by CrashNBrn ( 1143981 ) on Thursday December 10, 2015 @02:47PM (#51096435)

      most traffic will grind to a glorious halt while its inspected, detected, and

      Don't you mean, "Injected, Inspected, Detected, Infected, Neglected and Selected."
      --- Arlo Guthrie.

    • I have noticed that several new laptops with expired norton trials would effectively permanently enable airplane mode until a full/clean uninstall.
      • All network access has been disabled for your protection until your antivirus is updated... $99 please.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      The best security product around for several years now is found at adblockplus.org.

      • by Anonymous Coward

        You're lucky that your comment is far enough down the thread that APK didn't notice it. In fact, we're all lucky that APK didn't notice it.

        And for the record, I think APK and Coren22 are two personalities of the same schizophrenic person.

    • You forgot to mention that fearmongering about threats sells more products. An unscrupulous AV maker could even release malware/worms/viruses into the wild simply to drive more people to buy AV products. How do we know they're not? Conflict of interest, anyone?
  • by SumDog ( 466607 ) on Thursday December 10, 2015 @02:42PM (#51096399) Homepage Journal

    This issue was bought up at Kiwicon a year ago. Some pen-tester showed that a majority of anti-virus software doesn't use ASLR. Furthermore, he shows buffer-overflows and other memory errors in most of their scanners! You could infect most systems with the right malformed PDF or JPEG. It just needed to be scanned. The scanners themselves often run as the system user!

    Virus scanners are pretty much worse than useless. They're an attack vector.

    • This issue was bought up at Kiwicon a year ago. Some pen-tester showed that a majority of anti-virus software doesn't use ASLR. Furthermore, he shows buffer-overflows and other memory errors in most of their scanners! You could infect most systems with the right malformed PDF or JPEG. It just needed to be scanned. The scanners themselves often run as the system user!

      Virus scanners are pretty much worse than useless. They're an attack vector.

      Apparently that's been solved now which was the whole point of the article.

  • The same glaring errors seem to indicate incompetence; a Government TLA is a likely source for such things.

    Who writes good code at gunpoint? My shit would crash 98% of the time on purpose, lol.

    I'm not going to last long under the New Gestapo; probably none of us are.

  • Hello,

    Last month, anti-malware testing company AV-Test issued a report titled "Self-Protection for Antivirus Software [av-test.org]" in which they looked at the use of ASLR and DEP in 32 different anti-malware programs. Of all these programs, only one had 100% of its files compiled with those protections.

    Of course, anti-malware programs usually have their own anti-tamper mechanisms to ensure code and data integrity, but it seems like there's still some ways to go, and even it is still a good idea to make use of addition

  • This wouldn't be a problem if the MMU [ucsd.edu] did its job properly ..
  • So basically stop using WIndows XP and you won't be impacted

Do you suffer painful hallucination? -- Don Juan, cited by Carlos Casteneda

Working...