Google Found Disastrous Symantec and Norton Vulnerabilities That Are 'As Bad As It Gets' (fortune.com)
Google's Project Zero team has discovered a heap of critical vulnerabilities in Symantec and Norton security products. The flaws, the team says, allow hackers to completely compromise people's machines by simply sending them malicious self-replicating code through unopened emails or un-clicked links. According to a Fortune report, the vulnerabilities affect millions of people who run the company's endpoint security and antivirus software -- all 17 enterprise products (Symantec brand) and eight consumer and small business products (Norton brand). Dan Goodin, reporting for Ars Technica: The flaws reside in the engine the products use to reverse the compression tools malware developers use to conceal their malicious payloads. The unpackers work by parsing code contained in files before they're allowed to be downloaded or executed. Because Symantec runs the unpackers directly in the operating system kernel, errors can allow attackers to gain complete control over the vulnerable machine. Tavis Ormandy, a researcher with Google's Project Zero, said a better design would be for unpackers to run in a security "sandbox," which isolates untrusted code from sensitive parts of an operating system.
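The summary says the bugs live in the unpacker that parses attacker-supplied compressed files. The following is an added example, not code from Symantec, Project Zero or the article: a toy "PKD1" container format constructed for illustration, parsed once the way an unpacker that trusts a length field from the file does, and once with the checks that prevent the overflow. The format, the function names and the sample bytes are all assumptions made for this example.

```c
/* Added example (constructed format, not any vendor's code). Shows the
 * class of bug the article describes: an unpacker that lets a length
 * field read from the untrusted file drive a copy into a fixed buffer. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 64

/* Hypothetical header layout, invented for this example:
 *   bytes 0-3  magic "PKD1"
 *   bytes 4-5  payload length, little-endian
 *   bytes 6..  payload */
enum { HDR_LEN = 6 };

struct unpacked {
    uint8_t payload[PAYLOAD_MAX];
    size_t  len;
};

/* Vulnerable pattern: the length from the header is trusted. */
int unpack_unsafe(const uint8_t *in, size_t in_len, struct unpacked *out)
{
    if (in_len < HDR_LEN || memcmp(in, "PKD1", 4) != 0)
        return -1;
    uint16_t len = (uint16_t)(in[4] | (in[5] << 8));
    /* BUG: len is never compared with PAYLOAD_MAX or with in_len. A
     * crafted file can write past out->payload and read past the input. */
    memcpy(out->payload, in + HDR_LEN, len);
    out->len = len;
    return 0;
}

/* Hardened: every value taken from the file is validated before use. */
int unpack_safe(const uint8_t *in, size_t in_len, struct unpacked *out)
{
    if (in == NULL || out == NULL || in_len < HDR_LEN)
        return -1;
    if (memcmp(in, "PKD1", 4) != 0)
        return -1;
    uint16_t len = (uint16_t)(in[4] | (in[5] << 8));
    if (len > PAYLOAD_MAX)              /* would overflow the destination */
        return -2;
    if ((size_t)len > in_len - HDR_LEN) /* would read past the input */
        return -3;
    memcpy(out->payload, in + HDR_LEN, len);
    out->len = len;
    return 0;
}

/* Constructed samples. */
static const uint8_t benign[]    = { 'P','K','D','1', 5, 0, 'h','e','l','l','o' };
/* Header claims 65535 bytes, two follow: overflows the 64-byte buffer. */
static const uint8_t hostile[]   = { 'P','K','D','1', 0xFF, 0xFF, 'A','B' };
/* Header claims 10 bytes, two follow: reads beyond the end of the input. */
static const uint8_t truncated[] = { 'P','K','D','1', 10, 0, 'A','B' };

/* Small wrappers so the results can be checked from a caller. */
int safe_result(const uint8_t *in, size_t in_len)
{
    struct unpacked u;
    return unpack_safe(in, in_len, &u);
}

int safe_roundtrip_benign(void)
{
    struct unpacked u;
    if (unpack_safe(benign, sizeof benign, &u) != 0)
        return 0;
    return u.len == 5 && memcmp(u.payload, "hello", 5) == 0;
}

int main(void)
{
    printf("safe(benign)    = %d\n", safe_result(benign, sizeof benign));
    printf("safe(hostile)   = %d\n", safe_result(hostile, sizeof hostile));
    printf("safe(truncated) = %d\n", safe_result(truncated, sizeof truncated));
    /* unpack_unsafe(hostile, ...) is deliberately not called: it would copy
     * 65535 bytes into a 64-byte buffer. In a kernel driver that is ring-0
     * memory corruption; in a sandboxed user process it is a dead worker. */
    return 0;
}
```

The point of the comparison is where the bug lands, not how it is written: the same missing check in a user-mode worker is a crash of that worker, while in a kernel-mode unpacker it is a corruption of kernel memory reachable by anyone who can get a file onto the machine.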
yet more poor design. (Score:1)
Putting anti-virus anything in a kernel is downright stupid.
Re:yet more poor design. (Score:5, Insightful)
They need to hijack all network and file operations, so they do need hooks in the kernel. But these should be minimal, passing the data down to a sandbox without even peeking inside. The fact that data which is *expected to be malicious* is allowed to interact directly with kernel level code is definitely FUBAR.
Re:yet more poor design. (Score:5, Insightful)
They need to hijack all network and file operations, so they do need hooks in the kernel. But these should be minimal, passing the data down to a sandbox without even peeking inside. The fact that data which is *expected to be malicious* is allowed to interact directly with kernel level code is definitely FUBAR.
That is a good point.
Obviously they do need to be in the kernel to check the operations, but the way you have broken it down makes a lot more sense than actually parsing items that are suspected of being malicious in kernel mode.
Pretty sad when convenience trumps security even in a security product.
Re:yet more poor design. (Score:5, Informative)
The 'real kernel' still needs to pass it down into the VM from physical media for processing. And the VM would need to be supervised by the host, not just launched and forgotten - the sandboxing won't help much if the virus hijacks the sandbox, and makes it pass everything through as 'clean' regardless of the content - the host needs to constantly monitor integrity of the checking process.
There are 'jailbreak' attacks that allow escaping the VM sandbox and infecting the host, but they are difficult and rare.
Re: (Score:2)
Yes, unless the attacker is prepared for this. They won't attempt jailbreak if they are not aware they are on VM (plus it IS difficult), and with the right setup the kernel will pass data to VM pretty much transparently - IF the traffic is directed at the VM. Not quite the case if the traffic is directed at the host, and the kernel squeezes it into VM regardless (though still possible to do safely).
Plus the only thing that goes back to host from the VM is display, and well-encapsulated I/O to be passed thro
Re: (Score:2)
Not always viable, but that point is a very weak point anyway. The host's kernel *can* pass all traffic transparently to VM and never be at risk. It just needs to be done, no challenge here. The challenge is assuring the sandboxed environment isn't hijacked - the same way currently the root's environment is being hijacked. While the hijack would be unable to escape the sandbox by itself (or at least only with great difficulty), it can infect the "clean" uplink, and infect the host with other malware (albeit o
Re: (Score:2)
Setting up a sandbox is a one-time deal on startup. Giving the process a preferential treatment in the scheduler is a viable approach; another is to bypass the whole heavyweight system of accounts and authentication and carve your own sandbox from scratch, a separate, minimal subsystem of lowered privileges, à la VM.
Re: (Score:2)
You probably need to recreate the sandbox each time (or at least at some frequency) because you can't tell if the sandbox has been corrupted by the malicious code. Trying to bypass the accounts & authentication just punches more holes in the OS.
It's not an easy problem, especially if you are concerned about speed.
Re: (Score:2)
You MUST be monitoring the sandbox to tell if it's been corrupted by malicious code. Otherwise the whole scheme crashes and burns, as the attacker hijacks the sandbox and infects the clean uplink. And that can take a very short time, so "periodic re-creation of sandbox" is not a solution. Tight monitoring à la running in a debugger is the way.
Of course in case the sandbox is corrupted, it would need to be re-created, but that *hopefully* wouldn't be too frequent.
Re: (Score:2)
Imagine taking the hit for moving between kernel space and user space and setting up a sandbox.
Sandboxing can be minimal in user space, and anyway only needs to be done once. There shouldn't be any performance hit for doing the parsing work in user space - you don't have to copy the data around or anything, just arrange for the user-mode process to see the page. Latency for detection would get worse, due to the wait for the user-mode thread to notice it had work to do, but that should be sub-millisecond in a modern system.
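The posts above argue over the shape of the split: a thin kernel hook hands the data to an unprivileged worker, the host watches the worker rather than trusting it, and a worker that gets corrupted must not be able to wave later files through as clean. The following is an added example and not code from the article, from Symantec, or from any of the posters: a user-space broker that forks a fresh short-lived worker per file, reads back a one-byte verdict over a pipe, and fails closed (verdict UNKNOWN) when the worker dies or returns garbage. The classifier is a toy stand-in for an unpacker plus signature engine, the sample inputs are constructed, and the 0xDEADBEEF prefix is an assumed marker used only to simulate a parser crash deterministically. Dropping privileges or applying a syscall filter in the worker is where a real design would do it, noted in a comment and not performed here since it needs root or Linux-specific APIs.

```c
/* Added example: broker/worker scanner in user space (POSIX). Not from
 * the article or any vendor. The worker parses untrusted input; the
 * broker never does. A worker crash becomes an UNKNOWN verdict that the
 * caller treats as "block", not a kernel fault. */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum verdict { CLEAN = 0, MALICIOUS = 1, UNKNOWN = 2 };

/* Constructed samples (not real malware, not a real signature). */
static const uint8_t sample_clean[] = "plain text, nothing to see";
static const uint8_t sample_bad[]   = "contains the TOY-MARKER string";
static const uint8_t sample_crash[] = "\xde\xad\xbe\xef crafted";

static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Toy classifier standing in for the unpacker + signature engine.
 * The assumed 0xDEADBEEF prefix models a malformed file that trips a
 * memory-safety bug; raising SIGSEGV makes the "crash" deterministic. */
static enum verdict classify(const uint8_t *buf, size_t n)
{
    if (n >= 4 && buf[0] == 0xde && buf[1] == 0xad &&
        buf[2] == 0xbe && buf[3] == 0xef)
        raise(SIGSEGV);
    return contains(buf, n, "TOY-MARKER") ? MALICIOUS : CLEAN;
}

/* Broker side: one fresh worker per file, so a hijacked worker cannot
 * persist and lie about the next file; its exit status is inspected. */
enum verdict scan_in_worker(const uint8_t *buf, size_t n)
{
    int fd[2];
    if (pipe(fd) != 0)
        return UNKNOWN;
    pid_t pid = fork();
    if (pid < 0) {
        close(fd[0]); close(fd[1]);
        return UNKNOWN;
    }
    if (pid == 0) {
        /* Worker. A real design drops privileges here (setuid/chroot,
         * seccomp or a job object) before touching the data. */
        close(fd[0]);
        uint8_t v = (uint8_t)classify(buf, n);
        (void)!write(fd[1], &v, 1);
        _exit(0);
    }
    close(fd[1]);
    uint8_t v = UNKNOWN;
    ssize_t r = read(fd[0], &v, 1);
    close(fd[0]);

    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return UNKNOWN;
    /* Fail closed: a signalled or non-zero exit means the worker was
     * compromised or crashed, so its (missing) verdict is not trusted. */
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return UNKNOWN;
    if (r != 1 || v > MALICIOUS)   /* malformed verdict byte */
        return UNKNOWN;
    return (enum verdict)v;
}

/* Policy: only an explicit CLEAN from a healthy worker is allowed. */
int allow_file(const uint8_t *buf, size_t n)
{
    return scan_in_worker(buf, n) == CLEAN;
}

int main(void)
{
    static const char *names[] = { "CLEAN", "MALICIOUS", "UNKNOWN" };
    printf("clean  -> %s\n", names[scan_in_worker(sample_clean, sizeof sample_clean - 1)]);
    printf("bad    -> %s\n", names[scan_in_worker(sample_bad, sizeof sample_bad - 1)]);
    printf("crash  -> %s\n", names[scan_in_worker(sample_crash, sizeof sample_crash - 1)]);
    return 0;
}
```

Forking per file is the simplest way to get the "re-create the sandbox" property the thread debates; a pooled long-lived worker would need the integrity monitoring the posts describe, since the broker could not otherwise tell a healthy worker from one that has been taken over and now answers CLEAN to everything.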
Re: (Score:2)
From a security standpoint, doing those data intensive checks shouldn't be in the kernel (separation kernels were designed for this). However, having to do process swaps to do the security checks is going to raise the hit on the processor. Security will always cost something.
Re: (Score:2)
From a security standpoint you shouldn't be using antivirus software for real-time scanning. These issues have been known for years and keep occurring ( https://www.blackhat.com/prese... [blackhat.com]
http://www.pcworld.com/article... [pcworld.com]
http://www.theinquirer.net/inq... [theinquirer.net]
https://community.sophos.com/k... [sophos.com]
). Antivirus vendors have been screwing up too often - false positives (blacklisting OS files etc), being exploitable (like this), being unstable, using too much resources.
Real time AV scanning should only be used by people who
Re: (Score:2)
Convenience or performance...
These security products are already bloated and slow enough as it is, if you add the extra overhead of passing the data to a sandboxed userland process for inspection it's going to make them even worse.
But you are right, endpoint protection software violates many security best practices... Extremely complex code, dealing directly with untrusted data and running with a high privilege level.
The only AV i run is on web and mail filtering boxes, the scanner runs under its own unpriv
Re: (Score:2)
Anyone else remember HTTP kernel modules like Tux? "hey, let's parse unfiltered unverified data in the kernel" that needed to die, and luckily enough it eventually did
LD_PRELOAD? (Score:2)
Oh wait, this is Windows. It probably doesn't have anything like that in user space to intercept system calls.
Re: (Score:3)
LD_PRELOAD doesn't intercept system calls, it intercepts library calls. Some of which do wrap system calls, but LD_PRELOAD helps you ZERO if you have a statically linked executable.
I'd imagine a lot of malware for Linux based operating systems very well might be statically linked, to avoid libc version dependencies.
Re: (Score:2)
So use PTRACE.
Re: (Score:1)
Right, a ptrace based tool obviously is a better option, but that isn't what the original poster was talking about.
Re:yet more poor design. (Score:5, Funny)
If it wasn't in the kernel, how would it constantly suck 50% of your CPU and slow your machine to a crawl?
How to catch fopen() without hooking kernel? (Score:4, Informative)
Without adding file system hooks to the kernel, how should a real-time antivirus tool trap attempts to read potentially infected files?
Sometimes I think the PC Matic guys are right: a whitelist is a more reliable way to block malware. But a whitelist requires more diligence to maintain if you don't want to turn a PC into a game console, and diligence is something sorely lacking in the non-technical majority.
Re: How to catch fopen() without hooking kernel? (Score:4, Interesting)
Well that is harder than it sounds, in practice.
For example without additional modifications to the kernel does the scheduler know that not running your scan process essentially will cause I/O to stall for every other process?
Microsoft very sensibly provided kernel interfaces to address these issues, and was not going to allow these vendors to hook parts of the kernel during the run up to NT 6.x. They all got their panties in a twist though and cried that it would prevent them from innovating, the result is they have to deal with all these little interaction problems themselves, it's actually harder than it looks and leads to bugs, either in terms of security or emergent behaviors and performance problems.
Re: (Score:2)
I don't know about Windows, but in Linux, root can set a process's priority such that other processes can only run when it is blocked (for example, when requested I/O is not available).
A whitelist is a gateway to an app store only system with censorship and lack of choice. Also the 20%-30% cut is very bad with high cost pro software.
Re: (Score:2)
But a whitelist requires more diligence to maintain if you don't want to turn a PC into a game console
A whitelist is a gateway to an app store only system with censorship and lack of choice.
That's sort of what I was getting at. It really depends on by whom it's managed. Some PC owners can be trusted to maintain their own whitelist; others can't.
Re: (Score:2)
as what some consider "censorship" others consider "peace of mind that I won't irreversibly break something".
But then why ban adult themed apps and games?
Why ban Wolf 3D just because the app store does not like the content?
Why ban NES EMU's just because big N said to?
Re: (Score:2)
Why ban Wolf 3D just because the app store does not like the content?
That depends on whether they banned Id's parent company Zenimax from posting it or whether they banned third parties from posting it.
Re: (Score:2)
Whatever HTML you were hoping for in that post, it looks like goatse. Slashcode is terrible and especially the list tags are broken beyond belief. (Also, you just gave a detailed response to some rhetorical questions.)
Re:How to catch fopen() without hooking kernel? (Score:5, Interesting)
Without adding file system hooks to the kernel, how should a real-time antivirus tool trap attempts to read potentially infected files?
Sometimes I think the PC Matic guys are right: a whitelist is a more reliable way to block malware. But a whitelist requires more diligence to maintain if you don't want to turn a PC into a game console, and diligence is something sorely lacking in the non-technical majority.
A whitelist is useless. It will either--as you said--just lock down the computer a la Windows RT, or it won't prevent the admin from whitelisting whatever he wants to execute or install, thus retaining the exact same threat risk as before.
For optimal security, what one should do before executing an unknown binary is (1) first run it in a safe testing environment [e.g. a virtual machine] and carefully monitor the std streams to make sure it's not trying to do something malicious, and/or (2) use mandatory access control [e.g. SELinux, AppArmor] to profile the binary before executing it, thus ensuring that it won't be able to do anything beyond the realm of what the admin expects it to do. As additional safeguards, ALWAYS have multiple backups of important data. Also, a ZFS/btrfs snapshot would be good too.
But all of that's for the security-conscious. 99% of the human race won't bother with any of that--and that's why Windows has an atrocious reputation for security and crapware, because the UAC introduced in Vista has just conditioned people to click through everything, and even the very best antivirus programs (to this I am counting BitDefender and Kaspersky--NOT Norton, Symantec, McAfee, or Windows Defender) don't protect against zero-days. It's still not difficult to unintentionally cultivate malware just through email attachments and web browsers.
Linux is infinitely superior in this regard, since you have the baked-in defenses from POSIX, but also because the important Linux distros all ship with SELinux or AppArmor sandboxing the privileges of the email client and browser by default.
Re: (Score:2)
"A whitelist is useless. It will either--as you said--just lock down the computer a la Windows RT, or it won't prevent the admin from whitelisting whatever he wants to execute or install, thus retaining the exact same threat risk as before."
I wouldn't say that a white list is useless, but I'm not sure you really get the idea of white listing.
A white list isn't to prevent execution of unknown code, it is to prevent the execution of unapproved code. And conflating the two results in mistakes of intent, purpos
Re: (Score:2)
The problem is who makes the whitelist. It is either an expert who may or may not have motives other than safety in mind (your computer isn't really yours, which might be acceptable on a corporate PC) or it is the owner, in which case they could skip the whitelist system and just run the software they want to run. If you need a whitelist to keep software from running without the user's permission, then you actually just have a UI problem that should be fixed.
Re: (Score:2)
it won't prevent the admin from whitelisting whatever he wants to execute or install
It's not supposed to stop those things.
A whitelisting application is only supposed to stop things that admins do not want to run. It is specifically designed for competent system administrators---not home users.
A home user would have to delegate whitelist management, which translates to subscription security services or curated application stores in the real world.
to profile the binary before executing it
You're joking, right?
Enterprise applications have hundreds of interrelated binaries, and there is generally no data available on the exact functi
Re: (Score:2)
A few small points but (1) Windows has had an atrocious reputation for security and crapware well before UAC and Vista, (2) as you note UAC hasn't really done a lot to change this, and (3) this is just a repeat of ActiveX* in a lot of ways.
Uh, no. Chrome will happily run programs you download for you if you let it. Meanwhile, the juiciest targets for Linux right now are still servers which involve attacking things like bash and openssl. Honestly, AppArmor doesn't help much if you can still launch a separate executable. I'd say obscurity is the best defense most Linux desktop users enjoy today, not anything else.
*And just to be clear, as much as there were a lot of vulnerabilities that allowed ActiveX controls to run regardless of security policies or whatever, the biggest reason ActiveX was and is a problem is the same reason UAC + downloading an executable is: you can't really tell anything about what a program will do and, as you say, people become conditioned to just click through everything. Really, lightweight snapshotting and a good recovery system would have done more to protect the system than an all-or-nothing barrier.
What Linux distro ships Chrome as the default browser? None of the main ones (Ubuntu, Mint, RHEL/CentOS, [open]SUSE, Debian, Arch, Gentoo). If you install a different browser you should manually profile it in SELinux/AppArmor (it's a little tedious with the former, but the latter can do it for you almost automatically).
They ship Firefox, not Chrom(e|ium) (Score:2)
What Linux distro ships Chrome as the default browser? None of the main ones (Ubuntu, Mint, RHEL/CentOS, [open]SUSE, Debian, Arch, Gentoo).
Talk about moving the goal posts. But, AFAIK Chromium will happily do the same. But, then, I guess you'll try to claim that's not "default" too or some BS.
It isn't default. Do any of these ship Chromium in the install image, or do they all ship Firefox?
Re: (Score:2)
Bingo, we have a winner. There is no difference in the way Windows and Linux handle executable from a security standpoint. If the executable is bad and you click on it you are DONE HERE in any OS. To the extent that Linux is better its better because nobody cares enough about DESKTOP Linux to write exploits for it.
Sorry, you are manifestly and provably wrong. Windows has no equivalent function to AppArmor or SELinux to profile an executable's privileges before running it.
AppContainer in Windows 8 and later (Score:2)
Windows has no equivalent function to AppArmor or SELinux to profile an executable's privileges before running it.
Windows 8 introduces "AppContainer", which IE uses for its Enhanced Protected Mode [securityintelligence.com]. An AppContainer provides a capability model analogous to Android permissions. UWP applications likewise run in an AppContainer. Google Chrome is based on Chromium, which has its own sandbox [chromium.org] that uses AppContainer when available.
Re: (Score:2)
Sometimes I think the PC Matic guys are right: a whitelist is a more reliable way to block malware. But a whitelist requires more diligence to maintain if you don't want to turn a PC into a game console, and diligence is something sorely lacking in the non-technical majority.
Don't worry, eventually once there is a sufficiently bad "digital pearl harbor" event EVERYTHING will be on a white list, because everything will be like itunes and google play, you (we) won't be able to do nuthin' on our PC without it going through a walled garden.
A walled garden controlled by a bureaucratic quagmire along the lines of whatever "team" brought us the 0bamacare website.
Re: (Score:2)
...for sure.
Ok, so which Formula 1 driver are you?
Re:WHO THE HELL SUBMITTED THIS? (Score:5, Informative)
TIL that blogger was bought by Google in 2003...
directly in the operating system kernel (Score:1)
Oy! And these people call themselves professionals!
How surprising (Score:2)
A bug in Norton? Really? How surprising. That's never happened before, has it?
Re: (Score:3)
A bug in Norton? Really? How surprising. That's never happened before, has it?
People pay for Norton products all the time but I cannot in good conscience ever recommend any product from them. I have repaired computers that were literally damaged by simply installing norton products. I could go on and on (and have, many times when appropriate) about how this software doesn't work and is literally worse than nothing - based on MY OWN personal observations, and I am NOT alone.
But I don't go on about McAfee, I simply sum up McAfee products with one line: The only thing WORSE than any of
Re: (Score:2)
So you're saying that McAfee is a killer app?
Re: (Score:2)
it's just shit awful design.
We're talking about Windows, right? So isn't that redundant?
Re: (Score:2)
No, pretty much every platform, for example:
* Symantec Endpoint (Mac, Windows, Linux, UNIX)
I'm not sure what's missing in that example that would be in this one:
* Symantec Scan Engine (All Platforms)
Here's a good link:
http://googleprojectzero.blogs... [blogspot.ca]
Microsoft tried to prevent this (Score:5, Informative)
http://www.dailytech.com/Micro... [dailytech.com]
Security vendors prevent Microsoft locking kernel? (Score:3, Informative)
'The whole "PatchGuard" concept shows how broken Microsoft's approach to an OS has become. The whole concept is to catch changes made by programs which already have full access to kernel space. By checking every five or ten minutes for a change, no less. That's inherently a futile exercise
First NT team fought to keep things out of ring0 (Score:2, Insightful)
I was working for a developer who had a few video games published by Microsoft around the time NT was shipping. The games and marketing divisions were having it out with Dave Cutler and the NT team because the NT team was fighting like hell against putting anything that wasn't absolutely necessary in ring0 ("kernel") space. (The bulk of the NT team followed Cutler from DEC and were experienced server OS developers). The NT team was taking the right approach for a server but on the hardware at the time tha
Re: (Score:3)
You've misused the word "ultimately" to imply a stubborn impasse ending in capitulation.
That's not how things went. Cutler kept all that flaky shit out of ring0 long enough to get most of the bugs out of the core OS, without becoming befuddled by having so many fingers to point. The game vendors had to suck it for a while with a development model where their own bugs were obv
Thank God! (Score:5, Funny)
Re: (Score:3)
Re: (Score:3)
You forgot the sarcasm code pair.
Nah... If system has an unfixable McAfee problem, it gets reimaged in a hurry.
Re: (Score:2)
Even on the Internet the sarcasm in that one was obvious.
Re: (Score:2)
My workplace uses McAfee security products. We're safe.
run
Is this new, or from a few weeks ago? (Score:2)
Is this new, or from a few weeks ago? The date on TFA is from today but the description of the bug is nearly identical to stuff that hit the news stands about a month ago, even down to some identical wording. I can't tell if I need to make sure I get patched ASAP, or if this is something that's already been covered with earlier updates.
Re: (Score:1)
A patch, Symantec Endpoint Protection 12.1.6 MP5, was released yesterday.
According to https://support.symantec.com/en_US/article.INFO3801.html
In addition to the following fixes, this release addresses the following security advisories:
Symantec Decomposer Engine Multiple Parsing Vulnerabilities (SYM16-010)
Symantec Endpoint Protection Manager Multiple Security Issues (SYM16-011)
Waiting for Tanium's turn to be exposed (Score:1)
Unencrypted shards. Who thought it would be a good idea to send "commandlets" across a network without the least bit of security? Commandlets that execute with admin privileges...
The Air Force, that's who. They've bought into Tanium hook, line, and sinker.
The Best AntiVirus Ever (Score:1, Insightful)
The best antivirus ever is to use your fucking brain when you surf the Internet. And, if you don't have a brain, to stay OFF the fucking Internet.
99.999% of all viruses and malware are distributed by one of these three methods:
1) Spamming email addresses with infected links promising penile enlargement, instant riches, or notifying you of a problem with an account you don't even have at a bank you've never heard of (and yet people still fall for it)
2) Porn sites. All of them spread viruses and malware. That
Re:The Best AntiVirus Ever (Score:5, Informative)
You're wrong on #2.
Porn sites do NOT spread malware. Maybe at one time they did, but not any more.
I have an anecdote to prove my point (this is the internet, after all)
A guy brings in his computer it has a virus. He's sure the kid has been doing "naughty" things on it and got it infected. Digital AIDS as it were.
I fixed the virus and did an "audit" of the PC's surfing history and searches and so on, giving me a timeline up to the point where it got infected.
The kid was indeed surfing porn. I asked the guy when he and momma went to bed. "10:00" he said. I told him I could tell. Little Johnny was surfing for "hot milfs", "Zoo porn" and other horrible things starting at 10:30. But the virus didn't get downloaded then.
The virus got downloaded at 7:30 in the morning when the adult got on the PC and did a google search for "TV Repair in [local town name]" and followed whatever link was there that took him to a fake antivirus driveby download.
In other words, Bestiality? Safe. TV Repair? Not safe.
I have other examples too, such as malicious ads on PBS kids and Drudge report and so on.
Re: (Score:3)
Not a surprise. I've worked with IT guys who had worked on porn sites. They're obsessive about security. Competition is so fierce that anything that would give the user the least hesitation simply isn't tolerated.
Re: (Score:2)
Bestiality? Safe. TV Repair? Not safe.
That's why, when your TV breaks, you're supposed to go buy a new one.
I mean, really. Fixing broken stuff? Not only does it violate the warranty, you can end up getting viruses!
Re: (Score:1)
You're wrong on #2.
Porn sites do NOT spread malware. Maybe at one time they did, but not any more.
I have an anecdote to prove my point (this is the internet, after all)
A guy brings in his computer it has a virus. He's sure the kid has been doing "naughty" things on it and got it infected. Digital AIDS as it were.
I fixed the virus and did an "audit" of the PC's surfing history and searches and so on, giving me a timeline up to the point where it got infected.
The kid was indeed surfing porn. I asked the guy when he and momma went to bed. "10:00" he said. I told him I could tell. Little Johnny was surfing for "hot milfs", "Zoo porn" and other horrible things starting at 10:30. But the virus didn't get downloaded then.
The virus got downloaded at 7:30 in the morning when the adult got on the PC and did a google search for "TV Repair in [local town name]" and followed whatever link was there that took him to a fake antivirus driveby download.
In other words, Bestiality? Safe. TV Repair? Not safe.
I have other examples too, such as malicious ads on PBS kids and Drudge report and so on.
Yeah I hate hearing people say "Stop browsing those Porn sites." Porn sites aren't going to infect their customers who not only bring ad revenue but many times subscription revenue as well.
Re: (Score:2)
Incorrect on porn sites, these days it is actually the Church sites you've got to be careful of.
But, Google's Android is clean (Score:2)
Whose daddy do you trust?
Trust no one... (Score:1)
Trust no one...especially Google.
Test File from ISC (Score:1)
LOL, too funny (Score:2, Insightful)
"The flaws, the team says, allow hackers to completely compromise people's machines by simply sending them malicious self-replicating code through unopened emails or un-clicked links."
Okay, now that's funny. I bet the NSA/FBI/CIA is having a fucking field day with this little flaw. Unless you can prevent everyone from sending you an email (!!) you can be compromised. And that is pretty much the whole fucking point of email: to receive an email.
"The unpackers work by parsing code contained in files before th
Do Zip/Rar/Archive Bombs still exist? (Score:2)
Say hello to my little friend... IoT (Score:2)
Let's just be clear on what happened here. A library used to defend against malware itself has a zero-day which is targetable by malware. This from an industry that has decades of programming effort to doing just one thing, and attracts some of the best of the best as developers.
Just pointing this out explicitly for everyone who thinks that IoT won't wreak real physical harm, potentially on a scale previously unheard of and (as a consequence) programming same will not be tightly regulated and li
Re: (Score:2)
IoT is going to end programming freedom as we know it.
A more likely scenario is that IoT will end IoT as we know it.
Once people realize that they don't really get much value out of putting their appliances on the Internet, but do risk getting hacked, the next big marketing push will be "certified air-gapped secure" appliances, aka traditional/non-IoT appliances, and the idea of IoT can join VRML, GeoCities, and DivX in the Hall of Technologies That It Turns Out Nobody Actually Wanted After All. (aka the HOTTITONAWAA).
Another reason not to run Norton junk (Score:3)
I have had Norton and Symantec on my own personal blacklist of entities I refuse to have anything to do with ever since I installed some version of Norton Internet Security and it made my web browsing (and possibly other stuff) stop working until I completely uninstalled it.
Re: (Score:2)
I have not installed a Symantec product, or permitted a pre-installed Symantec product to remain, on any machine I control in a decade. In the five or six years before that I made several attempts to use Symantec security or utility products. They were never usable, in some cases they never worked at all. Antivirus programs that insisted on running at 95% CPU all the time if they were installed, but proved very difficult to uninstall. A backup program that did all their backups as uncompressed full image pr
Any relation to Eugene? (Score:1)
Elephant graveyard (Score:2)
Symantec is the elephant graveyard of software. Any software that Symantec acquires, no matter how good it was originally, will turn to crap. We saw it with Norton Antivirus, Norton Utilities, a couple other things.
For a while their enterprise antivirus product bucked the curve and actually did reasonably well, but I guess that was just a statistical anomaly that Symantec has since corrected.
It's 1999 all over again (Score:1)
I thought everyone knew about not doing dumb stuff like this no later than 1999. The Unix world knew that way back in the 1980s. So I suppose Windows is still around 30 years behind.
A Symantec executive says Antivirus is DEAD (Score:1)