Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
captain_to_fire

'Crazy bad' bug in Microsoft's Windows malware scanner can be used to install malware

Recommended Posts

7 hours ago, LAwLz said:

Doesn't it have to run with admin privileges? It wouldn't be able to scan a lot of files otherwise.

 

No. The AV engine itself should not need to be flailing around on a system like a bull in a china shop. Just because a process may need permission to read a file does not need that it needs to run it or more importantly that it needs permissions to do anything else on the system.

 

Even if we assume that an AV must run with the highest privileges, it should be acknowledged that this is a pretty major architectural flaw, necessary or not. It's basically taking the already huge attack surface that an AV presents and painting a big target on it.

Link to post
Share on other sites

To all of those people going "lol microsoft AV", keep in mind that what happened here can happen to any AV. Also Microsoft at least has much higher stake in making sure their AV at least performs adequate. A lot of the other third party AVs can do more harm than good (https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/). To put it in an analogy, Windows Defender is the military in the country of Microsoft, whereas the other AVs are PMCs.

 

5 minutes ago, SSL said:

No. The AV engine itself should not need to be flailing around on a system like a bull in a china shop. Just because a process may need permission to read a file does not need that it needs to run it or more importantly that it needs permissions to do anything else on the system.

It still should have some form of admin privileges because if a user marked a file as 700 and the AV is treated as standard user, then it can never read the file because it doesn't have permission to do so.

 

But yeah, it should only have read privileges to said files.

Link to post
Share on other sites
1 minute ago, M.Yurizaki said:

It still should have some form of admin privileges because if a user marked a file as 700 and the AV is treated as standard user, then it can never read the file because it doesn't have permission to do so.

 

So have another process change the permissions in some way so that the AV engine can do whatever it needs to do with the file. If that means giving the AV engine total access to the system at all times, they might as well start calling them Unsecurity Software.

Link to post
Share on other sites
12 minutes ago, SSL said:

No. The AV engine itself should not need to be flailing around on a system like a bull in a china shop. Just because a process may need permission to read a file does not need that it needs to run it or more importantly that it needs permissions to do anything else on the system.

 

Even if we assume that an AV must run with the highest privileges, it should be acknowledged that this is a pretty major architectural flaw, necessary or not. It's basically taking the already huge attack surface that an AV presents and painting a big target on it.

If an anti-virus isn't running with admin privileges, then any malware with admin privileges would be able to stay invisible to that AV.


Please avoid feeding the argumentative narcissistic academic monkey.

"the last 20 percent – going from demo to production-worthy algorithm – is both hard and is time-consuming. The last 20 percent is what separates the men from the boys" - Mobileye CEO

Link to post
Share on other sites
1 minute ago, Tomsen said:

If an anti-virus isn't running with admin privileges, then any malware with admin privileges would be able to stay invisible to that AV.

 

You and others are missing the point of my comments. 

 

Running an AV engine with high or the highest possible privileges is a vulnerability waiting to be exploited. I don't really care for the purposes of this observation whether such behavior is necessary to make the AV software "work".

Link to post
Share on other sites
3 minutes ago, SSL said:

So have another process change the permissions in some way so that the AV engine can do whatever it needs to do with the file. If that means giving the AV engine total access to the system at all times, they might as well start calling them Unsecurity Software.

Any process like that needs admin privileges, in which case you better hope that process is secure otherwise Mallory can take advantage of it and change the permissions of anything to fit her needs.

 

EDIT: Then how about this: any thing the AV can scan, let it scan. If it can't scan it, tag it and have the user elevate the privileges later

Link to post
Share on other sites
1 minute ago, M.Yurizaki said:

Any process like that needs admin privileges, in which case you better hope that process is secure otherwise Mallory can take advantage of it and change the permissions of anything to fit her needs.

 

Part of the "security" of any process is determined by what the process does. A process that shoves it's face into every corner of a system in the name of security is inherently less secure than another process with limited scope.

Link to post
Share on other sites
4 minutes ago, SSL said:

 

You and others are missing the point of my comments. 

 

Running an AV engine with high or the highest possible privileges is a vulnerability waiting to be exploited. I don't really care for the purposes of this observation whether such behavior is necessary to make the AV software "work".

That is ultimately a big concern with drivers (ring 0, not ring3 drivers). That is why by default microsoft only allows signed drivers to be installed.


Please avoid feeding the argumentative narcissistic academic monkey.

"the last 20 percent – going from demo to production-worthy algorithm – is both hard and is time-consuming. The last 20 percent is what separates the men from the boys" - Mobileye CEO

Link to post
Share on other sites
2 minutes ago, SSL said:

Part of the "security" of any process is determined by what the process does. A process that shoves it's face into every corner of a system in the name of security is inherently less secure than another process with limited scope.

How else would you be able to determine whether or not what a process runs is malicious?


Please avoid feeding the argumentative narcissistic academic monkey.

"the last 20 percent – going from demo to production-worthy algorithm – is both hard and is time-consuming. The last 20 percent is what separates the men from the boys" - Mobileye CEO

Link to post
Share on other sites
4 minutes ago, Tomsen said:

How else would you be able to determine whether or not what a process runs is malicious?

 

Good question. Again, I'm not proposing that we solve these issues in this thread. I'm just pointing out that an AV engine running with all privileges is walking a fine line between making a system more secure and making it more vulnerable. This is a balance of which most users are blissfully unaware, and which most AV vendors actively fail to acknowledge. 

 

It may be that this is a compromise worth making in general, but there may be situations where no AV is more secure, such as against targeted attacks.

Link to post
Share on other sites
3 hours ago, SSL said:

 

Good question. Again, I'm not proposing that we solve these issues in this thread. I'm just pointing out that an AV engine running with all privileges is walking a fine line between making a system more secure and making it more vulnerable. This is a balance of which most users are blissfully unaware, and which most AV vendors actively fail to acknowledge. 

 

It may be that this is a compromise worth making in general, but there may be situations where no AV is more secure, such as against targeted attacks.

You feel free to run without AV then.  While I don't rely on AV as my primary line of defense (I use my wits and common sense for that), I do use it as a backup in case something slips past me or if I violate my own protocols for safe web surfing behavior.

Link to post
Share on other sites
9 hours ago, SSL said:

 

So have another process change the permissions in some way so that the AV engine can do whatever it needs to do with the file. If that means giving the AV engine total access to the system at all times, they might as well start calling them Unsecurity Software.

You cannot go round changing file permissions like that, that is not an acceptable way to do it. And to do that change you need enough permissions to make modifications to the ACLs of the file which is yet again high enough permissions to do damage and the thing you are complaining about.

 

The proper solution would be for Microsoft to alter the OS to add in a new special privilege designed for AV engines that is like SeBackupPrivilege but only has read access rather than read/write, backup software needs to restore files, it would also need read permission to all processes memory space. It would have to be designed in such a way that it can't be easily abused either, like signed drivers but signed AV engine. There is still some danger even in that due to implicit trust of AV engines but at least anything using it would be limited to read access.

Link to post
Share on other sites
13 hours ago, imPixelTV said:

cant be exploited if you dont even have the right version of windows

blackman.jpg

i cant afford your fancy dank memes they cost too much

so have a store bought noname brand one..

image.jpg


i7 3770k @ 1.3v 4.0GHz | 2x8GB CAS9 1600MHz | Radeon VII | ASUS P8Z77-V LE | 6TB WD Gold (128MB Cache, 2017)

Samsung 850 EVO 240 GB 

138 is a good number.

 

Link to post
Share on other sites

tavis and crew strike again!


Ultimate XP gaming system build log coming soon!  Q8200 // 8GB DDR2 // Asus P5E Deluxe X48 // Asus 4870 DARK KNIGHT X-Fire // Supreme FX sound // BFG Ageia PhysX PCI Co-Processor // AX 860x with Silverstone extensions 

Link to post
Share on other sites
22 hours ago, SSL said:

Good question. Again, I'm not proposing that we solve these issues in this thread. I'm just pointing out that an AV engine running with all privileges is walking a fine line between making a system more secure and making it more vulnerable. This is a balance of which most users are blissfully unaware, and which most AV vendors actively fail to acknowledge. 

 

It may be that this is a compromise worth making in general, but there may be situations where no AV is more secure, such as against targeted attacks.

Yeah but that is relevant to all ring0 drivers (kernel drivers). Be it anti-virus engine, GPU drivers, etc. Thats why we "have" to trust these companies so do their job properly, to avoid such potential bugs.

 

In regards to security. It is like a onion, it got layers.


Please avoid feeding the argumentative narcissistic academic monkey.

"the last 20 percent – going from demo to production-worthy algorithm – is both hard and is time-consuming. The last 20 percent is what separates the men from the boys" - Mobileye CEO

Link to post
Share on other sites
18 hours ago, Jito463 said:

You feel free to run without AV then.  While I don't rely on AV as my primary line of defense (I use my wits and common sense for that), I do use it as a backup in case something slips past me or if I violate my own protocols for safe web surfing behavior.

AKA watching porn?


Please avoid feeding the argumentative narcissistic academic monkey.

"the last 20 percent – going from demo to production-worthy algorithm – is both hard and is time-consuming. The last 20 percent is what separates the men from the boys" - Mobileye CEO

Link to post
Share on other sites
12 hours ago, leadeater said:

The proper solution would be for Microsoft to alter the OS to add in a new special privilege designed for AV engines that is like SeBackupPrivilege but only has read access rather than read/write, backup software needs to restore files, it would also need read permission to all processes memory space. It would have to be designed in such a way that it can't be easily abused either, like signed drivers but signed AV engine. There is still some danger even in that due to implicit trust of AV engines but at least anything using it would be limited to read access.

I would imagine certain features in modern day AV require write permissions. Like sandboxing processes, etc. Not quite sure.


Please avoid feeding the argumentative narcissistic academic monkey.

"the last 20 percent – going from demo to production-worthy algorithm – is both hard and is time-consuming. The last 20 percent is what separates the men from the boys" - Mobileye CEO

Link to post
Share on other sites
Just now, Jito463 said:

No.  Nitwit.

Right.. Just try not to violate your "safe web surfing behavior" :D


Please avoid feeding the argumentative narcissistic academic monkey.

"the last 20 percent – going from demo to production-worthy algorithm – is both hard and is time-consuming. The last 20 percent is what separates the men from the boys" - Mobileye CEO

Link to post
Share on other sites
5 minutes ago, Jito463 said:

Congratulations for being the first person on this forum I put on ignore.

Always a pleasure.


Please avoid feeding the argumentative narcissistic academic monkey.

"the last 20 percent – going from demo to production-worthy algorithm – is both hard and is time-consuming. The last 20 percent is what separates the men from the boys" - Mobileye CEO

Link to post
Share on other sites
23 minutes ago, Tomsen said:

Yeah but that is relevant to all ring0 drivers (kernel drivers). Be it anti-virus engine, GPU drivers, etc. Thats why we "have" to trust these companies so do their job properly, to avoid such potential bugs.

 

In regards to security. It is like a onion, it got layers.

 

AV engines are more generally much more vulnerable because they actively place themselves on the front line. That is, they come into contact with just about everything on the system that could contain a malicious payload. 

 

It's been shown repeatedly that AV vendors generally do not do their due diligence when it comes to writing secure code. A lot of that comes from the fact that virus detection and writing secure software are not skill-sets that overlap all that much. 

Link to post
Share on other sites
19 hours ago, Jito463 said:

You feel free to run without AV then.  While I don't rely on AV as my primary line of defense (I use my wits and common sense for that), I do use it as a backup in case something slips past me or if I violate my own protocols for safe web surfing behavior.

For the most part wits and common sense doesnt work anymore for safe browsing. A majority of malware is through ads now, even on "good sites", and with the amount of sites being breached or compromised, you dont know what code is on a site no matter how safe you think it is. 

 

Best combo is still a non-admin account (people really need to know how much this helps), adblocker, and AV (any of the top 5 or even paid malwarebytes which is the best case). 

 

If you dont use any of those, wits and common sense will not save you. 

Link to post
Share on other sites
Just now, mynameisjuan said:

For the most part wits and common sense doesnt work anymore for safe browsing. A majority of malware is through ads now, even on "good sites", and with the amount of sites being breached or compromised, you dont know what code is on a site no matter how safe you think it is. 

 

Best combo is still a non-admin account (people really need to know how much this helps), adblocker, and AV (any of the top 5 or even paid malwarebytes which is the best case). 

 

If you dont use any of those, wits and common sense will not save you. 

Did you just read one part of my post, and respond based on that?  I specifically said I use the AV as a safeguard for anything that slips past me, which would include malicious code in an ad.  I very explicitly made that clear in my post.  You're arguing against a strawman that's completely defeated by the very post you responded to.

 

I have no idea why you even made this response.

Link to post
Share on other sites
7 minutes ago, Jito463 said:

Did you just read one part of my post, and respond based on that?  I specifically said I use the AV as a safeguard for anything that slips past me, which would include malicious code in an ad.  I very explicitly made that clear in my post.  You're arguing against a strawman that's completely defeated by the very post you responded to.

 

I have no idea why you even made this response.

No I saw where it said wits and common sense was just a primary defense. Just pointing out that many people still use wits and common sense as their only defense which needs to stop as an only defense. Wasnt a direct attack dude, calm down... 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Buy VPN

×