
'Crazy bad' bug in Microsoft's Windows malware scanner can be used to install malware

7 hours ago, LAwLz said:

Doesn't it have to run with admin privileges? It wouldn't be able to scan a lot of files otherwise.

 

No. The AV engine itself should not need to be flailing around on a system like a bull in a china shop. Just because a process may need permission to read a file does not mean that it needs to run it or, more importantly, that it needs permissions to do anything else on the system.

 

Even if we assume that an AV must run with the highest privileges, it should be acknowledged that this is a pretty major architectural flaw, necessary or not. It's basically taking the already huge attack surface that an AV presents and painting a big target on it.


To all of those people going "lol microsoft AV", keep in mind that what happened here can happen to any AV. Also, Microsoft at least has a much higher stake in making sure their AV performs adequately. A lot of the other third-party AVs can do more harm than good (https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/). To put it in an analogy, Windows Defender is the military in the country of Microsoft, whereas the other AVs are PMCs.

 

5 minutes ago, SSL said:

No. The AV engine itself should not need to be flailing around on a system like a bull in a china shop. Just because a process may need permission to read a file does not mean that it needs to run it or, more importantly, that it needs permissions to do anything else on the system.

It still should have some form of admin privileges because if a user marked a file as 700 and the AV is treated as standard user, then it can never read the file because it doesn't have permission to do so.

 

But yeah, it should only have read privileges to said files.


1 minute ago, M.Yurizaki said:

It still should have some form of admin privileges because if a user marked a file as 700 and the AV is treated as standard user, then it can never read the file because it doesn't have permission to do so.

 

So have another process change the permissions in some way so that the AV engine can do whatever it needs to do with the file. If that means giving the AV engine total access to the system at all times, they might as well start calling them Unsecurity Software.


12 minutes ago, SSL said:

No. The AV engine itself should not need to be flailing around on a system like a bull in a china shop. Just because a process may need permission to read a file does not mean that it needs to run it or, more importantly, that it needs permissions to do anything else on the system.

 

Even if we assume that an AV must run with the highest privileges, it should be acknowledged that this is a pretty major architectural flaw, necessary or not. It's basically taking the already huge attack surface that an AV presents and painting a big target on it.

If an anti-virus isn't running with admin privileges, then any malware with admin privileges would be able to stay invisible to that AV.

Please avoid feeding the argumentative narcissistic academic monkey.

"the last 20 percent – going from demo to production-worthy algorithm – is both hard and is time-consuming. The last 20 percent is what separates the men from the boys" - Mobileye CEO


1 minute ago, Tomsen said:

If an anti-virus isn't running with admin privileges, then any malware with admin privileges would be able to stay invisible to that AV.

 

You and others are missing the point of my comments. 

 

Running an AV engine with high or the highest possible privileges is a vulnerability waiting to be exploited. I don't really care for the purposes of this observation whether such behavior is necessary to make the AV software "work".


3 minutes ago, SSL said:

So have another process change the permissions in some way so that the AV engine can do whatever it needs to do with the file. If that means giving the AV engine total access to the system at all times, they might as well start calling them Unsecurity Software.

Any process like that needs admin privileges, in which case you better hope that process is secure otherwise Mallory can take advantage of it and change the permissions of anything to fit her needs.

 

EDIT: Then how about this: anything the AV can scan, let it scan. If it can't scan it, tag it and have the user elevate the privileges later.


1 minute ago, M.Yurizaki said:

Any process like that needs admin privileges, in which case you better hope that process is secure otherwise Mallory can take advantage of it and change the permissions of anything to fit her needs.

 

Part of the "security" of any process is determined by what the process does. A process that shoves its face into every corner of a system in the name of security is inherently less secure than another process with limited scope.


4 minutes ago, SSL said:

 

You and others are missing the point of my comments. 

 

Running an AV engine with high or the highest possible privileges is a vulnerability waiting to be exploited. I don't really care for the purposes of this observation whether such behavior is necessary to make the AV software "work".

That is ultimately a big concern with drivers (ring 0, not ring 3 drivers). That is why by default Microsoft only allows signed drivers to be installed.


2 minutes ago, SSL said:

Part of the "security" of any process is determined by what the process does. A process that shoves its face into every corner of a system in the name of security is inherently less secure than another process with limited scope.

How else would you be able to determine whether or not what a process runs is malicious?


4 minutes ago, Tomsen said:

How else would you be able to determine whether or not what a process runs is malicious?

 

Good question. Again, I'm not proposing that we solve these issues in this thread. I'm just pointing out that an AV engine running with all privileges is walking a fine line between making a system more secure and making it more vulnerable. This is a balance of which most users are blissfully unaware, and which most AV vendors actively fail to acknowledge. 

 

It may be that this is a compromise worth making in general, but there may be situations where no AV is more secure, such as against targeted attacks.


3 hours ago, SSL said:

 

Good question. Again, I'm not proposing that we solve these issues in this thread. I'm just pointing out that an AV engine running with all privileges is walking a fine line between making a system more secure and making it more vulnerable. This is a balance of which most users are blissfully unaware, and which most AV vendors actively fail to acknowledge. 

 

It may be that this is a compromise worth making in general, but there may be situations where no AV is more secure, such as against targeted attacks.

You feel free to run without AV then.  While I don't rely on AV as my primary line of defense (I use my wits and common sense for that), I do use it as a backup in case something slips past me or if I violate my own protocols for safe web surfing behavior.


9 hours ago, SSL said:

 

So have another process change the permissions in some way so that the AV engine can do whatever it needs to do with the file. If that means giving the AV engine total access to the system at all times, they might as well start calling them Unsecurity Software.

You cannot go round changing file permissions like that; that is not an acceptable way to do it. And to make that change you need enough permissions to modify the ACLs of the file, which is yet again high enough permissions to do damage, and the very thing you are complaining about.

 

The proper solution would be for Microsoft to alter the OS to add a new special privilege designed for AV engines that is like SeBackupPrivilege but only has read access rather than read/write (backup software needs to restore files). It would also need read permission to all processes' memory space. It would have to be designed in such a way that it can't be easily abused either: like signed drivers, but a signed AV engine. There is still some danger even in that, due to the implicit trust of AV engines, but at least anything using it would be limited to read access.

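The design the thread keeps circling (SSL's "only read privileges to said files", M.Yurizaki's "tag it and have the user elevate the privileges later", and leadeater's read-only scanning privilege) can be sketched as a broker/worker split: one small privileged component opens files read-only and hands descriptors to a scanning engine that has no rights of its own, and anything the broker cannot open is tagged rather than the engine being given more power. The following Python is an added example written for this edit; it is not code from Windows Defender, Microsoft, or anyone in the thread, and it models the idea with POSIX descriptor passing on Linux rather than any Windows privilege such as SeBackupPrivilege. The marker string, file names, result labels and the decision to skip the privilege drop in the child are all constructed assumptions of the example.

```python
import os
import fcntl
import tempfile

# Constructed stand-in for a detection signature (hypothetical, for this example only).
MARKER = b"CONSTRUCTED-MALICIOUS-MARKER"


def broker_open_readonly(path):
    """Privileged broker side: open the file read-only and return the descriptor.

    This is the only component that would need elevated file-read rights. It never
    executes or writes the file, and it hands the worker a descriptor rather than a
    path, so the worker needs no rights on the file (or the file system) at all.
    """
    return os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)


def fd_is_readonly(fd):
    """Check the access mode the kernel actually attached to the descriptor."""
    return (fcntl.fcntl(fd, fcntl.F_GETFL) & os.O_ACCMODE) == os.O_RDONLY


def worker_scan(fd):
    """Unprivileged worker side: read through the descriptor and look for MARKER."""
    data = bytearray()
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            break
        data += chunk
    return MARKER in data


def worker_can_write(fd):
    """Show that the worker cannot turn its read-only handle into a write: the kernel
    refuses os.write on an O_RDONLY descriptor (EBADF)."""
    try:
        os.write(fd, b"tamper")
        return True
    except OSError:
        return False


def scan_in_child(fd):
    """Run the scan in a separate process that inherits only the descriptor.
    In a real deployment the child would also drop privileges (setuid, seccomp,
    an AppContainer on Windows); that step is omitted here because the example is
    meant to run unprivileged (assumption). Exit code 1 = marker found, 0 = clean."""
    pid = os.fork()
    if pid == 0:  # child: scanning engine, no path, no privilege of its own
        try:
            os._exit(1 if worker_scan(fd) else 0)
        except BaseException:
            os._exit(2)
    _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status)
    if code == 2:
        raise RuntimeError("scan worker failed")
    return code == 1


def scan_paths(paths):
    """Broker loop: open each file read-only, scan it in the worker, and tag anything
    the broker is not allowed to open instead of widening the engine's privileges."""
    results = {}
    for path in paths:
        try:
            fd = broker_open_readonly(path)
        except PermissionError:
            results[path] = "needs-elevation"  # the 'tag it for later' idea from the thread
            continue
        except FileNotFoundError:
            results[path] = "missing"
            continue
        except OSError:
            results[path] = "open-error"  # e.g. ELOOP from O_NOFOLLOW on a symlink
            continue
        try:
            if not fd_is_readonly(fd):
                results[path] = "broker-error"  # never hand the engine a writable handle
                continue
            results[path] = "malicious" if scan_in_child(fd) else "clean"
        finally:
            os.close(fd)
    return results


def check_descriptor(path):
    """Return (is_readonly, worker_could_write) for the handle the broker produces."""
    fd = broker_open_readonly(path)
    try:
        return fd_is_readonly(fd), worker_can_write(fd)
    finally:
        os.close(fd)


def make_sample_files():
    """Constructed sample input: one clean file, one containing MARKER, one absent path."""
    d = tempfile.mkdtemp(prefix="scan-demo-")
    clean, bad = os.path.join(d, "notes.txt"), os.path.join(d, "dropper.bin")
    with open(clean, "wb") as f:
        f.write(b"quarterly report, nothing to see here\n")
    with open(bad, "wb") as f:
        f.write(b"\x7fELF" + MARKER + b"\x00" * 16)
    return {"clean": clean, "bad": bad, "missing": os.path.join(d, "gone.dat")}


if __name__ == "__main__":
    files = make_sample_files()
    print(scan_paths(list(files.values())))
    print("read-only handle, worker can write:", check_descriptor(files["clean"]))
```

The point of the split is the one SSL and leadeater are making from different angles: the scanning engine, which parses untrusted input and is the part most likely to contain a bug, never holds more than a read-only descriptor, so a flaw in the parser gives an attacker the ability to read the file it was already reading, not the ability to change permissions or execute anything.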

13 hours ago, imPixelTV said:

Can't be exploited if you don't even have the right version of Windows.

I can't afford your fancy dank memes, they cost too much

so have a store-bought no-name brand one..

Ryzen 5 3600 stock | 2x16GB C13 3200MHz (AFR) | GTX 760 (Sold the VII)| ASUS Prime X570-P | 6TB WD Gold (128MB Cache, 2017)

Samsung 850 EVO 240 GB 

138 is a good number.

 


tavis and crew strike again!

Ultimate XP gaming system build log coming soon!  Q8200 // 8GB DDR2 // Asus P5E Deluxe X48 // Asus 4870 DARK KNIGHT X-Fire // Supreme FX sound // BFG Ageia PhysX PCI Co-Processor // AX 860x with Silverstone extensions 


22 hours ago, SSL said:

Good question. Again, I'm not proposing that we solve these issues in this thread. I'm just pointing out that an AV engine running with all privileges is walking a fine line between making a system more secure and making it more vulnerable. This is a balance of which most users are blissfully unaware, and which most AV vendors actively fail to acknowledge. 

 

It may be that this is a compromise worth making in general, but there may be situations where no AV is more secure, such as against targeted attacks.

Yeah, but that is relevant to all ring 0 drivers (kernel drivers). Be it anti-virus engine, GPU drivers, etc. That's why we "have" to trust these companies to do their job properly, to avoid such potential bugs.

 

In regards to security: it is like an onion, it got layers.


18 hours ago, Jito463 said:

You feel free to run without AV then.  While I don't rely on AV as my primary line of defense (I use my wits and common sense for that), I do use it as a backup in case something slips past me or if I violate my own protocols for safe web surfing behavior.

AKA watching porn?


12 hours ago, leadeater said:

The proper solution would be for Microsoft to alter the OS to add a new special privilege designed for AV engines that is like SeBackupPrivilege but only has read access rather than read/write (backup software needs to restore files). It would also need read permission to all processes' memory space. It would have to be designed in such a way that it can't be easily abused either: like signed drivers, but a signed AV engine. There is still some danger even in that, due to the implicit trust of AV engines, but at least anything using it would be limited to read access.

I would imagine certain features in modern day AV require write permissions. Like sandboxing processes, etc. Not quite sure.


Just now, Jito463 said:

No.  Nitwit.

Right.. Just try not to violate your "safe web surfing behavior" :D


5 minutes ago, Jito463 said:

Congratulations for being the first person on this forum I put on ignore.

Always a pleasure.


23 minutes ago, Tomsen said:

Yeah, but that is relevant to all ring 0 drivers (kernel drivers). Be it anti-virus engine, GPU drivers, etc. That's why we "have" to trust these companies to do their job properly, to avoid such potential bugs.

 

In regards to security: it is like an onion, it got layers.

 

AV engines are more generally much more vulnerable because they actively place themselves on the front line. That is, they come into contact with just about everything on the system that could contain a malicious payload. 

 

It's been shown repeatedly that AV vendors generally do not do their due diligence when it comes to writing secure code. A lot of that comes from the fact that virus detection and writing secure software are not skill-sets that overlap all that much. 


19 hours ago, Jito463 said:

You feel free to run without AV then.  While I don't rely on AV as my primary line of defense (I use my wits and common sense for that), I do use it as a backup in case something slips past me or if I violate my own protocols for safe web surfing behavior.

For the most part, wits and common sense don't work anymore for safe browsing. A majority of malware is through ads now, even on "good sites", and with the amount of sites being breached or compromised, you don't know what code is on a site no matter how safe you think it is.

 

Best combo is still a non-admin account (people really need to know how much this helps), an adblocker, and AV (any of the top 5, or even paid Malwarebytes, which is the best case).

 

If you don't use any of those, wits and common sense will not save you.


Just now, mynameisjuan said:

For the most part, wits and common sense don't work anymore for safe browsing. A majority of malware is through ads now, even on "good sites", and with the amount of sites being breached or compromised, you don't know what code is on a site no matter how safe you think it is.

 

Best combo is still a non-admin account (people really need to know how much this helps), an adblocker, and AV (any of the top 5, or even paid Malwarebytes, which is the best case).

 

If you don't use any of those, wits and common sense will not save you.

Did you just read one part of my post, and respond based on that?  I specifically said I use the AV as a safeguard for anything that slips past me, which would include malicious code in an ad.  I very explicitly made that clear in my post.  You're arguing against a strawman that's completely defeated by the very post you responded to.

 

I have no idea why you even made this response.


7 minutes ago, Jito463 said:

Did you just read one part of my post, and respond based on that?  I specifically said I use the AV as a safeguard for anything that slips past me, which would include malicious code in an ad.  I very explicitly made that clear in my post.  You're arguing against a strawman that's completely defeated by the very post you responded to.

 

I have no idea why you even made this response.

No, I saw where it said wits and common sense was just a primary defense. Just pointing out that many people still use wits and common sense as their only defense, which needs to stop as an only defense. Wasn't a direct attack dude, calm down...
