Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: KHOBE - 8.0 earthquake for Windows desktop security software
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Thu, 13 May 2010 17:16:52 -0400

Actually, a consensus is developing that their claims are greatly
exaggerated.

The SSDT hooking they cite is only used on Windows XP (and server 2003)
and earlier. Starting in Vista SP1 Microsoft offered APIs that were good
enough that AV vendors didn't need to hook the SSDT and could co-exist
with Patchguard on 64-bit systems (the APIs are also on 32-bit Windows).
It's not even clear that Matousec actually tested all 35 of those
products to the point of exploiting them; all they did was to confirm
that they used SSDT patching (on XP). I asked them for comment on this
on the record and they didn't reply.

More than one antivirus vendor has said that their products are not
vulnerable to the technique. It's hard to say who is telling the truth,
but given all their overstatement matousec doesn't deserve the benefit
of the doubt.

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer () ziffdavis com 
http://blogs.pcmag.com/securitywatch/

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Marsh
Ray
Sent: Thursday, May 13, 2010 5:06 PM
To: Juha-Matti Laurio
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] KHOBE - 8.0 earthquake for Windows
desktop security software


Nice research! Thanks hmatousec.com for putting up the hard work of
testing all those products.

Anyone else notice the connection with the Systrace badness from a while
back?
http://www.watson.org/~robert/2007woot/
'Exploiting Concurrency Vulnerabilities in System Call Wrappers'

Perhaps Windows AV developers need to get out more.

- Marsh


On 5/13/2010 3:04 PM, Juha-Matti Laurio wrote:
Some AV vendors have posted their 'is-the-game-over-or-not' type
response.

F-Secure: http://www.f-secure.com/weblog/archives/00001949.html

Trend: 
http://countermeasures.trendmicro.eu/you-just-cant-trust-a-drunk/

Sophos: 

http://www.sophos.com/blogs/gc/g/2010/05/11/khobe-vulnerability-game-sec
urity-software/

 ESET: 

http://www.eset.com/blog/2010/05/11/khobe-wan-these-arent-the-droids-you
re-looking-for

 Juha-Matti

Jeffrey Walton [noloader () gmail com] kirjoitti:

Hi , Also known as a TOCTOU binding flaw (thanks GDM). 
http://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf
(dated 1996).

Jeff

On Wed, May 5, 2010 at 3:14 AM, www.matousec.com - Research
<researchmatousec.com> wrote:
Hello,

We have found number of vulnerabilities in implementations of
kernel hooks in many different security products.

--clip--

_______________________________________________ Full-Disclosure - We
believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]