back to article Kaspersky, McAfee, and AVG all vulnerable to major flaw

Some of the biggest names in the security software business have been compromised by a serious flaw that could allow a hacker to use the commercial security code to infiltrate computers. In March, researchers at security firm enSilo found a serious flaw in popular free antivirus engine AVG Internet Security 2015. They found …

  1. The Average Joe

    New McAfee software

    Enterprise users can install a newer version of 8.8, if they use EPO to remove the old and install the new

  2. nilfs2
    Linux

    Here, have a fix

    A fix for all known and unknown Windows viruses and vulnerabilities, http://www.debian.org

    1. Sandtitz Silver badge
      Trollface

      Re: Here, have a fix @nilfs2

      Man, you forgot the troll badge! And you should - by default - start doling out HTTPS URIs.

      A fix for all known known, known unknown, and unknown unknown Linux malware and vulnerabilities, https://www.microsoft.com

    2. Anonymous Coward
      Anonymous Coward

      Re: Here, have a fix

      "A fix for all known and unknown Windows viruses and vulnerabilities, http://www.debian.org"

      There's some particularly insidious malware affecting many Debian systems:

      https://en.wikipedia.org/wiki/Systemd

      Joking aside, there seem to be a lot of quasi-religious posts evangelising the poster's favourite OS here on El Reg. This gets tiresome and is out of place on a tech forum where I assume most readers are well informed enough to choose an OS that meets their requirements. (Speaking as an OS-agnostic Debian user since the '90s).

      1. jason 7

        Re: Here, have a fix

        Yes this forum could do with some standard cliché post replies as a drop down option for the less imaginative posters.

        Pretty tiresome to see the same old posts time and time again.

        YES WE KNOW!

      2. Chika
        Coat

        Re: Here, have a fix

        systemd? That isn't restricted to Debian systems either. And I'm not joking. Why can't they arrest the perp and have done with it?!?

        Agreed. I use different systems to do different things. I may give Linux advice in some of these threads but each OS has its strengths and flaws and I prefer to judge them realistically rather than evangelise.

        Besides, RISC OS kicks the crap out of all of them... ;)

      3. Vic

        Re: Here, have a fix

        I assume most readers are well informed enough to choose an OS that meets their requirements

        I don't think that's a safe assumption. I've seen a lot of OS religion here - of varying flavours.

        Vic.

  3. This post has been deleted by a moderator

  4. Michael Thibault

    "This post has been deleted by a moderator"

    Seldom seen! Very curious to know what that was about.

    1. willi0000000

      Re: "This post has been deleted by a moderator"

      i believe that is called The Banhammer of Loving Correction.

    2. Notas Badoff

      Re: "This code has been deleted by a exploiter"

      Perhaps it was a description of the exact flaws, or link to such?

      Having read the article only once, am I to understand that at least three or more AV companies - in their separate amazing and patentable software development - all came up with code so similar the same exploit techniques would work for each?

      Can we please use this phantasmagoric occurrence as yet another example that s/w 'genius' ain't necessarily unique, or code patentable? Instead of these companies playing patent gotcha against each other with their code, the exploit showed the illusion behind the claims of uniqueness.

      1. DryBones

        Re: "This code has been deleted by a exploiter"

        Reads more like it's a common error, to me. It's basically saying that they're traveling the same route too often and so someone put a bomb where they're going to pass.

        1. Michael Wojcik Silver badge

          Re: "This code has been deleted by a exploiter"

          Reads more like it's a common error, to me.

          Same thing, innit? That is, the original point was that if you find the same vulnerability in similar products from three vendors, that suggests software developers tend to keep reinventing the same bug-wheels.

          I have a vague memory of a study that showed similar results when multiple teams are given the task of implementing the same system in parallel. That technique is sometimes recommended for producing fault-tolerant software, on the assumption that, say, three different implementations will have different bugs, and so won't all fail the same way on the same input. But the study found that the independent groups tended to make similar mistakes.

          By the way, Ormandy's blog post that's linked from the article is worth a quick read, like pretty much all of his vulnerability analyses.

  5. Breen Whitman

    I wondered how several products had the same flaw. Intel owns them. There's the answer.

    1. ardubbleyu

      Don't think Intel owns Kaspersky - in any case KIS 2016 is now widely available and not vulnerable to this AFAIK.

    2. Chika
      FAIL

      I wondered how several products had the same flaw. Intel owns them. There's the answer.

      Are you sure that was what you meant? I suspect that you probably meant that the code developed that way because of the product they were designed for, that being the Intel processor based system. Mind you, even that's clutching a bit...

  6. Ken Moorhouse Silver badge

    Predictable

    By virtue of all programs running under a host Operating System it is possible to work out what resources are being used where - Sysinternals has been demonstrating this for years. The vulnerability is surely in the ability of the OS to be coaxed into allowing another program to write to the same memory area, or to allow a process not under its control to shunt memory to another location and back again.

    The contra to that is presumably for the AV program to repeatedly checksum memory (in an internal proprietary way) that it uses either for transient or ongoing usage. Yes this will impact performance, but being the nature of AV programs they have to start from the premise of paranoia. How else can an AV program detect that it is running within a Rootkit shell?

    1. phuzz Silver badge

      Re: Predictable

      There's two things they could do to minimise the risk. One, use ASLR or a similar tech to make sure that the allocated memory is not at a predictable address. The second is to minimise how much memory is marked as readable/writeable/executable (a bit like not having everything chmod'ed to 777 on linux).

      1. Michael Wojcik Silver badge

        Re: Predictable

        One, use ASLR or a similar tech to make sure that the allocated memory is not at a predictable address.

        Read Ormandy's blog post. Kaspersky was using ASLR.

        Unfortunately ASLR is pretty easy to defeat in most cases. There's a ton of information available on this topic in the BUGTRAQ archives and the like. That doesn't mean it's not worth using, particularly since it's generally a link-time option and requires epsilon-effort from the developer, but it doesn't actually offer much protection.

        The second is to minimise how much memory is marked as readable/writeable/executable (a bit like not having everything chmod'ed to 777 on linux).

        Critically, in Kaspersky's case, they weren't using non-executable stack (again per Ormandy's blog). Of course many stack-smashing exploits work even with non-executable stack, using ROP and similar techniques. But again this is usually easy to turn on (if it's available at all for the platform you're using) and generally worth doing, unless you have special requirements.

  7. Anonymous Coward
    Anonymous Coward

    Anti-virus? That's a blast from the past!

    Glad I don't need to run that crap anymore. Why people find it acceptable they have to use it, when they really don't, is beyond me.

    1. Anonymous Coward
      Anonymous Coward

      Given up using a computer and/or internet then have we?

      1. Roo
        Windows

        "Given up using a computer and/or internet then have we?"

        Give that you are replying to a post on the internet I suspect that's not the case. The OP could be using an OS that doesn't require an AV product to detect infection... These do exist and amazingly they did exist before the Internet too, you don't even have to believe me you can read about them in thousands of papers published in the 60s, 70s, 80s, 90s, 00s and even the '10s. :)

        Even on Windows boxes AV still isn't a requirement - it's a "nice to have" for people who don't wish to invest their time in good security practice & backups - ie: people who trade security for convenience.

        1. Anonymous Coward
          Anonymous Coward

          Well obviously :-) and of course he might be using a machine that has no (to my knowledge) third party offering (such as an iPad). But, although good security (if you want to go beyond an air gap and trust everyone with access to the machines) is not just a matter of good practice (sans AV) and backup. AV products do have their uses (and as we have seen, their own vulnerabilities).

          Of course there are machines from the past that are difficult/impossible to corrupt, through design or simple limitations. I remember visiting a US DoD site in the 80s where I was amazed about the number of Macs (all running pre OSX) littering the place. Security was the reason given - obscurity and the multithreaded design.

          Using an older machine to do much that most people would describe as useful on the net today (including posting to the reg) requires something a little more up to date than EMA though.....

        2. Anonymous Coward
          Anonymous Coward

          for people who don't wish to invest their time in good security practice & backups

          I already do, hence no requirement of AV. AV is for the "download and run anything from anywhere" type of people. That is not me.

          My chosen OS vendor provides the binaries for nearly all the software I require, ensuring no viruses or "PUPs" or other bundled shit. The rest is from trusted repositories.

          I also back-up my configs and "home" directory (well, I don't personally - it's automatic). No need to back-up the OS.

          Anti-virus is a band-aid for people who don't follow good security/backup practices.

  8. the idiotuk

    You can add Sophos to the list too.

  9. Sean Nevin

    ESET NOD32 is also "likely to be vunerable" according to the Checking tool.

    What's worse is that I'm also using EMET with its maximum settings.

    1. This post has been deleted by its author

  10. VIllage_Idiot

    It looks like McAfee/Intel Security responded to this back in August with a patch:

    http://www.scmagazine.com/vulnerability-found-in-mcafee-kaspersky-and-avg-anti-virus-softwares/article/459241/

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022