Predictable: How AV flaw hit Microsoft's Windows defences

Could it be that time spent by Microsoft on software security counts for naught? Possibly - based on the findings of an investigation by enSilo that found some of the best-known AV names are susceptible to new vulnerabilities. The results are alarming, suggesting an entire ecosystem unwittingly opening a back door into …

  1. jason 7

    That's all very well...

    "This practice runs contrary to various security attack mitigation technologies Microsoft has introduced into Windows, namely the randomisation of memory (ASLR - Address space layout randomization) and preventing data from running in memory (DEP - Data Execution Prevention)."

    Yes, but it's all switched off by default. EMET helps switch it all on, but really, after all these years it's time to enable it in the OS by default.

    If it breaks a few 15+ year old bits of software then that's maybe time for a change.

    1. Field Commander A9

      Re: That's all very well...

      DEP breaks Counter Strike 1.6, which is still the most played version of Counter Strike in the country that has THE most population on the planet.

      1. Bob Dole (tm)

        Re: That's all very well...

        I have no doubt that Sierra Studios would get their act together and fix their software if all those customers suddenly couldn't play it anymore.

        1. jason 7

          Re: That's all very well...

          Indeed, I mean otherwise it's perfectly reasonable to keep every PC insecure by default to enable a 16 year old game to keep working.

          Either correct the code to modern security standards or put it out to pasture. Don't hold everyone else back.

        2. oldcoder

          Re: That's all very well...

          No... they would just want everyone to buy another version...

          The customers would still blame MS for producing crap in the first place.
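
The "predictable" part of the article's headline is the point the exchange above circles around: a security product that carves out memory that is readable, writable and executable at once, and gets the same address for it on every run, hands an attacker a DEP and ASLR bypass in one go. The following is an added example written for this page, not enSilo's AVulnerabilityChecker and not code from the article or the thread: it parses process memory maps in Linux /proc/<pid>/maps format, counts RWX regions, and reports RWX regions that sit at the identical address in two snapshots of the same program. The two embedded snapshots, their addresses and the /opt/scanner path are constructed for the demonstration, not real captures.

```c
/* Added example for this thread, not enSilo's AVulnerabilityChecker and not
 * code from the article: find RWX memory regions in a process snapshot and,
 * given two snapshots of the same program, report RWX regions that sit at the
 * identical address both times (executable+writable memory ASLR never moved).
 * Snapshot format is Linux /proc/<pid>/maps; the embedded snapshots are
 * constructed for the demo, not real captures. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_REGIONS 512

typedef struct {
    uint64_t base, size; /* first address and length of the region */
    int r, w, x;         /* protection bits */
} region_t;

static int is_rwx(const region_t *reg) { return reg->r && reg->w && reg->x; }

/* Parse one maps line, e.g. "7f3a20000000-7f3a20001000 rwxp 00000000 00:00 0" */
int parse_maps_line(const char *line, region_t *out) {
    unsigned long long lo, hi;
    char perms[5];
    if (sscanf(line, "%llx-%llx %4s", &lo, &hi, perms) != 3 || hi < lo) return 0;
    out->base = lo; out->size = hi - lo;
    out->r = perms[0] == 'r'; out->w = perms[1] == 'w'; out->x = perms[2] == 'x';
    return 1;
}

/* Parse a whole maps-format text; returns the number of regions stored. */
int parse_maps(const char *text, region_t *regs, int max) {
    int n = 0;
    while (*text && n < max) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1; /* truncate oversize lines */
        memcpy(line, text, len);
        line[len] = '\0';
        if (parse_maps_line(line, &regs[n])) n++;
        text = nl ? nl + 1 : text + strlen(text);
    }
    return n;
}

/* Regions readable, writable and executable at once: what DEP should make rare. */
int count_rwx(const region_t *regs, int n) {
    int c = 0;
    for (int i = 0; i < n; i++) c += is_rwx(&regs[i]);
    return c;
}

/* RWX regions at the same base in both snapshots: predictable allocations an
 * exploit can hard-code instead of first leaking an address. Returns the hit
 * count and stores up to max_out base addresses in out. */
int predictable_rwx(const region_t *a, int na, const region_t *b, int nb,
                    uint64_t *out, int max_out) {
    int hits = 0;
    for (int i = 0; i < na; i++) {
        if (!is_rwx(&a[i])) continue;
        for (int j = 0; j < nb; j++) {
            if (is_rwx(&b[j]) && b[j].base == a[i].base) {
                if (hits < max_out) out[hits] = a[i].base;
                hits++;
                break;
            }
        }
    }
    return hits;
}

/* Constructed snapshots of two runs: the heap and one rwx block moved (ASLR
 * working), but the rwx block at 0x10000000 came back at the same address. */
static const char SNAP_A[] =
    "00400000-00401000 r-xp 00000000 08:01 1 /opt/scanner\n"
    "10000000-10010000 rwxp 00000000 00:00 0\n"
    "7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0 [heap]\n"
    "7f3a20000000-7f3a20001000 rwxp 00000000 00:00 0\n";
static const char SNAP_B[] =
    "00400000-00401000 r-xp 00000000 08:01 1 /opt/scanner\n"
    "10000000-10010000 rwxp 00000000 00:00 0\n"
    "7f3a55000000-7f3a55021000 rw-p 00000000 00:00 0 [heap]\n"
    "7f3a61000000-7f3a61001000 rwxp 00000000 00:00 0\n";

/* Compare the constructed snapshots; returns the predictable-RWX count and
 * stores the first offending base address in *first (0 if none). */
int analyze_constructed(uint64_t *first) {
    region_t a[MAX_REGIONS], b[MAX_REGIONS];
    uint64_t hits[16];
    int na = parse_maps(SNAP_A, a, MAX_REGIONS);
    int nb = parse_maps(SNAP_B, b, MAX_REGIONS);
    int n = predictable_rwx(a, na, b, nb, hits, 16);
    *first = n > 0 ? hits[0] : 0;
    return n;
}

int main(void) {
    uint64_t first;
    int n = analyze_constructed(&first);
    printf("%d predictable RWX region(s), first at 0x%llx\n", n, (unsigned long long)first);
    return 0;
}
```

On Linux the same parser can be fed `/proc/<pid>/maps` of a real process, started twice, to look for the pattern; on Windows the region list would instead be built by walking the address space with VirtualQueryEx and treating PAGE_EXECUTE_READWRITE commits as RWX. A single RWX region is already a DEP gap; the same RWX region at the same address across runs is the DEP-plus-ASLR gap the article describes.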

  2. Anonymous Coward
    Coat

    How I read the article

    Security is really hard, best not try.

    1. Anonymous Coward

      Re: How I read the article

      "Most problems are simple. Simple things are hard."

    2. Anonymous Coward

      Re: How I read the article

      Symantec sucks. McAfee too. And others... They cost money.

      Microsoft's own security products are better. And free.

      Duh.

      This doesn't even include the fact that most 3rd party security software are a royal PITA.

      Like, duh.

      Uninstall the paid Frustrationware and go with MS defaults. Better in every way.

      1. Anonymous Coward

        Re: How I read the article

        Microsoft's own security products are better.

        Citation needed.

        I use MSE (or whatever it is called this week), but that's only because I'm a cheapskate, not because I believe it does a better job.

      2. MrDamage Silver badge

        To paraphrase another commentard...

        If MS Malicious Software Removal Tool is so great, why doesn't it uninstall Windows?

      3. Hans 1
        Boffin

        Re: How I read the article

        >Microsoft's own security products are better. And free.

        Check Windows Defender is up to date and that you have the latest malware removal tool from Windows Update. OK, go and download VLC, OpenOffice, or Word Viewer, for example, from the advertised link in Google, so from Softpedia, 01net or whatever, install it, notice it also installs Boxore and a bunch of other crap (without informing the user), see how Boxore installs plenty more BS, all while Windows Defender is scanning the hard drive, and it finds nothing.

        Boxore has been around at the very least for 2 years, all major anti-virus products detect and remove it, except Windows Defender - or whatever it is called in your version of Windows.

        This is just one example, I have not personally been infected by boxore, just had to fix a handful of computers that were, all had fully updated Windows Defender, the first was two years ago, the last was 2 weeks ago. I always download software from the actual website, not via other services - so I have never personally encountered this.

        The instructions provided are based on accounts of victims.

    3. oldcoder

      Re: How I read the article

      That is why MS doesn't bother to even try.

      Besides, they get more money that way.

  3. jake Silver badge

    "Could it be that time spent by Microsoft on software security counts for naught?"

    Oh GAWD/ESS! Say it ain't so! My entire world will be for naught!

    (If anybody missed it, the above is sarcasm.)

  4. Forget It
    IT Angle

    How does MS's own Windows Defender fare here?

    1. graeme leggett Silver badge

      article says " Security products from Microsoft and others avoid the problem, according to preliminary testing."

  5. TRT Silver badge

    How about...

    a list of the OK AV?

    1. Anonymous Coward

      Re: How about...

      Avoid the paid Frustrationware.

      Just rely on the MS defaults.

      Done. Life will be much easier.

      1. oldcoder

        Re: How about...

        Tell that to the OPM, Madison Ashley, Bank of America, ....

        No, MS defaults are very very bad. MS hasn't had a decent secure design in years.

  6. Anonymous Coward

    What's amusing is that

    these security researchers blog is on Wordpress!

    1. Anonymous Coward

      Re: What's amusing is that

      These security researchers blog is on Wordpress!

      Before downvoting someone, you might want to follow all the links in the article.

      This link comes from the page hosted on Github linked in the article at https://github.com/BreakingMalware/AVulnerabilityChecker and the link below is the actual blog site.

      http://breakingmalware.com/vulnerabilities/sedating-watchdog-abusing-security-products-bypass-mitigations/

      Go all the way to the bottom of the page and tell me what it says. What did you see?

      "Proudly powered by Wordpress"?

      The fact is that it seems somewhat ironic that a "security" researchers' blog is on the most insecure blogging platform out there.

      1. harmjschoonhoven
        Unhappy

        Re: What's amusing is that these security researchers blog is on Wordpress!

        Don't know how insecure Wordpress is. However, validating websites Proudly powered by Wordpress with https://validator.w3.org/#validate_by_uri gives, in most but not all cases, a long list of errors and warnings.

        For http://breakingmalware.com/vulnerabilities/sedating-watchdog-abusing-security-products-bypass-mitigations/

        Warning at Line 113: The banner role is unnecessary for element header.

        Error at Line 115: No space between attributes.

        Error at Line 121: Start tag a seen but an element of the same type was already open.

        Error at Line 121: End tag a violates nesting rules.

        Fatal Error at Line 121: Cannot recover after last error. Any further errors will be ignored.

  7. Psymon

    The MS platform is pretty robust these days, but it only takes one bad Apple

    Watching the last decade play out in the IT world, I think the biggest surprise for me is just how much I like MS products. Yes, Redmond have made huge leaps in security technology, and in many ways the Windows OS is superior to some, but I’ll tell you where TRUE security comes from, and it’s not down to writing code that checks for buffer overflows.

    Rewind to the start of the millennium, and if you so much as mentioned Bill Gates to me, the room would be filled with the palpable taste of tin as my rage and vitriol spewed forth. I hated the company for stifling the software ecology, killing the shareware culture, and stamping out the competition with unfair practices, forcing me to use their inferior products.

    I think the first twinkle of change began with Win2k. At least when it crashed, I could restart the explorer process. Woo hoo! Then XP came along, and I was actually very impressed with its multiple display capabilities. I became a sysadmin shortly after that. It was then that my eyes began to open. You’ll never really fully understand the power and flexibility of the MS platform until you’ve played with Group Policy Management in a domain environment. It’s only then that the tip of the iceberg reveals itself to you, and you begin to understand the point of the registry, and what all these “useless” services running in the background are for that you keep disabling.

    I was running a medium sized school network at the time when the Sasser worm struck, which triggered Bill Gates’ famous “security security security” email that changed the company's focus. When the Sasser worm struck our network, it was unable to cause any damage. The details are a little hazy (it was a long time ago), but it was due to my disabling of certain services and file permissions via group policy that prevented it from being able to install.

    Even back then, it began to dawn on me that as long as you worked professionally, the MS stack was the least of your worries. The first warning shot was Firefox. Yes, when you compared them on a technical level at that time, Firefox was faster, more secure, and had more features. What it didn’t have was central management. You couldn’t even define the home page centrally, let alone restrict what plugins it could use, and this factor proved more important than any other, especially when you had over a thousand school kids hammering away at your security, visiting dodgy sites.

    IE7 may have been riddled with ActiveX vulnerabilities, but you could create a white list of sites that were allowed to call them, and even restrict plugins like Flash to only running on specific sites. You could also spot at a glance in WSUS if any of your computers hadn’t installed any security updates that were being actively exploited. Firefox, on the other hand, was a black hole on your network. I was once called by a teacher who said certain websites weren’t displaying correctly. Turns out, he refused to update from Firefox 1.0, because he liked the look. Naturally, his laptop was infested.

    Fast forward to today, and this situation is even further polarised. MS have been so focused on security in the last decade, their products are the least of my concern. It’s the unholy trinity of Java, Acrobat and Flash I have to worry about. Ironically, I keep them patched using a combination of Ninite, and SCCM to deploy the patches. And now, we have the Internet Of Things to worry about.

    Historically, Unix may have been a superior network platform, and hence the various ‘nix flavours had a technical advantage, but this means diddly squat in the real world. Where is Samsung’s version of WSUS, to alert me that the smart TV hanging in the foyer is unpatched, and could pwn my network at any minute? Or the HP printers? Or the Canon Scanners? Or the Linksys access point the sales team bought with their own budget?

    Even when they do have some management/patching tools, with weary inevitability, I find myself thinking something the me of ten years ago would be horrified to hear. “I wish this was as good as Microsoft.”

    Every single OS and software product has vulnerabilities waiting to be exploited. The only real security is in central monitoring, and control.

    1. Anonymous Coward

      Re: The MS platform is pretty robust these days, but it only takes one bad Apple

      "The only real security is in central monitoring, and control."

      But central monitoring and control, unless implemented perfectly, then becomes the backdoor to focus on, just as a government encryption backdoor is immediately the target of state-level spying.

      1. Psymon

        Re: The MS platform is pretty robust these days, but it only takes one bad Apple

        The only place perfection exists is within theoretical mathematics. While I understand your point that the monitoring and management layer could be targeted, any system without management and monitoring is more susceptible by factors, and therefore less secure by factors.

        It’s an engineering compromise. Just as perfect security would require putting several bullets through the hard disk of the device. Even air-gapped computers are vulnerable if the human that gains access is compromised, but knowing that a compromise is occurring, or that a vulnerability has just appeared is vital information.

        I think your back door analogy is somewhat flawed, because the two motivations are radically different. The proposal to put a back door in existing encryption technologies is not to ensure that the encryption technology itself is functioning properly, just as the monitoring and maintenance software does not tell me what the user is typing into word right now. One is aimed at bypassing the inherent security, while the other is geared to ensure it stays up. Therefore, using the former for malicious intent is a lot easier.

    2. Anonymous Coward

      Re: The MS platform is pretty robust these days, but it only takes one bad Apple

      Historically, the reason BSD got so tough was you had damn near anyone with an account at UC Berkeley and the other UC's trying their damnedest to break, and break into, it. That breeds into it resilience. So it's no surprise that the pattern recurs. [Predation response.]

    3. Anonymous Coward

      Re: The MS platform is pretty robust these days, but it only takes one bad Apple

      Yes, it's so secure there are ZERO windows bots out there and no windows user is ever pawned. Did you think about what utter shite you just posted. How many times does a competent software company have to fix a file such as tcpip.sys?

      1. patrickstar

        Re: The MS platform is pretty robust these days, but it only takes one bad Apple

        There are tons of compromised Windows clients. Why? Because there are tons of Windows clients.

        There are tons of compromised *ix servers. Why? Because there are tons of *ix servers.

        In fact, that's how the Windows clients get compromised in the first place, by exploits served up from compromised *ix servers. Just recently two completely random, non-seedy sites, both running on *ix, have served up IFRAMEs to Russian exploit packs trying to compromise my Windows box...

        The major server-side security issue today is Web applications, most of which can run on both Windows and *ix. The MS specific ones (ASP.NET) are at least not worse than the rest, arguably better than certain (*cough* PHP *cough*).

        The major client-side security issue today is Web browsers, most of which (Chrome, Firefox, Safari) can run on both Windows and *ix. The MS specific one (Internet Explorer) is at least not worse than the rest (it used to be though, back in the days of IE 5-6).

        As for networking stack bugs, I can more than assure you that all full-weight stacks go through regular bug fixes. Look at the diffs of the Linux (or whatever) kernel if you don't believe me.

        They also all have occasional, but rare, remote vulnerabilities (MS08-01, Linux SCTP, OpenBSD IPsec...).

        1. el_oscuro

          Re: The MS platform is pretty robust these days, but it only takes one bad Apple

          Rare remotely exploitable bugs? In Microsoft? Just last week, they released patches for 71 new vulnerabilities across their entire product line, many of which are remotely exploitable:

          Need to p0wn a DNS server? Microsoft has got you covered.

          http://www.theregister.co.uk/2015/12/08/patch_tuesday_december2015/

    4. Paul Crawford Silver badge

      Re: The MS platform is pretty robust ... Firefox

      Yes, this is a sore point also on most Linux systems as well. If there is one sane thing that the Firefox management could do for their products and the world at large, it would be to focus on making a browser that was easy to secure and designed to enforce a respect for privacy.

      That means having a simple way of using central management tools to set parameters and to force/block plug-ins that are centrally defined, and to have a sane limit on what the browser should ever need to access so things like AppArmor profiles are trivial to use without issues. And this goal should be thought through so it works using WSUS and several of the Linux options (both per-machine via local admin, and centrally for the network).

      As far as privacy goes, this means reporting only one of a few configurations so it's not easy to fingerprint for tracking (and/or randomly reporting different bits every time so no two sessions on a given machine look alike, e.g. dithering on canvas draw etc). It also means having a design so things like history and cookies are all isolated from JavaScript and plug-ins by default, and only signed plugins that ask for permission and are granted it can use it. And that denying access just returns a near-blank list, like a fresh browser install, so a plugin can't tell if it has real access blocked or not.

      So please, Firefox team, quit dicking around with the GUI to look like Chrome, quit removing features because you can't be arsed to support or test them, and focus on having a selling point that system admins want - an easy life of little trouble from users, idiot or otherwise.

      1. Havin_it
        Holmes

        Re: The MS platform is pretty robust ... Firefox

        I would have thought that Firefox's design lent itself quite nicely to central management, from my own mucking-about with it some years back (or is this what they've "ripped out" feature-wise?).

        I found the config options, and scope for the user to override them, could be quite effectively locked-down with judicious use of the user.js, userChrome.css and userContent.css (to all of which the user could be denied write-permission without problems). Of course it was also necessary to ensure they couldn't invoke the profile manager to escape this "jail", but that is certainly beyond the scope of the browser itself.

        I've recently been playing around with the Sync feature, and it occurs that in tandem with the above, an in-house Sync server (not the easiest thing to achieve, but doable) could go a long way towards enforcing and managing a stock config across a whole enterprise.

        As to why the developers haven't made it play better with existing security/management tools: well, it's their choice and none have had the motivation. Perhaps that means there hasn't been sufficient demand? Only recently was there sufficient clamour for an LTS release channel, but now there it is. Ditto the Aurora channel. Remember also that some of FF's best features have started as add-ons, so if there isn't sufficient core dev interest, why is there not an addon project underway that addresses the needs of seat-wrangling control-freaks? Use the Source, mook! (Sorry, couldn't resist...)

    5. druck Silver badge
      Thumb Down

      Re: The MS platform is pretty robust these days, but it only takes one bad Apple

      Compared to Windows 95, undoubtedly the security of Microsoft products has got better. But compared to commercial UNIXes, BSDs and Linux, it's got at least twice as far again to go.

      1. patrickstar

        Re: The MS platform is pretty robust these days, but it only takes one bad Apple

        Commercial UNIX? Solaris doesn't even come with proper DEP (only noexec_user_stack) and no ASLR. It's a good system in many ways, but not something you'd want exposed (either client- or server-side) to the sort of people who'd attack it.

        BSDs? Not enough exposure nowadays to form a good opinion IMHO. Dodgy history, especially kernel-wise. I expect there to be more. At least they tend to ship very minimal standard installations.

        Linux?

        As a stock desktop: Chances are you'll be running the same browser as you would on Windows. And once code is running in the browser, going from a sudo-enabled account to root isn't exactly rocket science. Windows loses here if it's just UAC (but not by a huge margin), but probably not if you're running as a proper non-admin account. In case of proper sandboxing, this is likely to fail on either system, but is somewhat compensated by the horrendous security history of kernel/drivers on both. Windows has a larger attack surface here (Win32k), though post Win8 or so sandboxed processes can be prevented from touching it. Certain drivers (graphics in particular) are likely going to screw you in either case.

        Stock server: Start running dodgy/complex web applications and you're likely screwed, either due to a targeted attack or mass automated compromise. Hell - there's even PHP ransomware nowadays.

        Customized, hardened server, stripped-down kernel with grsec (chroot hardening, UDEREF/KERNEXEC, TPE/MPROTECT, ...), services running properly jailed with minimum privs, no SUIDs, etc etc.: Here is where Linux shines security-wise. The advantage of the *ix's (and other open source and/or highly modular systems) is that you CAN actually do this. Not that many people do (how many people even build their own kernels nowadays?) For the record, this is the only setup I'd ever dream of letting untrusted users login/run stuff on.

        So, they all suck. Sad state. MS could improve by moving Win32k back where it belongs (core NTOSKRNL is, for the most part, really good code and pretty tight). Linux could improve by having the mainline kernel developers (and distro packagers) clue up security-wise.

    6. a_yank_lurker

      Re: The MS platform is pretty robust these days, but it only takes one bad Apple

      The real problem is that Winbloat tends to force regular users to create a non-admin account. Most SOHO users never set this account up. Also, Winbloat does not have a decent app store/repository system for vetting and installing all software. This forces users to track down installers that are often loaded with crapware. Patch management seems to be hit or miss with Slurp, to add to user woes.

      Back to the article, it seems whatever Slurp is trying to do to improve security is being undermined by sloppy coding by various third party "security" packages. Rather ironic, a major Winbloat insecurity is absolutely not at Slurp's door.

      Maybe the best solution for Slurp is to completely rewrite Winbloat even if it means breaking some PHB's favorite, excessively obsolete package.

    7. Fuzz

      Re: Or the HP printers?

      It's called webjet admin, centralised patching, reporting etc. etc. for your HP printers.

    8. Hans 1
      Coffee/keyboard

      Re: The MS platform is pretty robust these days, but it only takes one bad Apple

      >I think the first twinkle of change began with Win2k. At least when it crashed, I could restart the explorer process. Woo hoo! Then XP came along, and I was actually very impressed with it’s multiple display capabilities. I became a sysadmin shortly after that. It was then that my eyes began to open. You’ll never really fully understand the power and flexibility of the MS platform until you’ve played with Group Policy Management in a domain environment. It’s only then that the tip of the iceberg reveals itself to you, and you begin to understand the point of the registry, and what all these “useless” services running in the background are for that you keep disabling.

      UNIX has had GPO-like functionality since the dawn of time, before Windows had TCP/IP. Not only that, but you can control anything, any piece of software written to run on the platform. AND, you can do one thing GPO cannot, and that is control configuration files. Remember, on UNIX, everything is a file. You can configure push/pull, shit, you can even version control your settings!!!!! Diff, patch, merge, how do you do that in the wonderful world of GPO?

      Now you have puppet, and that is not even the same league as GPO, because it supports WAYYYYYY more features for Windows clients than GPO, supports "almost" anything out there - go look at the modules. https://forge.puppetlabs.com/

      >Even back then, it began to dawn on me that as long as you worked professionally, the MS stack was the least of your worries. The first warning shot was Firefox. Yes, when you compared them on a technical level at that time, Firefox was faster, more secure, and had more features. What it didn’t have was central management. You couldn’t even define the home page centrally, let alone restrict what plugins it could use, and this factor proved more important than any other, especially when you had over a thousand school kids hammering away at your security, visiting dodgy sites.

      Again, you cannot control Firefox out-of-the-box with GPO because GPO cannot control configuration files. You can hack Firefox pretty easily so it reads stuff like site whitelists, homepage, etc from the registry, even use the IE whitelist, homepage, disable individual plugins or disable all plugins altogether. etc it is pretty easy, if you know JavaScript.

      Firefox was designed for UNIX.

      >Historically, Unix may have been a superior network platform, and hence the various ‘nix flavours had a technical advantage, but this means diddly squat in the real world. Where is Samsung’s version of WSUS, to alert me that the smart TV hanging in the foyer is unpatched, and could pwn my network at any minute? Or the HP printers? Or the Canon Scanners? Or the Linksys access point the sales team bought with their own budget?

      Who in their right mind plugs a smartTV into their network???? As for printer and scanners, in UNIX, the printer driver is a ppd file, no 500Mb download that takes 3 reboots to install. SANE does a pretty good job at detecting scanners, from my experience at least. Besides, on UNIX, when you use the repos, which you do 99% of the time, ALL SOFTWARE IS KEPT UP-TO-DATE, and Linux 4.x means that you no longer need to reboot, even when you update the kernel.

      In UNIX, what would be considered server software is available in the repos, comprised in your support contract, if you need one, such as databases, diverse servers (mail,) ... you can even have all Linux/FreeBSD boxes use your own repository, an intern can set that up in 5 minutes (not including download time, largely depends on which software you want in your repo).

      Now, go back to your crayola, please.

  8. Malcolm 1

    AV has always been a potential risk

    Outside the basic OS services, I would wager that there are very few other commonly installed applications with the system privileges enjoyed by a virus scanner - it has system hooks everywhere (almost by definition). It's also the first in the firing line for any code of dubious origin (also by definition).

    Now you'd like to think that all AV products were crafted by the finest, most security aware development teams in the known universe, but the evidence often indicates otherwise. If I was a malware writer I think AV products would be very high up my hit list so this sort of attack seems entirely unsurprising.

    1. Anonymous Coward

      Re: AV has always been a potential risk

      One of Microsoft's biggest problems was that they cleverly included all kinds of API links between their office products and Windows, thus creating a security nightmare that took W7 to make fixable. It's like putting up a building where every room leads into another room by an unlocked door, and then trying to secure it by trying to lock all the windows. That people need to open.

      AV is an attack vector because it's like a security guard that has the keys to all the windows in the building. No matter how efficient the security guard, mug him and you have all the keys.

      But designing a properly secure system would mean that every single application programmer would have to follow best practice all the time - the equivalent of putting locks on all the internal doors so that anybody getting in through a window is still in a locked room. And applications would need to be properly sandboxed, which means that the approach of click on everything and it will run is dead. Realistically, the whole app-based ecosystem becomes history.

      It's possible to think that may be where we end up, even so.

      1. Anonymous Coward

        Re: AV has always been a potential risk

        Aside from point-and-click goodness, I'm looking at Qubes for exactly the reasons you cite. Especially for internet facing.

        1. Anonymous Coward

          Re: AV has always been a potential risk

          "Aside from point-and-click goodness, I'm looking at Qubes for exactly the reasons you cite. Especially for internet facing."

          Thanks a lot for that; I had lost track of the project and thought it had sunk. Now I'm going to catch up.

          Oh, and if only more technical people could write as clearly as Joanna Rutkowska.

    2. patrickstar

      Re: AV has always been a potential risk

      The reason there are no widespread AV attacks is simply that there are so many of them. They are just as exposed as the stuff normally targeted (browsers/plugins...), happily running loads of complex parsers on anything that comes by the computer, and are universally either:

      -really crappy code

      -really heavily optimized code

      or a mix of the two.

      AVs can't usually be fingerprinted from the browser - except when they actually install a browser plugin I suppose - so you'd need to try a whole bunch of exploits against anyone that drops by with the proper OS version. Quite noisy.

      Plus malware distributors are probably afraid of the associated heat and attention. Targeting an AV would really bring them on your ass.

      However, for targeted attacks, I am more than certain that the usual TLAs, spooks and industrial spies have a whole arsenal of AV exploits.

  9. Camilla Smythe

    Had to update my XP VM recently.

    I wanted to use it for something 'only' Windows could do. AVG was part of that thankless task as well as Flash, yadda, yadda, yadda, with the threat of Chrome and a Google Search bar.... Fuck me I should have done Acrobat as well to invite Jeeves to the disk thrashing party, along with various 'balloons' repeatedly popping up trying to be 'helpful' or warning me about shit I already knew about. I gave up on the browser coming up after 30 minutes, 35 if you include getting it to respond to the request to shut it, the system, down.... Then it blithered on about waiting for it to install updates so I put myself out of my misery from the VM panel. I might try it again when I don't have a Mistress on hand to Kick my Head in whilst I'm repeatedly screaming Banana at her through what's left of my teeth.

  10. Bucky 2

    For some values of "Resolved"

    enSilo states this issue is yet to be resolved - a claim firmly denied by Intel Security, which said it patched the bug in late August.

    I'd argue that if the end user must think to search out a bug, find a patch, and then install it manually, that bug doesn't get to have the status "closed." Until it's rolled out in an automatic update, it's in "testing" at best.

  11. JeffyPoooh
    Pint

    Y'all should have stuck with the Harvard architecture...

    As soon as you put data and executable code into the same memory space, you've set yourself up - inherently - for computer insecurity. And there's NOTHING you can do about it.. ..until you separate these two spaces in hardware.

    Within 5-10 years, hardware will be fast enough that you'll see malware that brings along a virtual environment for the stooge OS to live. Scanning a computer will be like sitting a lying criminal in a chair and asking him if he's innocent or guilty. USELESS.

    Next issue is that hardware is being replaced with software. E.g. USB controllers are now ARM processors, and malware can hide in the controller, invisible to "security scanning" the flash. This is only going to get worse and worse. You can NEVER certify a system as secure. Inherently impossible.

    HOPELESS. By design. Sensitive systems need to be Harvard architecture with certified code in hardware write-protected or write-once ROM.

    Most of this was known by the late 1930s, perfectly obvious from Turing equivalence.

    1. patrickstar

      Re: Y'all should have stuck with the Harvard architecture...

      Sorry, but no guarantees that will help either. See http://www.theregister.co.uk/2009/08/12/sequoia_evoting_machine_felled/

      1. Michael Wojcik Silver badge

        Re: Y'all should have stuck with the Harvard architecture...

        Sorry, but no guarantees that will help either. See http://www.theregister.co.uk/2009/08/12/sequoia_evoting_machine_felled/

        Or any of a huge array of other attacks that don't require executing code from data pages. ROP attacks, for example. Or classic trojans and social engineering.

        At any event, before you go with a true Harvard architecture and physically separate I/D, it'd make more sense to use a capability architecture, which gives you most of the benefit (and a substantial improvement over a half-assed page-protection mechanism, even if the latter were used properly by the OS) with a lot more flexibility and features.

  12. Michael Wojcik Silver badge

    Half points

    Exploiting the vulnerability is far from a theoretical risk, according to enSilo. It argues that Tavis Ormandy from Google’s Project Zero exploited a vulnerability in Kaspersky’s technology back in September that he uncovered through fuzzing. All this really proves is that security products have flaws too, we'd counter-argue.

    A rather weak counter-argument, since Ormandy's attack on Kaspersky was possibly precisely because they had disabled DEP. Which is the whole point.

    The issue isn't that security products have flaws; it's that they often have flaws they shouldn't have, because those flaws are trivial to prevent.

    Though to Kaspersky's credit we might note that Ormandy writes in his blog post that their response when he notified them was excellent.

  13. Anonymous South African Coward Bronze badge

    What about a default-deny OS?

  14. oldcoder

    MS... Billions for mitigation...

    Nothing for prevention.

    Which is why Windows is such a poor system for mission critical operation.
