Flaws found in security products from AVG, Symantec and McAfee

Hundreds of security products may not be up to the job, researchers say, thanks to flawed uses of code hooking. The research is the handiwork of EnSilo duo Udi Yavo and Tommer Bitton, who disclosed the bugs in anti-virus and Windows security tools ahead of their presentation at the Black Hat Las Vegas conference next month. …

  1. Mark 85

    From the link, it's looks like just about every AV firm got hit with this. See icon.......

  2. Anonymous Coward

    ... and you breed in weakness..

    It's a quote from the English adaptation of one of my all-time favorite Anime movies: Ghost in the Shell. And I can't help thinking that it applies here. Over the years anti-virus suites have expanded tremendously and also started entering fields where it became obvious that the company had no clue what they were doing (basically: they lacked experience). A classic example would be Avast which at one point introduced their Internet security suite. Unfortunately their firewall couldn't cope with many parallel connections, and if things got too much it could even crash your entire machine. It didn't take much: a custom Java application which I once wrote to control some other servers was sometimes enough when it sent multiple commands in a somewhat shorter time frame.

    Of course things have changed and got improved over time. And sure: it is true that the amount of threats (and the diversity) has also changed and expanded over time. This isn't a clear right or wrong kind of scenario.

    But I do think that some anti-virus suites are overdoing things and making it much too complex. Right up to a point where it can even slow your whole computer down. While they still manage to also leave important aspects out. For example, personally I think that ad blockers should be right there on the list of security software, yet many companies seem to oppose that idea (gee, I wonder why...).

    1. Anonymous Coward

      Re: Overspecialize...

      Decent points but Ghost in the Shell is what regular movies would look like if Tojo wasn't hanged (nationalism run rampant). When bushido is more important than winning you do shit like run out of pilots because it would dishonor them to send them back to train. When your enemy doesn't have that problem the sun rises twice.

  3. gollux

    Humorously, we'll find that an OS with the latest patches available, web browser with downloads disabled, minimal acceptance of file types and email clients that only accept a minimum of file attachments will be about as safe as we can get for the next couple months... (RIP Bloated AV Suites)

    Maybe time to start thinking about that mission specialized barebones *nix box if you don't already have one.

    1. Baldy50

      Re: AT WHICH POINT...

      Smart TVs run OSes and web APIs, and would not have the processing power to run AV suites; add-on boxes too.

      With the capability to browse the Internet and online streaming, how can this ever more popular device be protected?

      Some of the TV manufacturers have written their own versions of popular mobile OSes, and from some of your comments on here I wonder how sloppy the coding might be.

      1. Anonymous Coward

        Re: AT WHICH POINT...

        I think it is safe to assume that any smart TV has so many exploitable holes that leaving it exposed to the internet, or using it to make any outgoing connections at all beyond well known sites like Netflix is the equivalent of browsing porn sites on a PC running Windows XP without service packs, with IE6 and Flash installed.

        1. Anonymous Coward

          Re: AT WHICH POINT...

          "the equivalent of browsing porn sites on a PC running Windows XP without service packs, with IE6 and Flash installed."

          You mean I shouldn't?

    2. Aodhhan

      Re: AT WHICH POINT...

      ...will you get off your *nix high horse and realize this isn't an OS problem. Apparently, you're so stuck on *nix, you don't understand exactly what is going on here.

      I'm not partial to one OS over the other, but realistically, I'd put the Windows OS up against *nix for memory hooking/corruption monitoring any day. So will any other penetration tester. So fuzz up your favorite *nix application, and if you look hard enough you'll likely find somewhere you can stick a NOP sled and have it point to your favorite malicious code. The only thing keeping someone from taking advantage of it is the very endpoint software you are so epically calling "bloated".

      ...or stick to your barebones *nix OS and run your favorite application which does just a few things or was compiled in 1988.

  4. Ken Moorhouse Silver badge

    "re-routing Win32 APIs underneath applications"

    I'm unfamiliar with the nitty-gritty of how anti-malware software receives its inputs, but it looks to me from that description that a root-kit author "simply" needs to impose itself between these hooks to give downstream apps a false sense of security.

    1. This post has been deleted by its author

  5. Anonymous Coward

    Flaws found in Windows API

    I would have thought the flaws were in the Windows API, but then again, what do I know compared to the combined intellectual capacity of IBM, Intel and Microsoft. Detours should have carried a health warning, something like: Detours is unsuitable for use in Internet-facing security applications. But then again neither is Windows.

    "Detours is a library for instrumenting arbitrary Win32 functions on Windows-compatible processors. Detours intercepts Win32 functions by re-writing the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary."

    How else is AV software supposed to function, since that is basically how they work: transparently intercepting system calls and running a pattern recognition engine on the executable in memory, in the hope of spotting something malicious?
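The two comments above (the root-kit "imposing itself between these hooks" in Ken Moorhouse's post, and the quoted Detours description of "re-writing the in-memory code for target functions") describe the same mechanism from the attacker's and the vendor's side. The following is an added example, written for this page and not code from the article, from Detours, or from any commenter: a small hook-integrity check of the kind a defender runs to find out whether a function entry has been rewritten into a jump and whether that jump leaves the module that owns the function. It works on byte buffers only, so it runs offline; the module addresses, the function address and the "pristine" stub bytes are all constructed for the example, and `inspect_entry`, `run_constructed_check` and the other names are this example's own, not a real library API.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Where the function and its owning module live. All addresses in this
 * example are constructed, not real load addresses. */
typedef struct {
    uint64_t base;   /* module load address */
    uint64_t size;   /* size of the mapped image */
} module_range;

typedef enum {
    HOOK_NONE = 0,        /* entry bytes match the pristine copy */
    HOOK_JMP_REL32 = 1,   /* entry starts with E9 rel32: the classic inline detour */
    HOOK_MODIFIED = 2     /* bytes differ but do not decode as a rel32 jump */
} hook_kind;

typedef struct {
    hook_kind kind;
    uint64_t  target;          /* resolved jump target, 0 unless kind == HOOK_JMP_REL32 */
    int       outside_module;  /* 1 if the jump leaves the owning module */
} hook_report;

/* Compare the first n bytes of a function as mapped in memory against a pristine
 * copy (what the on-disk image says should be there). If the entry has been
 * rewritten into a relative jump, resolve where the jump goes and check whether
 * it stays inside the owning module. */
hook_report inspect_entry(const uint8_t *mem, const uint8_t *clean, size_t n,
                          uint64_t func_addr, module_range owner)
{
    hook_report r = { HOOK_NONE, 0, 0 };

    if (memcmp(mem, clean, n) == 0)
        return r;                        /* untouched */

    if (n >= 5 && mem[0] == 0xE9) {      /* jmp rel32: target = next_ip + rel */
        int32_t rel;
        memcpy(&rel, mem + 1, sizeof rel);
        r.kind = HOOK_JMP_REL32;
        r.target = func_addr + 5 + (uint64_t)(int64_t)rel;
        r.outside_module = !(r.target >= owner.base &&
                             r.target <  owner.base + owner.size);
    } else {
        r.kind = HOOK_MODIFIED;          /* patched some other way; still worth flagging */
    }
    return r;
}

/* Constructed sample: the opening bytes of a system-call stub (mov r10,rcx; mov eax,imm32)
 * as the pristine "before" image. The "after" image replaces its first five bytes with a
 * jump to a hypothetical hook that lives outside the module, which is what a
 * Detours-style patch leaves behind. */
#define STUB_LEN 8
static const uint8_t CLEAN_STUB[STUB_LEN] = { 0x4C, 0x8B, 0xD1, 0xB8, 0x3F, 0x00, 0x00, 0x00 };

static const module_range SAMPLE_MODULE = { 0x7FF800000000ULL, 0x200000ULL }; /* constructed */
static const uint64_t     FUNC_ADDR     = 0x7FF800001000ULL;                  /* constructed */
static const uint64_t     HOOK_TARGET   = 0x7FF7FFF00000ULL;                  /* constructed, below base */

/* Build the patched image of the entry: E9 followed by rel32 = target - (entry + 5). */
static void build_hooked_stub(uint8_t out[STUB_LEN])
{
    int32_t rel = (int32_t)(HOOK_TARGET - (FUNC_ADDR + 5));
    memcpy(out, CLEAN_STUB, STUB_LEN);
    out[0] = 0xE9;
    memcpy(out + 1, &rel, sizeof rel);
}

/* Run the check over the constructed sample; hooked selects the patched image. */
hook_report run_constructed_check(int hooked)
{
    uint8_t mem[STUB_LEN];
    if (hooked) build_hooked_stub(mem);
    else        memcpy(mem, CLEAN_STUB, STUB_LEN);
    return inspect_entry(mem, CLEAN_STUB, STUB_LEN, FUNC_ADDR, SAMPLE_MODULE);
}

int main(void)
{
    for (int hooked = 0; hooked <= 1; hooked++) {
        hook_report r = run_constructed_check(hooked);
        printf("%s image: kind=%d target=0x%llx outside_module=%d\n",
               hooked ? "patched" : "clean", (int)r.kind,
               (unsigned long long)r.target, r.outside_module);
    }
    return 0;
}
```

The check is deliberately two-stage: a byte comparison against the clean copy catches any rewrite, and the jump decode then tells you whether the redirection lands in the module's own image (where a vendor's legitimate hot-patch would) or in foreign memory, which is the case the "imposing itself between these hooks" comment worries about. On a live system the clean copy would come from the module's on-disk image and the buffer from the process's memory; the logic itself does not change.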

    1. Aodhhan

      Re: Flaws found in Windows API

      You can not be serious.

      Externally-facing OSes have nothing to do with this vulnerability. Apparently, someone has an agenda, is blindly ignorant, or both! You think you can just see a Microsoft OS box, yell, "Weeee... I can take advantage of this vulnerability"?

      There are many ways AV applications review code. Hooks during dynamic testing of the code are just one method. It's a little more complicated than just looking for a bunch of NOPs in memory.

      I have no favorite OS. However, as a penetration tester I will say this... I have more success against externally facing *nix systems than I do externally facing Microsoft systems.

      1. gmathol

        Re: Flaws found in Windows API

        I work for European banks and we have had the *nix policy in place for a long time. There is no connection to the Internet and it is not needed - business/technical papers are available on the Intranet. Best thing is - it keeps employees from surfing the Web during work time. Of course there is no wireless except the wireless smartphone the employee owns, and there is of course no link to the mainframes or servers. Our bank application uses a two-phase authentication which is encrypted and which uses extra hardware plus a smart card which stores nothing. Trouble with fraud - nope.

  6. Anonymous Coward

    And suddenly ..

    .. not using Windows at all looks like a good idea..
