While I've been at the iAWACS and EICAR conferences with somewhat erratic connectivity, it seems that Matousec have discovered The End of Antivirus As We Know It. Actually, a lot of people have been doing that this week, but that's a topic for a later blog. Fortunately, while I was trying to get a connection for long enough to comment without making sarcastic remarks about Matousec's web page and the invitation to flirt with nubile young ladies, Juraj Malcho, our Head of Lab in Bratislava, put something together for us.
Sometimes catchy headlines make news even if there’s absolutely no news. I guess they usually call it marketing. Or hype. Like here.
There’s been a great amount of discussion about the recent article from Matousec at http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php. So what’s the 8.0 earthquake problem? What did they really find out? Not much new really.
First of all, Matousec researchers are obviously unaware of previous works and terminology. What we have here is a specific example of TOCTTOU (time-of-check-to-time-of-use) attack – see http://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf or http://www.watson.org/~robert/2007woot/2007usenixwoot-exploitingconcurrency.pdf. But for an even better example, see http://seclists.org/bugtraq/2003/Dec/351, which pretty much describes the same thing as this innovative Matousec research.
Anyway, there is a vulnerability. And what is vulnerable is our SelfDefense module, which, speaking non-techie language, under certain circumstances could probably be bypassed, thus allowing software (malware) which would otherwise be blocked to perform some activities. What does that mean to our users? If your machine were to be infected by such hypothetical malware, there's a possibility that the scanner wouldn't see it. This has a number of implications:
As already mentioned, the vulnerability is there, but its magnitude is more of a pin dropping on the floor than an 8.0 earthquake, when it comes to its impact on the overall security of our customers’ PCs. However, we are looking into this to see how we can prevent these attacks in case we start to see them being misused.
To which I can only add, as I did to the press yesterday, that to suggest that "today's most popular security solutions simply do not work" on the strength of a long-known race condition issue in the operating is more than a little overstated.
David Harley FBCS CITP CISSP
ESET Research Fellow & Director of Malware Intelligence
Author David Harley, We Live Security