Security vendors respond to Matousec researchby Steve Ragan - May 13 2010, 11:00
Researchers at Matousec said they have discovered a serious flaw in the traditional desktop-based anti-Virus protections offered by thirty-five vendors. The flaw allows someone to completely bypass those protections and attack the targeted system. The Tech Herald spoke to some of the vendors affected. Their statements and thoughts are below.
When contacted, each vendor was asked for a general statement and then asked to answer three additional questions about the Matousec research. Unfortunately, not all of the vendors contacted responded. Those that did gave a statement, commented on the questions, or both.
The questions asked are below.
What is your overall thought on the research?
What are you doing to address the issues raised by the paper?
Are there mitigating issues that need to be addressed that were not included in the research?
Given the headlines, we thought it was fair to allow the vendors impacted by the Matousec research to speak on their own. This follow-up contains their thoughts and nothing more. If you want to read the original story, you will find it here.
“Kaspersky Lab experts have analyzed the paper and concluded the issue is only linked to certain features of the Company's products. The System Service Descriptor Table (SSDT) contains the addresses of all of the operating system services and it is important to use SSDT hooks to provide better protection. However Kaspersky Lab products implement not only SSDT hooks, but a wide range of technologies, including secure sandboxing and other methods of restricting suspicious kernel mode activity.”
(Roel Schouwenberg, Senior Anti-Virus Researcher answered the questions as well.)
1. What is your overall thought on the research?
Well, this research is not new. This attack was first mentioned in the 90s as a theoretical attack and resurfaced in 2003. Since then a lot has changed. Today, security products contain a lot of different layers to protect against unknown malware.
What's important to realize is that this could only affect our products when dealing with unseen malware, which is not blocked or detected by our pre-execution heuristics technologies. Therefore I think that the impact of this vulnerability is limited. The nuisance is that the vulnerability is also exploitable in user mode.
2. What are you doing to address the issues raised by the paper?
Well, I'm not necessarily convinced this approach is going to be widely adopted by malware authors. When we'll encounter malware samples using this technique we can simply add a new heuristics to our engine that will work together with our multi layer defense strategy.
3. Are there mitigating issues that need to be addressed that were not included in the research?
There are no mitigating issues that I am aware of right now. Though I'd like to add that, unfortunately, cyber criminals find ways around security products on a daily basis. Next to that, technique can be hard to implement correctly. So, I don't think this technique is going to be a game changer, and depending on how the bad guys would implement the code we might not have such a hard time detecting such samples before execution heuristically.
"McAfee is aware of an article by researchers at Matousec that describes a way cyberattackers might be able to bypass numerous Windows security applications. Based on our initial review of the public documentation, we believe this is a complicated attack with several mitigating factors that make it unlikely to be a viable, real world, widespread attack scenario. For example, the attack would require some level of existing access to the target computer, as the attack described by Matousec does not on its own bypass security software or allow malware to run."
Comment from Catalin Cosoi, Senior Researcher for BitDefender.
“Matousec described a very specific set of circumstances that need to be in place for this type of attack to be successful - as they point out, the attacker must already be able to run executable code of the user's machine. Our solution is focused on preventing initial attacks. That said, we take every potential vulnerability seriously, no matter how unlikely, and we're devoting resources to make sure this doesn't present a realistic threat to our users.”
Comment from David Harley, Director of Malware Intelligence for ESET.
“It's not exactly a new idea, except, apparently to Matousec, and except in the slightly misleading suggestion that it's specific to antivirus. It's actually a far more generic issue."
“If a specific malware threat appears that makes use of it, the AV industry will certainly address it specifically in the usual way. Now the idea has attracted so much attention, security developers may look at whether it is possible to forestall more-or-less generically tricks inspired by Matousec's re-interpretation of older research.
[See also: http://seclists.org/bugtraq/2003/Dec/351 -ED]
“However, to suggest that "today's most popular security solutions simply do not work" on the strength of a long-known race condition issue in the operating seems a little overstated.”
Sophos’ Senior Security Advisor Chester Wisniewski answered the three questions.
“It does not have an impact on Sophos products. While it may be interesting from a theoretical standpoint, it requires your machine to be infected with malware first, in which case all bets are off. The goal is to prevent infection in the first place. It also has requirements on hardware such as needing multiple cores and expects certain protective behaviours. To implement the attack on a single core would be quite complicated and not likely worth pursuing compared to other vulnerabilities that are easier to execute with similar results.”
“There does not appear to be a risk to our product. If malware were released that attempted to use these techniques (There is no indication this attack is in the wild) we would detect it using our traditional layered defences. The key here as with any threat is to have defence in depth and ensure as many opportunities to stop a threat as possible.
“Like any other malicious code if it were to be developed and utilized detection methods could be used to prevent the code from executing. Our software does not use the defences outlined in the paper, so no further mitigation is necessary. If code were to be developed in the wild we would write protection against it like any other malware whether it has an impact on our product suite or not.”
Comments from Vincent Weafer, Vice President, Symantec Security Response.
“Symantec is aware of the research. This is a narrowly focused test that examines potential bypass techniques for any security solution that implements kernel mode hooking. This is precisely why Symantec adds multiple layers of security to our products in order to prevent malware, and in this case, even the code that would facilitate the substituting of benign code for malicious code, from getting onto users’ computers in the first place. In particular, Symantec’s Intrusion Prevention (IPS) and Reputation-Based Security play a large role in blocking these types of threats. These additional layers of defenses were not examined as part of the matousec.com investigation.”
Sunbelt Software Chief Technology Officer Eric Site emailed gave the following comment.
“The matousec.com blog published a possible attack method that could be used for researching actual vulnerabilities. All of the security products he listed may or may not be vulnerable to this method of attack.”
“VIPRE uses SSDT hooks only for older version of Windows and then only sparingly where APIs provided by Microsoft don't exist or are too buggy to use. VIPRE does not use SSDT hooks for 64-bit versions of Windows because of Microsoft's PatchGuard technology and Microsoft new APIs for security software. That said we are reviewing our drivers to make sure our products are not vulnerable to the method of attack.
"If any of the vendors' security products do have an actual vulnerabilities to this attack method it is very sad that matousec.com did not use responsible disclosure and give the security vendors time to review their products before publicly disclosing this information and putting everyone at risk.
“Matousec.com notified us about the attack method and possible vulnerability on April 20th and then promptly released this information on May 5th which does not give any vendor time to review tens or hundreds of thousands lines of code to hunt for possible vulnerabilities. And no time at all to fix, test and deploy updated versions of security products. This is very sad and very irresponsible."