[Full-disclosure] KHOBE - 8.0 earthquake for Windows desktop security software
larry at larryseltzer.com
Thu May 13 22:16:52 BST 2010
Actually, a consensus is developing that their claims are greatly
The SSDT hooking they cite is only used on Windows XP (and server 2003)
and earlier. Starting in Vista SP1 Microsoft offered APIs that were good
enough that AV vendors didn't need to hook the SSDT and could co-exist
with Patchguard on 64-bit systems (the APIs are also on 32-bit Windows).
It's not even clear that Matousec actually tested all 35 of those
products to the point of exploiting them; all they did was to confirm
that they used SSDT patching (on XP). I asked them for comment on this
on the record and they didn't reply.
More than one antivirus vendor has said that their products are not
vulnerable to the technique. It's hard to say who is telling the truth,
but given all their overstatement matousec doesn't deserve the benefit
of the doubt.
Contributing Editor, PC Magazine
larry_seltzer at ziffdavis.com
From: full-disclosure-bounces at lists.grok.org.uk
[mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Marsh
Sent: Thursday, May 13, 2010 5:06 PM
To: Juha-Matti Laurio
Cc: full-disclosure at lists.grok.org.uk
Subject: Re: [Full-disclosure] KHOBE - 8.0 earthquake for Windows
desktop security software
Nice research! Thanks hmatousec.com for putting up the hard work of
testing all those products.
Anyone else notice the connection with the Systrace badness from a while
'Exploiting Concurrency Vulnerabilities in System Call Wrappers'
Perhaps Windows AV developers need to get out more.
On 5/13/2010 3:04 PM, Juha-Matti Laurio wrote:
> Some AV vendors have posted their 'is-the-game-over-or-not' type
> F-Secure: http://www.f-secure.com/weblog/archives/00001949.html
> Jeffrey Walton [noloader at gmail.com] kirjoitti:
>> Hi , Also known as a TOCTOU binding flaw (thanks GDM).
>> (dated 1996).
> On Wed, May 5, 2010 at 3:14 AM, www.matousec.com - Research
> <researchmatousec.com> wrote:
>>> We have found number of vulnerabilities in implementations of
>>> kernel hooks in many different security products.
> _______________________________________________ Full-Disclosure - We
> believe in it. Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> sponsored by Secunia - http://secunia.com/
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
Full-Disclosure is hosted and sponsored by Secunia.