
Comodo Internet Security installs and starts a VNC server by default - daenney
https://code.google.com/p/google-security-research/issues/detail?id=703
======
stygiansonic
There was another issue[1] that also began with the phrase, "When you install
Comodo Internet Security...", which was also reported/discovered by Tavis
(Also had an HN discussion[2]) This phrase now sounds much more ominous to me.

Tavis also recently discovered this issue with another AV/security software
vendor[3] (Related HN discussion [4])

Is it bad that when I see one of these, I'm no longer surprised?

1\. [https://code.google.com/p/google-security-research/issues/detail?id=704](https://code.google.com/p/google-security-research/issues/detail?id=704)

2\. [https://news.ycombinator.com/item?id=11021633](https://news.ycombinator.com/item?id=11021633)

3\. [https://code.google.com/p/google-security-research/issues/detail?id=693](https://code.google.com/p/google-security-research/issues/detail?id=693)

4\. [https://news.ycombinator.com/item?id=10882563](https://news.ycombinator.com/item?id=10882563)

~~~
yborg
At this point "When you install Comodo Internet Security..." is the first half
of a computer security punchline in which the joke is on the buyer of this
product.

------
zabuni
This is the most terrible part:

"This is an obvious and ridiculous local privilege escalation, which
apparently Comodo believe they have resolved by generating a password instead
of leaving it blank. That is not the case, as the password is simply the first
8 characters of
SHA1(Disk.Caption+Disk.Signature+Disk.SerialNumber+Disk.TotalTracks). I
imagine Comodo thought nobody would bother checking how they generated the
password, because this clearly doesn't prevent the attack they claim it
solved."

~~~
syntheticnature
I love that it's not just a generated SHA1 using known parameters, but just
the first 8 characters, thereby reducing the search space considerably even if
you cannot compute the hash.

~~~
TD-Linux
VNC passwords are limited to 8 characters in length.

~~~
shawn-butler
RealVNC (authoritative) is currently 255 characters. Older legacy
implementations may still be 8.

RFB protocol itself is agnostic[0]:

VNC authentication is to be used and protocol data is to be sent unencrypted.

The server sends a random 16-byte challenge:

    No. of bytes    Type    [Value]    Description
    16              U8                 challenge

The client encrypts the challenge with DES, using a password supplied by the
user as the key, and sends the resulting 16-byte response:

    No. of bytes    Type    [Value]    Description
    16              U8                 response

The protocol continues with the SecurityResult message.

[0]: [pdf] [http://www.realvnc.com/docs/rfbproto.pdf](http://www.realvnc.com/docs/rfbproto.pdf)

~~~
shimo5037
Having had to implement VNC authentication a while back, I can assure you that
it is not agnostic, and you have inadvertently revealed the reason for that in
your own post.

Since the user password is used as the DES key, and DES key size is limited to
56 bits (plus 8 parity bits), your key can only be up to 7 8-bit characters
long. However, since ASCII only uses 7 bits, you give an 8 ASCII character key
instead, and the unused 8th bit of every byte is simply discarded. If the
password is shorter than 8 characters, it's just padded with zeroes.

Many VNC clients and sometimes even servers allow you to enter a longer
password, but as long as they're connecting to the standard auth
implementation, they'll actually truncate your password to 8 characters during
operation. Yes, even RealVNC's client does that when only the standard auth is
possible. It will warn you that the connection is not encrypted, but it won't
let you know that your password just got slashed.

Defining alternate authentication schemes is possible, but requires VNC clients
to add support for those. RealVNC has simply defined one of those. So everyone
should just implement that, right? I think you'll find out the reason why the
standard auth is still so prevalent if you spend some time trying to find any
implementation documentation for it.
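The key handling described in the comment above, as an added example that is not from this thread or from any VNC implementation: it derives the 8-byte DES key the way standard VNC authentication does (truncate to 8 bytes, zero-pad, and reverse the bits of each byte, a quirk of VNC's DES variant that the comment does not mention and which is what puts the unused ASCII top bit into DES's ignored parity position), answers a constructed challenge with Go's crypto/des, and shows which password differences a server cannot tell apart.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
	"math/bits"
)

// vncDESKey derives the 8-byte DES key used by standard RFB "VNC
// authentication": truncate the password to 8 bytes, zero-pad, and reverse
// the bits of each byte (VNC's DES variant reads key bytes LSB-first).
func vncDESKey(password string) [8]byte {
	var key [8]byte
	copy(key[:], password) // copies at most 8 bytes; the rest stays zero
	for i := range key {
		key[i] = bits.Reverse8(key[i])
	}
	return key
}

// vncAuthResponse answers a 16-byte challenge the way a client does: DES-ECB
// encryption of each 8-byte half under the derived key.
func vncAuthResponse(password string, challenge [16]byte) ([16]byte, error) {
	var resp [16]byte
	key := vncDESKey(password)
	block, err := des.NewCipher(key[:])
	if err != nil {
		return resp, err
	}
	block.Encrypt(resp[0:8], challenge[0:8])
	block.Encrypt(resp[8:16], challenge[8:16])
	return resp, nil
}

// sameResponse reports whether a standard-auth server accepts b wherever it accepts a.
func sameResponse(a, b string, challenge [16]byte) bool {
	ra, errA := vncAuthResponse(a, challenge)
	rb, errB := vncAuthResponse(b, challenge)
	return errA == nil && errB == nil && bytes.Equal(ra[:], rb[:])
}

func main() {
	var challenge [16]byte // constructed; a real server sends 16 random bytes
	for i := range challenge {
		challenge[i] = byte(i * 17)
	}
	fmt.Println(sameResponse("correct horse", "correct ", challenge)) // true: bytes past the 8th are dropped
	fmt.Println(sameResponse("password", "passwor\xe4", challenge))   // true: 0xe4 is 'd' with the top bit set
	fmt.Println(sameResponse("password", "passwore", challenge))      // false: a real key difference
}
```

The 8-character ceiling plus a discarded bit per byte is why the comment's "56 bits" is the absolute upper bound, and why a password drawn only from printable ASCII is far smaller than that.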

------
NelsonMinar
Comodo has a series of really awful security problems in their security
products. For example, they were the first major SSL certificate vendor to
publicly confess they were hacked issuing rogue certificates. Many of their
failures are more than just honest mistakes and suggest some very poor
decision making at the top.
[https://en.wikipedia.org/wiki/Comodo_Group#Controversies](https://en.wikipedia.org/wiki/Comodo_Group#Controversies)

I don't quite understand how they are still in business.

~~~
duaneb
The people making decisions about what security products to buy can be very,
very far removed from people who understand security. Windows defender, bless
it, has changed it to a security built on ignorance.

~~~
voltagex_
I count myself as reasonably informed about security threats, and I've been
recommending Defender / Security Essentials to people instead of
AVG/Avast/Comodo/Symantec for home users.

Dismissive, brief statements like yours don't really help - they don't give me
enough information to go research whether I should be recommending something
else (including offering financial support to pay for subscriptions).

I know that Defender doesn't have the world's best detection rate, but isn't it
better than an expired copy of McAfee?

Should I be recommending EMET? Virtual Machines? Qubes OS?

~~~
afreak
Here's a better question: how do you qualify a "good" anti-virus engine?

------
Animats
This backdooring by "security" vendors has got to stop. This needs to be
heavily publicized. Reach out to your press contacts. Comodo needs to feel
serious pain for this.

It's a good time to publicize this, because Apple is in the US national news
for refusing to crack Apple phones for the FBI.

------
AdmiralAsshat
It's really a shame to see how many holes there are in this product. It's
actually a nice (looking) product! It claims to handle everything for you:
Firewall, antivirus, spyware. It even has an option to let you run an app in
(what it calls) a "sandbox" if you suspect the app might be harmful.

I had it installed on my Win 7 laptop for the past five years. It was a
program that did a lot to make you _feel_ like it was protecting you, such as
displaying a pop-up whenever:

- An app tried to connect to the internet
- An app tried to execute or communicate with another app
- An app tried to modify the registry
- An app tried to read keyboard/mouse input

Part of it could be rather annoying (particularly when some applications like
Crashplan would try to auto-update and fail during the night because I wasn't
at my keyboard to approve the connection attempt that Comodo blocked), but it
did feel secure. After the last Comodo gaffe[0], however, I finally said
enough and uninstalled Comodo Internet Security and went with GlassWire
instead for my firewall.

[0]: [https://news.ycombinator.com/item?id=11021633](https://news.ycombinator.com/item?id=11021633)

~~~
Quiark
This kind of popup is exactly the psychological manipulation that vendors use
to make you feel good about using their products. Same for "cleanup" apps
which show a satisfying progress bar of how your device is "cleaned of all bad
things".

~~~
viraptor
To be honest, I really like the approach of network blocking. If you strip
everything bad from that product and leave just the interactive firewall -
it's great! Mainly because it's a whitelist rather than blacklist - so you
need to spend time configuring it, but then it really does the right thing.

Or at least tries to... does Windows security expose the actual network
connection hooks to personal firewalls, or do they have to fight for DLL hooks
in the same way as malware?

------
cm2187
I have Comodo SSL certificates just because they are cheap, but when I see how
badly they fuck up anything that has to do with security (like their Chromodo
browser), I wonder if I shouldn't have bought shorter dated certificates. At
this pace it is bound to happen that they lose their root certificate sooner or later.

~~~
daenney
If you're comfortable with the tools around it I'd highly recommend looking
into LetsEncrypt[1]. Doesn't cost you a thing either.

[1]: [https://letsencrypt.org](https://letsencrypt.org)

~~~
dsmithatx
Yes, I believe these are also domain based SSL certs. Not really offering
security, and I doubt insurance, but they are free.

~~~
zokier
Just curious, has anyone on HN ever successfully claimed money from SSL
certificate insurance?

~~~
cm2187
I doubt these CAs can write insurance contracts themselves without being a
regulated insurance company, so they must legally have an external insurance. I
would be curious to know how much they are paying on this contract.

The insurance bit is forced selling of an unwanted product. I am sure that 99%
of certificate buyers do not need more insurance from their certificate
provider than they need it from their hosting company, or the developers of
Apache and OpenSSL.

------
pmille5
Years ago Comodo made a decent app. With updates I've noticed the software
become scummier and less effective. I totally removed and CCleaned it away a
few years ago.

------
revelation
I guess the _fix_ is that they changed the password generation.

I mean, there is nothing to fix here: they purposely integrated that malware.
Working as expected.

~~~
pascalmemories
VNC is not malware. It simply should not be installed as part of a security
package, or at least users should be warned of the risks and told the default
option is to not install.

~~~
duncan_bayne
In this case, VNC is installed as part of the malware in question.

------
teh_klev
This sig at the bottom of Tavis's report:

> This bug is subject to a 90 day disclosure deadline. If 90 days elapse
> without a broadly available patch, then the bug report will automatically
> become visible to the public.

According to the sidebar the issue was reported on:

    Reported-2016-Jan-19

and:

    Deadline-90

Today is only 30 days since the initial report, why is this revealed today and
not in another two months?

~~~
jhgg
Reading the first reply:

> Regarding the vulnerability below, we have issued a hotfix on 10th of
> February. GB 4.25.380415.167 has the required fix and 90+% of existing users
> are updated as of now.

Since the issue was fixed and rolled out, it was reasonable to reveal it
instead of waiting.

~~~
teh_klev
Ah, ok... thanks.

------
mosselman
So which anti virus and firewall SHOULD I use on windows? I am hardly on
Windows anymore, just for the occasional game, but I still want to have some
protection.

~~~
pritambaral
The one from Microsoft: Windows Defender (it's both) on Windows 8+

If you're on Windows 7, use Microsoft Security Essentials

~~~
ionised
Windows Firewall isn't particularly good though, and it could be assumed that
MS logging and telemetry (like the Windows 10 kind) will bypass it like they
do the hosts file.

