
Exploitable vulnerabilities found in Kaspersky Anti-Virus - EthanHeilman
http://googleprojectzero.blogspot.com/2015/09/kaspersky-mo-unpackers-mo-problems.html
======
MichaelGG
So it's 2015 and they ship software with a trivial stack buffer overflow. They
don't even bother to turn on the "mitigation" options in the compiler (not
that it makes such mitigations less of a terrible set of hacks). Sounds fairly
incompetent. Also further validates the intelligence in creating things like
Rust.

~~~
pjmlp
> Also further validates the intelligence in creating things like Rust.

Yeah, but many of the Rust features are present in the branch of Algol derived
languages, namely Mesa, Modula-2, Modula-3, Oberon derivatives, Ada, Pascal
dialects...

Yet it took decades of security exploits for developers to start grasping
the major flaw it was to adopt C.

~~~
avian
> Yet it took decades of security exploits for developers to start
> grasping the major flaw it was to adopt C.

Can we please stop with the C bashing already? Each time there's a story about
a buffer overflow, the top comment says how that would be impossible in Go,
Rust, JavaScript or the next shiny thing.

First of all, hindsight is always perfect. I'm sure adopting C made sense at
the time. We didn't use to stroll down the street with a supercomputer in our
pockets you know.

And second, the constant stream of news about trivial SQL injections, cross-
site scripting vulnerabilities and other such things should make it plenty
obvious that you can write insecure code in any language.

~~~
geofft
> And second, the constant stream of news about trivial SQL injections, cross-
> site scripting vulnerabilities and other such things should make it plenty
> obvious that you can write insecure code in any language.

Find me an unintended trivial SQL injection or cross-site scripting
vulnerability in Rust. Or Elm or Ur/Web, if you prefer more web-oriented
languages.

All you have done is demonstrate that there are languages other than C that
one should not write in, either. But of course there are. You have not
demonstrated that _all_ languages have these problems _to the same extent_.

It is rather like arguing that since you can get concussions in football, and
you can _also_ get concussions in ice hockey, it doesn't really matter what
sport you play. While it is technically true that you can get concussions from
golf or cross-country running, it takes quite a bit of skill and (un)luck to
make it happen.

~~~
tedunangst
> Find me an unintended trivial SQL injection or cross-site scripting
> vulnerability in Rust.

Well, if there's no web support in Rust, that's going to be kind of hard.
There's no SQL injection "in C" either. For that matter, there aren't any
buffer overflows in the C language.

Now, if you meant "in some rando web forum written in Rust", I think you'll
need to wait a bit. Let's wait until there's a forum with more than a dozen
users, then I'll tell you how the developers fucked up.

------
pakled_engineer
How many other AV programs are extracting/manipulating files without a
sandbox? I bet most of them, and you can probably directly port this method
and get the same results.

~~~
ploxiln
The blog post links to previous analysis of vulnerabilities in Sophos and ESET
products.

"Many of the vulnerabilities described in this paper could have been severely
limited by correct security design, employing modern isolation and exploit
mitigation techniques. However, Sophos either disables or opts-out of most
major mitigation technologies, even disabling them for other software on the
host system."

"Unfortunately, analysis of ESET emulation reveals that is not the case and it
can be trivially compromised. This report discusses the development of a
remote root exploit for an ESET vulnerability and demonstrates how attackers
could compromise ESET users."

So, yes, definitely.

------
tmd83
What I'm not hearing is what that really means. It's not just the buffer
overflow thing. It seems that most of these tools (he exploited 3 so far) are
disabling protection features in the OS and are just blind to the risk parsing
generally presents, especially for a tool that runs with such privilege.

I wonder if he has failed to exploit any of the antivirus products he tried, or
if it was 3 for 3. What does it really mean? Does using any antivirus at this
point put you at even more risk of targeted attack, especially if you are a
sensible user? What does that mean for corporate rollout of antivirus, which
I'm guessing would be the most likely candidate for such targeted attacks?

------
nerdy
I wonder if this is at all related to the targeted attack Kaspersky suffered a
few months back?

[http://www.kaspersky.com/about/news/virus/2015/Duqu-is-
back](http://www.kaspersky.com/about/news/virus/2015/Duqu-is-back)

Maybe someone was exploring the possibility that these vulnerabilities are
features.

------
Roadgazer
The issues which are observed are the logical consequence of becoming a big
company with talent of different qualification levels: tons of code, junior
engineers, lack of control. Google writes a report on that, but a bunch of
Google's own code is far from ideal, despite strict talent sorting and
interviews.

------
SNvD7vEJ
So the Russian regime "infiltrated" (ordered) one of the most well known
Russian software companies, a famous security company nonetheless, to craft a
few back doors in one of the world's most trusted security products.

Just another conspiracy theory, of course...

~~~
alvarosm
99% of conspiracy theories are false, unrealistic. Reality is worse than the
average Joe's wildest dreams. The backdoors are probably there, they're just
not the obvious exploits that exist out of incompetence and neglect and are
being exposed first.

~~~
plaguuuuuu
and 70% of statistics are made up...

------
gtirloni
What's the incentive for Google in doing this?

~~~
wmt
They fight back exploit peddlers like Zerodium or criminals who sell their
findings to the highest bidder. You know, PR. They're basically doing a huge
service to their users and software companies by allowing the best exploit
finders to focus on some software and then responsibly disclose their findings
to the vendors, free of charge.

[http://googleonlinesecurity.blogspot.de/2014/07/announcing-p...](http://googleonlinesecurity.blogspot.de/2014/07/announcing-project-zero.html)

The headline is kinda silly in the sense that if Project Zero focuses on any
software in the world, they'll most likely find exploitable vulnerabilities.
With Kaspersky the ridiculous thing is that they have stuff compiled without
/GS, which e.g. since VS2005 has required you to actively disable it, as it's
on by default.
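
The bug class the thread keeps coming back to, as an added example that is not code from the Project Zero post or from any AV product: a length-prefixed "unpacker" record (layout constructed here: a 16-bit little-endian name length followed by that many bytes) copied into a fixed stack buffer without validating the length, beside the bounds-checked version. /GS only turns the unchecked copy into a crash; the length check is what removes the bug.

```c
/* Added example, not vendor code. Record layout is constructed for this
 * illustration: [u16 LE name_len][name_len bytes of name]. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NAME_MAX 32

/* Vulnerable pattern: the length field comes from the file being scanned,
 * so a hostile name_len above NAME_MAX writes past 'name' on the stack.
 * Shown for contrast only; nothing below calls it. */
int parse_name_unsafe(const uint8_t *rec, size_t rec_len)
{
    char name[NAME_MAX];
    if (rec_len < 2) return -1;
    uint16_t name_len = (uint16_t)(rec[0] | (rec[1] << 8));
    memcpy(name, rec + 2, name_len);             /* no bound check */
    return (int)name_len;
}

/* Hardened version: check the declared length against both the destination
 * buffer and the bytes actually present before copying anything. */
int parse_name_safe(const uint8_t *rec, size_t rec_len,
                    char *out, size_t out_len)
{
    if (rec_len < 2 || out_len == 0) return -1;
    uint16_t name_len = (uint16_t)(rec[0] | (rec[1] << 8));
    if (name_len >= out_len) return -1;          /* leave room for NUL */
    if ((size_t)name_len > rec_len - 2) return -1; /* truncated record */
    memcpy(out, rec + 2, name_len);
    out[name_len] = '\0';
    return (int)name_len;
}

/* Constructed sample records: a well-formed one and one whose length
 * field claims far more bytes than the buffer (or the record) holds. */
static const uint8_t good_rec[]    = { 5, 0, 'a', 'b', 'c', 'd', 'e' };
static const uint8_t hostile_rec[] = { 0xff, 0xff, 'X', 'X', 'X', 'X' };

int demo_good(void)
{
    char buf[NAME_MAX];
    return parse_name_safe(good_rec, sizeof good_rec, buf, sizeof buf);
}

int demo_hostile(void)
{
    char buf[NAME_MAX];
    return parse_name_safe(hostile_rec, sizeof hostile_rec, buf, sizeof buf);
}
```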

~~~
fixermark
It's slightly more than PR... Google sees the trustworthiness of people's
interactions online as an existential necessity for the company. Things like
tradeable zero-day exploits are a risk to the entire business model of having
people search for things and conduct business on the Internet.

------
drzaiusapelord
Kaspersky is aligned with Putin's FSB:

[http://www.bloomberg.com/news/articles/2015-03-19/cybersecur...](http://www.bloomberg.com/news/articles/2015-03-19/cybersecurity-kaspersky-has-close-ties-to-russian-spies)

[http://www.wired.com/2012/07/ff_kaspersky/](http://www.wired.com/2012/07/ff_kaspersky/)

You'd be a little crazy to run this outside of Russia. I suspect there are
more backdoors disguised as "vulnerabilities we knew nothing about, totally,
it's news to us!" This reads like a trivial overflow which would have been
found with some basic testing. This is a common ploy with untrustworthy
software.

Maybe Kaspersky was safe to run once, but with Russia's new brazen anti-West
attitude, it's a liability now.

~~~
at-fates-hands
I don't use their products and the place I used to work was a little surprised
when I pointed out his multiple connections to the current regime.

I also thought it was odd he always seemed to have no problem catching US
nation state malware, but all of those Russian state cyber weapons other
companies keep finding seem to elude him and his team.

Coincidence?

~~~
drzaiusapelord
I was reading about how Estonia and Ukraine were victims of all these client
side hacks from the Russian government which Kaspersky magically couldn't
detect. I think it's pretty obvious they're in cahoots. I imagine these
governments are no longer running Kaspersky.

Brian Krebs also writes about popular malware that first does a check to see
if it's being run on a computer in Russia. If so, it stops running. There's a
lot of government sponsored malware coming from Russia. There's a public
private partnership to put profitable malware on non-Russian computers and
Russian officials turn a blind eye due to corruption, bribes, etc. It's all
fairly ugly.

~~~
dogma1138
Every security vendor is aligned with its "host" nation, that is how business
works. Not to mention that it's one of the few sources for these types of
enterprises to recruit from in the first place. Most of the security software
coming out of Israel like Checkpoint goes even beyond that and it's actual
code that was written in the IDF and was released for commercial use. The NSA
also has a technology transfer program that enables commercialization of many
technologies which were invented or developed by the NSA, and they also release
quite a bit of their TTP software as open source.

~~~
drzaiusapelord
I think you're certainly overstating the case here. We don't see US derived
malware being ignored by the USG. In fact, almost all high profile hacker
arrests stem from US investigations. US researchers are the ones who take out
Russian and Chinese botnet C&C servers. We see almost no action on the nation
states that profit from malware, namely Russia and China.

On a cyber weapons level, who knows, but citing things like TTP which releases
to FOSS or Israel's defense industry as a sign of corruption is asinine and
not remotely comparable to what is the status quo in Russia. Cyber weapons
will always be here and, when used correctly, can't be detected by signature
based AV because they have no idea what to look for and the exploits they use
are typically zero days. Stuxnet used, I believe, 3 or 4 different zero day
attacks.

Nor did you bother to read the Kaspersky articles where the proof is laid out
in a pretty obvious way. I think it's foolish to knee-jerk to "Oh Russia does
this, so must everyone else." Certainly there are degrees of corruption, and
Russia is on the extreme end of this scale. Brian Krebs and Tavis Ormandy
aren't on some NSA payroll to make Russia look bad. Russians do that for free.
Let's stop playing the "every government is the same" card. It's been
historically untrue.

> Every security vendor is aligned with its "host" nation

Also, I really doubt the guys writing rules for Snort, ClamAV, or mod_security
or OSSEC are aligned with anyone. Your view is incredibly cynical and very
much an example of the disingenuous tactic of "whataboutism" Russians use to
defend their wrongdoings. Those rules are public, pray tell, which ones are
NSA backdoors? I suggest you come up with some proof if you're making such
accusations. The articles I linked to about Kaspersky are significant and
well-researched.

edit: I can't reply below so I'll type it here. Clinton-era crypto limitations
are a non-issue. Clinton lost the crypto wars after the Clipper chip was never
passed or funded and after Phil Zimmerman wrote PGP and helped end crypto
restrictions. I'm talking about things happening right now. Whining about
things from 20+ years ago is not helping and isn't relevant. Use whatever
crypto you like.

~~~
makomk
We do see US government malware being ignored by US security firms. Why do you
think it's always Kaspersky and other non-US companies that report stuff like
Duqu?

~~~
dogma1138
I wouldn't go as far as claiming that US agencies are putting gag orders on
such investigations.

Symantec did a very extensive study on Stuxnet; they were the ones that
confirmed that it was intended to damage the centrifuges by fooling the
industrial motor controllers.

What is more likely is that a national intelligence organization will use the
local security vendors for counter intelligence purposes, i.e. tipping them to
suspected cyber intelligence operations that they've identified through other
means.

This is a much more likely scenario than simply telling them not to talk about
certain malware; it's easier to enforce and it provides them with both
deniability and a more favorable outcome.

Geopolitics also plays an important role here; different vendors have different
market share in different regions. Kaspersky for example is more common in
lower income countries, as well as countries that are under direct US
sanctions like Syria or Iran, or countries to which US companies will have a
hard time exporting or developing their market due to past relations.

So when you have a virus that infects many machines in Iran or Syria, if any
of the computers are running fully licensed and supported commercial
anti-virus software it won't be Symantec or McAfee that they'll be running but
rather Kaspersky or some other non-US/Western software.

------
MisterWebz
They've been gunning for Kaspersky ever since Kaspersky released information
about state-sponsored malware.

~~~
drzaiusapelord
Who is "they?" Tavis Ormandy is a respected security researcher who often
makes the news. Hell, not too long ago he found exploits in Sophos and
Symantec products. He likes to target AV. Sophos, a UK product, was
embarrassed internationally by the exploits he found. He is not playing any
favors here. We need more people like him. AV has gotten a free pass for far
too long.

If you're attacking Ormandy's character, I'd appreciate some proof over the
usual conspirtard stuff that often gets upvoted uncritically on sites like
reddit and HN. As far as I can tell, he is certainly one of the good guys and
we are lucky to have him in such a high profile position at Google.

> Kaspersky released information about state-sponsored malware.

Kaspersky actually is the dirtiest of the bunch with ties to Russian KGB/FSB.
I suggest you rethink who your heroes are.

[http://www.bloomberg.com/news/articles/2015-03-19/cybersecur...](http://www.bloomberg.com/news/articles/2015-03-19/cybersecurity-kaspersky-has-close-ties-to-russian-spies)

[http://www.wired.com/2012/07/ff_kaspersky/](http://www.wired.com/2012/07/ff_kaspersky/)

~~~
strictnein
Kaspersky is smart. He enjoys breathing and wants to avoid radioactive tea.

~~~
btilly
I'm guessing most people will miss the reference to
[https://en.wikipedia.org/wiki/Poisoning_of_Alexander_Litvine...](https://en.wikipedia.org/wiki/Poisoning_of_Alexander_Litvinenko)
so I'll just add a link.

