
Avast: a Chromium fork with critical security checks removed - andygambles
https://code.google.com/p/google-security-research/issues/detail?id=679
======
AdmiralAsshat
You ever noticed that these "secure" forks of browsers put out by antivirus
companies are usually security trainwrecks?

cf: "Chromodo" and the vulnerabilities disclosed by this same researcher[0]

[0] [https://code.google.com/p/google-security-research/issues/de...](https://code.google.com/p/google-security-research/issues/detail?id=704)

EDIT: And let's not forget TrendMicro's recent blunder with the enabled-by-
default HTTP server for "Password Manager" that is installed as part of their
antivirus program.[1]

[1] [https://code.google.com/p/google-security-research/issues/de...](https://code.google.com/p/google-security-research/issues/detail?id=693)

~~~
mrweasel
Which makes you wonder about the quality of the products they develop 100% in-
house.

In the case of the browsers, it's "only" the bits they tampered with that are
more insecure. For their own stuff, anti-virus, firewall and what not, they've
"tampered" with the entire code base.

~~~
jpgvm
In my experience non-OSS security software is not worth having. There are some
exceptions but they are exactly that, exceptions. More often than not, by
installing this garbage you are putting yourself in a worse position than not
having it at all.

~~~
georgemcbay
The (closed-source) security software Microsoft ships with modern Windows is
quite good. I don't think OSS/non-OSS is the real dividing line, but rather
the motivation of the vendor is.

In the case of Microsoft, their motivation is to make Windows work better, in
the case of OSS the motivation is often to scratch personal itches, both of
these motivations trend towards positive results.

In the case of 3rd party security software vendors, their motivation is
usually to upsell you from whatever version you are using to a higher level of
"security", so it is in their best interest to go nuts with false positive
reports (e.g. finding some browser cookies in a scan, posting up such severe
looking warnings that you'd think your system is rooted), bog your system
down, etc.

~~~
fphhotchips
What gives you the impression that Windows Defender is any good? It hasn't had
a consistently decent detection rate since 2012.

(See:
[https://www.reddit.com/r/YouShouldKnow/comments/40zh69/ysk_t...](https://www.reddit.com/r/YouShouldKnow/comments/40zh69/ysk_that_microsoft_security_essentialswindows/)
[https://www.av-test.org/en/antivirus/home-windows/](https://www.av-test.org/en/antivirus/home-windows/))

------
roddux
I advise my techie and non-techie friends alike not to bother with antivirus,
but rather to ensure that their files are backed up and their software is up
to date.

Those are the most important parts, assuming the user is above the level of
downloading and executing malware by themselves.

~~~
RIMR
I would recommend using a business-class antivirus rather than the consumer
editions. Also, don't use their browser plugins if offered.

At least that protects you from theft. I can keep all my files backed up, but
that doesn't protect the data in them from being compromised.

If anything, you need to start recommending encryption to your friends if they
aren't going to use an Antivirus.

~~~
busterarm
I used to work for an antivirus vendor and I would not recommend this.

The antivirus engine is the same and the only differences are how it's
packaged. They're still shoveling obtrusive, crap software onto your system,
just being less obvious about it.

The only reason to have Symantec Corporate Edition Antivirus installed on your
system is because your company signed a deal to use Cisco VPN & Endpoint
Protection and you're literally forced to use it.

What almost everyone fails to understand is that antivirus software is not
effective as a _preventative_ measure. What they are good at is detecting that
you're already infected, but they all have terrible rates of false positives.
Nothing out there is very effective at protecting you from 0-days, despite
industry claims to the contrary.

User training/habit modification is the only effective measure at preventing
infection (besides being behind a default-deny firewall, but that's not
something consumers will do). 99.9999% of infections require user interaction
(and the ones that don't require it become instant international news).
Adblockers get you most of the way there and do a better job at prevention
than antivirus software.

Flaws in AV software have been exploited by rootkits before. AV software is
just another point of failure.

~~~
chris_wot
No, they aren't good at finding malware installed. I installed Norton on my
mother's friend's computer and it found 4 bits of malware. I later installed
Malwarebytes and it picked up something like 45 different malware programs! I
was surprised, so I verified about 12 of them before I realised they were pretty
accurate and let it remove them from her system.

That's a _very_ poor detection rate. I mean, I can confirm that at least 12
nasty malware programs weren't detected by a very widely used AV suite!

~~~
busterarm
Many programs, especially "antimalware"-class programs and __especially__ MBAM
serve up false positives as valid hits. MBAM serves up common (and innocuous)
tracking cookies as malware hits. Nearly everything that MBAM labels as a
'PUP', Potentially Unwanted Program, is bogus. Also, it will serve up data
files (metadata, saved data) files from an infection as the infection itself.

Its user interface deliberately does not give its users the proper context to
evaluate the severity of a problem. The change came after they made a
concerted effort to monetize the app.

MBAM is good at a lot of things (it has traditionally been on top of modern
registry hooks and ransomware loaders where other vendors consistently drop
the ball) but just because you saw 45 things flagged red doesn't mean you had
45 bits of hostile executable code on your system.

Malware infections aren't a singular entity anymore, they are a stew of items
working together to maintain control of your system (exploit, loader, payload
[usually a rootkit], defense, c&c). It's often a matter of breaking the chain
of processes to 'open up the onion' and regain control of your system.

~~~
chris_wot
Yeah, I know. But I definitely counted at least 12 separate and rather nasty
Browser Object based malware programs. Which is a lot better than Norton and
Trend Micro, who didn't pick them up at all!

------
sarciszewski
[http://www.sevagas.com/IMG/pdf/BypassAVDynamics.pdf](http://www.sevagas.com/IMG/pdf/BypassAVDynamics.pdf)

Anti-Virus is little more than snake oil. If you need to secure a Windows box,
get EMET and read [http://decentsecurity.com](http://decentsecurity.com) and
you'll eliminate most of your attack surface.

    Everyone can be secure.

    It is with those four words this website is founded. Computer, smartphone,
    and online security does not require a degree or years of experience. All
    it requires is someone show you the way.

    You've been sold a lie. You can't buy computer security. It is something
    obtained through configuration and knowledge. Tragically, these aren't even
    hard to do or obscure to learn. But no one makes money telling you how to
    use what you already have. What you need is someone who doesn't care about
    your money or looking smart by spouting off fancy words of no consequence -
    just that you not be a victim.

    It pains me to see people who distrust and fear their computers, and who
    feel powerless in that fear. Because that's not what I see when I look at
    computers and phones and websites. I see tools I trust with the story of my
    life, and the secrets I leave out when I tell that story to others. Everyone
    should be able to feel like that.

    This site does not sell anything. This site does not take donations. This
    site has no one's name on it.
    This site is to fix what is broken. Which is how we teach security.

If you were wondering because it looked familiar, it's run by the same person
behind @SwiftOnSecurity.

~~~
sanderjd
> You can't buy computer security. It is something obtained through
> configuration and knowledge.

Tragically, I believe this is true. But it isn't a great and noble thing that
people must gain knowledge to overcome their powerless fear of computer
technology, it is a failure of technology creators to provide people with
simple tools that they can use without fear.

The problem isn't how we teach security, because hardly anybody should have to
learn security in the first place. That the mainstream public is even aware of
a concern called "security" having to do with their computing tools is already
a failure. I can't think of any other mainstream products that people have to
be so careful with, where they are told it is _their_ fault that they just
haven't gained the expertise necessary to use it without problems.

~~~
sarciszewski
I (and many others far more impressive than myself) am trying to solve this
problem at a fundamental level: Give the developers tools that are secure-by-
default (i.e. libsodium not mcrypt) and teach better development habits. Make
it easier to do the secure thing than the insecure thing.

It might take years, but I believe these initiatives will trickle up and make
the software everyone uses more secure at a base, so it will require less
cognitive load from the end users to communicate safely with each other.

That's the idea, anyway. Time will tell if we can succeed.

~~~
greggman
Wouldn't you be better off solving it by sandboxing? Basically don't allow
programs to do bad things in the first place rather than try and get all
programmers to be perfect. Basically the web (and/or some phone OSes).

~~~
sarciszewski
Sandboxing is good for stopping memory corruption and privilege escalation
bugs. It's not very useful for problems affecting cryptography implementation
flaws, logic errors, out-of-date software, etc.

Those problems are better solved by giving developers better tools and
frameworks that solve these problems for them, that are simple to use and
don't introduce massive security foot-cannons.

(This comment is a minor spoiler to my current project, I suppose.)

------
willvarfar
Why does anyone use any third-party anti-virus programs these days? Why not
just use the Microsoft ones that are free?

~~~
temp
> Why not just use the Microsoft ones that are free?

For one thing, last time I checked benchmarks they showed that Microsoft's
anti-virus not only has worse detection results but also worse performance
than some of the free alternatives.

~~~
infogulch
I am very interested in seeing these benchmarks, as my anecdotal experience is
the complete opposite.

~~~
karyon
On my two machines (with SSDs) I regularly find that copying lots of small
files is severely slowed down by Windows Defender. It utilizes one core to the
max and when disabling it, the copy operation gets a lot faster.

I don't know about other antivirus software though.

~~~
ferongr
I can mirror this experience too. Properly working Intel SSD, fwiw. Mine
impacts not only file copies but also all small-file I/O like listing
directories (Explorer would hang for 1 second entering a new directory) and
the like.

~~~
versteegen
I've had a couple users complain that my program started running really slowly
while they were using Microsoft Security Essentials. It turns out that if a
file contains a "suspicious" pattern of bytes (which in these two cases were
two different user-drawn bitmaps), SE will do some time consuming heuristics
every time you open the file. So opening, reading, closing a file 10 times in
a row is really bad.

------
helper
Tavis is a beast when it comes to finding these exploits. It's always fun
reading his write-ups.

~~~
komaromy
I get more excitement from seeing his avatar in my Twitter timeline than any
other.

------
jhspaybar
Aren't these sorts of zero days worth a LOT of money? He didn't go all the way
to RCE, but he probably could have gotten there. It makes you wonder how many
people are out there with Tavis' skills who just farm these things and sell
them to the highest bidder instead of making us safer.

~~~
sarciszewski
Fortunately there aren't many with Tavis's skills, but you don't need to be
that legendary to find this sort of vulnerability.

Assuming you can identify (skill) and safely sell (anonymity expertise and
market savvy) a zero day, the demand for them is quite limited. (The only
reason the price is so high is that the supply is just even lower.)

Additionally, if you have the market savvy to extract the maximum value for a
0day, you will quickly realize the feast-or-famine nature of unsavory income
isn't great for a stable home life. You might eventually want a day job, and
you can't exactly say "Oh, I helped that virus penetrate your network three
years ago that you just detected last month."

So most people with Tavis's skill levels typically aren't in a hurry to go
rogue.

And the ones that do are more interested in compromising bitcoin exchanges and
drug marketplaces on Tor Hidden Services than they are in spreading malware to
end users. (That's the advertising industry's shtick.)

------
ambrop7
My machine is running CUPS on 127.0.0.1:631 (the local HTTP interface). Does
this mean any web site can print with my printer?

~~~
mey
Potentially depending on how it is secured (if it is), but it warrants further
investigation.

------
smcnally
Interesting posts from Avast explaining how they supply data to their
marketing analytics product from their AntiVirus products:

[https://forum.avast.com/index.php?topic=171725.0](https://forum.avast.com/index.php?topic=171725.0)
[https://blog.avast.com/2015/05/29/avast-data-drives-new-anal...](https://blog.avast.com/2015/05/29/avast-data-drives-new-analytics-engine/)

------
ep103
Aw, I got all excited that someone had actually made a Chromium fork with
basic things, like JS's script security context, completely ripped out. No
HTTPS validity checking, etc.

