
How to Compromise the Enterprise Endpoint - nnx
https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html
======
cypherpunks01
"Because Symantec uses a filter driver to intercept all system I/O, just
emailing a file to a victim or sending them a link to an exploit is enough to
trigger it - the victim does not need to open the file or interact with it in
anyway."

That seems big. Is there any precedent on AV software vulnerabilities of this
scope?

~~~
zabuni
Worse than that. Apparently, Tavis emailed the exploit to Symantec in a
password protected zip file. He included the password in the body of the
email. The email server, running Symantec, grabbed the password out of the
email, decrypted the zip file, and upon reading the exploit code, crashed
itself.

~~~
cypherpunks01
I very much started reading your post as a comedic sci-fi ending to the
story.. but now I am actually not sure. It would be quite creative to think of
that scenario! Did this happen?

~~~
pfg
I'm afraid this did actually happen[1].

[1]: [https://bugs.chromium.org/p/project-zero/issues/detail?id=820#c1](https://bugs.chromium.org/p/project-zero/issues/detail?id=820#c1)

~~~
amenod
I do not see any indication in the link you posted. Am I missing something?

~~~
pfg
> I think Symantec's mail server guessed the password "infected" and crashed
> (this password is commonly used among antivirus vendors to exchange
> samples), because they asked if they had missed a report I sent.

------
verelo
So, what do people run on their servers / macbooks for AV? Anything?

I was in a meeting just last week with our new "head of Security" who
exclaimed when I stated that neither our Macbooks nor our Ubuntu servers run
any AV software (we run firewalls and things like fail2ban, but no traditional
AV).

I know I'm going to get into a debate with them over this, so, what would be a
good 'win-win' type position for me to fall back on to satisfy this point and
not clutter my machines up with junk, if there is such a thing?

~~~
pfg
The first tool I run on new Macs is osxlockdown[1] (use [2] if you want a UI).
It disables a bunch of features and enables things like the firewall. Make
sure you don't disable things you're actually using, though. I don't run any
AV, but I use OpenDNS Umbrella, a DNS-level malware blocking service with the
capability to switch to "active" traffic filtering (basically a MitM proxy,
though that part is completely optional). It's a neat tool with a nice
dashboard, and the pricing is okay with $20/year.

OSSEC is a great tool for servers, but not the kind of "Let's just throw some
AV at it so we can tick that compliance box" tool many are looking for.

[1]:
[https://github.com/SummitRoute/osxlockdown](https://github.com/SummitRoute/osxlockdown)

[2]: [https://objective-see.com/products/lockdown.html](https://objective-see.com/products/lockdown.html)

~~~
voltagex_
>[PASSED] Disable IPv6

I'd like to see the rationale behind disabling IPv6 outright.

Edit:
[https://github.com/SummitRoute/osxlockdown/issues/4](https://github.com/SummitRoute/osxlockdown/issues/4)

------
walrus01
From the perspective of a person who thankfully no longer has to support any
Windows based platforms:

"Symantec considered harmful"

full stop.

Let's not forget this: [http://arstechnica.com/security/2015/10/still-fuming-over-https-mishap-google-gives-symantec-an-offer-it-cant-refuse/](http://arstechnica.com/security/2015/10/still-fuming-over-https-mishap-google-gives-symantec-an-offer-it-cant-refuse/)

Symantec should have suffered the CA "death penalty" and had its trust removed
from the browsers that hold most of the global market share.

~~~
DavidSJ
What if there were a middle ground between browsers trusting and rejecting a
CA? What if there were a yellow "proceed with caution" warning on sites using
certificates issued by CAs that have very occasionally behaved improperly?

~~~
pfg
If this gets implemented in a way that's clearly visible to the user, the
effects on the CA are almost indistinguishable from the death sentence. The
vast majority of customers would switch to some competitor that's not
affected. Even a handful of saved customer support cases due to this warning
is going to make up for the cost of switching. Most importantly, if users are
confronted with warnings all the time, they become increasingly oblivious to
them and might very well click through more important warnings down the line.

------
e40
It's hard for me to believe that anyone uses this crap software. A few years
ago I spent hours uninstalling it for a friend. It has slowed his laptop to a
crawl and he was about to buy a new one. After the uninstall, it was snappy
enough to use for a few more years. Really, that software is some of the worst
I've ever witnessed, and I've seen some shit.

~~~
dvhh
Before windows 10, windows antivirus were the best advertising for Apple
computers

~~~
nnx
What has Windows 10 changed on this front?

~~~
sjg007
Presumably now Windows 10 is the best advertisement for Apple

------
tdullien
A note for everybody asking "why on earth does anybody run this software":
When my company had to get corporate liability insurance in 2007/2008, the
actual insurance contract stipulated "having AV installed on all machines". We
did solve it by having an unused folder with ClamAV on every box, but I was
impressed by the fact that AV is pretty much legally mandated for enterprises.

~~~
Mango_Diesel
This is very common in boilerplate enterprise contracts. They will often have
provisions about compliance with certain security and disaster recovery
standards.

------
paradite
I always wonder why, despite all these flaws and vulnerabilities, big
enterprises still use them.

Is there some kind of "compliance" or "regulation" that mandates companies to
install them on every workstation?

~~~
nol13
Well would you want to be the guy (or gal) responsible for explaining why all
your computers don't have A/V installed after an infection?

~~~
paradite
I would have made that argument a few years back when 3rd party A/V was the
only choice. But now you have the built-in Windows Defender, which is a valid
A/V, so why not upgrade your OS and get it for free?

~~~
reitanqild
Some endpoint VPN solutions scan the PC to try to make sure it is secure.
Some of these might not recognise or accept all antivirus solutions.

(Source: doing remote support)

------
tmandry
A bug in their software would be forgivable. This article pointed out both an
extremely poor design decision (lots of unnecessary code in the kernel) as
well as a serious organizational problem (not doing vulnerability management).
These are especially bad considering that they are supposed to be a security
company.

In both cases, one bad example means it's likely there are many more still
undiscovered.

------
yuhong
Win32k before Win10 used to do TrueType/Type 1 parsing in the kernel, with an
entire bytecode virtual machine!

~~~
fdsaaf
So what? Linux, today, has a full bytecode interpreter

~~~
internals
Bigger attack surface in the kernel, for something that doesn't need to be
there, and that is historically very difficult to code securely.

------
jacquesm
Anti virus is like a compromised immune system: it joins the other side and
will help to kill the host in short order. It's a miracle these companies are
still in business and it is very sad to see Peter Norton's name dragged
through the mud like this over and over again.

------
wallflower
Many years ago, installing Malwarebytes Anti-Malware dramatically reduced the
amount of on-site technical support calls for my well-meaning but too trusting
("I just clicked on it") parents. This was before I was able, with the help of
my brother-in-law, to convert them to Apple/Mac.

Is Malwarebytes Anti-Malware still the gold standard for Windows Malware
protection? What is the gold standard for Windows virus protection now?

~~~
Afforess
The gold standard is now Apple macOS or Linux. I've converted my parents over
to Apple systems and no longer have to do any support for them, Apple products
"just work". Worth the premium in saved support, in my book.

I use Ubuntu as my main OS, personally.

~~~
yuhong
To be honest, Mac OS X does have things like Gatekeeper.

~~~
shortstuffsushi
Do you mean MacKeeper? Gatekeeper is Apple's software that prevents you from
installing non-verified apps; MacKeeper is (from what I can tell, haven't
installed it or looked at the site) spamware.

------
ngneer
IMHO, the security industry has been guilty of adding complexity to existing
systems rather than doing its duty of stripping it away.

~~~
kbenson
I'm not really sure I consider McAfee, Norton and the like the security
industry. They're definitely a _part_ of it, but in the same way car
dealerships are part of the auto industry. They provide a service, but there's
a real debate to be had about whether they are more beneficial or harmful.

~~~
ngneer
Fair point, though at times it seems that the markets and regulators in this
space tend to favor turnkey products, appliances, et cetera. To ride on your
car analogy (pun intended), one finds it is not easy buying directly from a
manufacturer, the heavy bias is towards the dealerships.

------
electic
The software you buy to keep you safe actually exposes you to more risk than
if you didn't buy it. How ironic.

~~~
wmt
How much more? I always imagined that it's more likely for a standard user to
open every email attachment and execute it than it is to get targeted by a
malicious attacker who knows what software your users are running and writes
exploits tailored for them, but I could be wrong.

~~~
djrogers
No tailoring required with something like this since it's worm-ready: blast
out a ton of emails to seed the worm, then, post-exploit, the worm emails
itself to everyone in your address book. It won't take too long before a
significant portion of the vulnerable systems in the world are infected.

See Blaster, Slammer, CodeRed for historical examples....

------
sverige
Isn't Norton antivirus itself malware? And McAfee too, for that matter? I
finally convinced my mom and my wife to stop downloading it every time they
update Adobe Flash. (Yes, they still do that. On Windows, of course. Sigh. One
thing at a time.)

~~~
yuhong
At least it is only McAfee Security Scan, which doesn't seem to have the kernel
stuff.

~~~
rincebrain
I thought even Security Scan had the {network, FS} filter drivers?

------
shortstuffsushi
Here's a question I have every time I see "RCE" type issues, and I'm
completely serious when I ask: what is the use case for allowing remote
execution in your software? Why would you want to allow arbitrary code to be
executed? Or am I perhaps misunderstanding this, is it some sort of break out
of the program bounds which allows execution?

~~~
Buge
It's a vulnerability. No one wants it (except attackers).

Of course there are some situations that some people actually do want
(controlled) remote code execution, such as ssh.

------
a_c
What are the reasons one would want to use an antivirus? Can someone share
some insight on how antivirus actually works?

~~~
quantumhobbit
Traditionally they scan files, either in a batch job or on the fly, to see if
the file matches a signature, basically a hash, of known viruses. This worked
when there were only a couple thousand viruses in the wild. Now this approach
is pointless because there are so many viruses that the odds of the antivirus
having seen it before are effectively zero. Not to mention that the
countermeasures virus writers take make this even harder.

~~~
iancarroll
Signatures are definitely not hashes. They usually match families of malware
or methods of obfuscation. Nor do any respectable AVs scan after something has
started running...

AVs usually upload suspicious files from user PCs for further analysis to help
aid in discovering new variants/types. The odds your AV has seen it are
proportional to the odds of you running into it.

The industry is moving away from signatures regardless. Now AVs use runtime
heuristics to spot bad behavior of executables and block them even if they've
never been seen; Cylance literally only does this and it's pretty effective.
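
The distinction drawn above (exact hashes versus family signatures) is easy to see in code. The following is an added illustration, not code from the thread or from any AV vendor: it scans constructed, synthetic byte strings (not real malware) with two detectors, an exact SHA-256 allow/deny lookup and a byte-pattern signature with wildcard bytes in the style of ClamAV/YARA hex strings. A variant with one immediate value changed defeats the hash lookup but still matches the family pattern, which is why signature databases outlive the "one hash per sample" model. The sample names, the pattern and the `??` wildcard syntax are assumptions for this example.

```python
import hashlib
import re

# Constructed sample "files" (synthetic bytes, not real malware):
# two variants of one fictional family and one benign file.
# The family marker is "push imm32; call rel32" with a fixed call offset;
# the variants differ only in the pushed immediate.
SAMPLE_A = b"MZ\x90\x00" + b"\x00" * 8 + b"\x68\x41\x42\x43\x44\xe8\x10\x00\x00\x00" + b"PAD1"
SAMPLE_B = b"MZ\x90\x00" + b"\x00" * 8 + b"\x68\x99\x88\x77\x66\xe8\x10\x00\x00\x00" + b"PAD2"
BENIGN = b"MZ\x90\x00" + b"\x00" * 8 + b"\x55\x8b\xec" + b"okay"

# Hash-based "signature": the exact digest of a sample the vendor has seen.
KNOWN_HASHES = {hashlib.sha256(SAMPLE_A).hexdigest()}


def hash_detect(data: bytes) -> bool:
    """Detect only byte-for-byte identical copies of a known sample."""
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES


def compile_signature(sig: str) -> re.Pattern:
    """Turn a hex string with '??' wildcard bytes into a bytes regex.

    Assumed syntax: space-separated hex bytes, '??' matching any single byte
    (the same idea as ClamAV / YARA hex strings).
    """
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


# Family signature: pushed immediate is wildcarded, call offset is fixed.
FAMILY_SIG = compile_signature("68 ?? ?? ?? ?? e8 10 00 00 00")


def signature_detect(data: bytes) -> bool:
    """Detect any file containing the family byte pattern."""
    return FAMILY_SIG.search(data) is not None


def scan(data: bytes) -> dict:
    """Run both detectors and report which one fired."""
    return {"hash": hash_detect(data), "signature": signature_detect(data)}


if __name__ == "__main__":
    for name, blob in (("SAMPLE_A", SAMPLE_A), ("SAMPLE_B", SAMPLE_B), ("BENIGN", BENIGN)):
        print(name, scan(blob))
```

Running it shows SAMPLE_A caught by both detectors, SAMPLE_B (the re-packed variant) caught only by the family signature, and the benign file caught by neither; the real-world caveat is the opposite failure, a wildcard pattern loose enough to fire on legitimate code, which is why vendors test signatures against large clean-file corpora before shipping them.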

~~~
newjersey
Sounds like the same old snake oil to me.

> if being “part of a community” means we need to share our algorithmic,
> unique conviction engine with Big AV so they can steal our convictions, then
> yes we will not be able to meet that criteria.

I have no love for Symantec but this new breed of security software can go
screw itself for all I'm concerned.

------
NetTechM
Quite a few major enterprises use SEP/SEPM in combination with other IPS/IDS.
Time to make sure everything is updated I suppose. Good work project zero.

------
beedogs
I've been saying this for years, but when are people going to realize that
running Norton on your PC is actually worse than not running AV software at
all?

------
Jedd
In the fast-moving world of IT security it's refreshing to see that Symantec's
web site makes no mention of these profoundly important vulnerabilities on
their landing page.

They don't seem to have any Status / Current Alerts style pages -- but on
their somewhat hard to find blog page we find the most recent update from the
guys is from two days ago:

"Malicious app found on Google Play, steals Viber photos and videos"

[http://www.symantec.com/connect/symantec-blogs/symantec-security-response](http://www.symantec.com/connect/symantec-blogs/symantec-security-response)

EDIT: Oh, they have a Vulnerabilities page -
[https://www.symantec.com/security_response/landing/vulnerabi...](https://www.symantec.com/security_response/landing/vulnerabilities.jsp)
- with the most recent entries listed as 13 days ago (blimey that US
mm/dd/yyyy date format is uncomfortable).

~~~
Jedd
Symantec have described some vulnerabilities that sound like these ones, dated
2016-06-28 (no time) here:

[https://www.symantec.com/security_response/securityupdates/d...](https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_01)

Detailed description and credits sections don't seem to be in complete
alignment with details of OP, but I may be misreading.

~~~
RachelF
I don't think that they have much to do with the OP. The OP's post is easy to
understand, Symantec's seems to be corporate double-speak.

The more important question is what should Symantec/Norton users do to prevent
being exploited right now?

------
FuturePromise
Windows 10 has a built-in antivirus that's very effective, safe, and doesn't
impact system usability. There's little reason for anyone on Windows 10 to run
Symantec/Norton.

~~~
snarfy
> and doesn't impact system usability.

I have to disagree with this statement. It's kind of a resource pig, actually.
When it got to the point it was affecting my day-to-day productivity, I
deleted MsMpEng.exe from my hard drive, and now my machine is snappy and
responsive again.

~~~
nix0n
I used to have this problem, but then I configured it to run scans overnight.

------
Kenji
I am not surprised in the least. Norton Antivirus is one of the worst of its
kind. I've used it for many years. Every single virus/trojan/adware infection
I got went straight through Norton Antivirus without it doing _anything_. Back
as a kid I opened a lot of downloaded executables, like games, and some of
them were infected. Later, I got more cautious with executables but got rid of
all antivirus software - best software decision ever. My computers have never
been faster.

------
Figs
> googleprojectzero.blogspot.my

Why is this linked to on a .my domain? Is this an official mirror, or is there
something sketchy going on here?

~~~
pfg
Blogspot, for reasons that defy logic, redirects visitors to "localized"
domains (I assume via Geo-IP). OP is probably from Malaysia.

Not only is it incredibly annoying and breaks things like URL deduplication,
it also leaks your origin when you share links. What a great feature!

~~~
tushar-r
>Blogspot, for reasons that defy logic, redirects visitors to "localized"
domains (I assume via Geo-IP). OP is probably from Malaysia.

Because a whole bunch of countries keep wanting to block stuff. So:

[https://support.google.com/blogger/answer/2402711?hl=en](https://support.google.com/blogger/answer/2402711?hl=en)

If we receive a request to remove content that violates local law, that
content may no longer be available to readers on local domains where those
laws apply. Note: Country-specific domains is not a different blog address,
but a domain redirect based on the country where you're currently located.

~~~
pfg
I'm having difficulties understanding this. If Google receives a request to
remove content from some specific country, I would assume they are doing this
based on Geo-IP rather than based on the domain users enter. It wouldn't
really make sense otherwise, as the link to the blocked content would not
necessarily need to use the localized domain, so this would be ineffective. It
seems like an unimportant implementation detail - one that seems to do more
harm than good.

~~~
lmm
It means countries that want to block certain content can block all the other
blogspot.* domains. i.e. blogspot.us is a site that they promise will only
ever contain content that's legal in the US, so any country-level firewall in
the US should leave that site unblocked, and so on.

~~~
pfg
That still seems like an odd trade-off. The same logic should apply to things
like YouTube and Google+, but they don't have a ccTLD redirect for those
sites.

~~~
lmm
Blogspot is older (and/or maybe put more thought into it early on - a blogging
platform is naturally a speech medium whereas YouTube may not have thought of
itself in the same terms), country-level firewalls are a lot more
sophisticated these days.

