It has already taught us a few lessons, and the one I have chosen to stress in this talk is the following. We shall do a much better programming job, provided that we approach the task with a full appreciation of its tremendous difficulty, provided that we stick to modest and elegant programming languages, provided that we respect the intrinsic limitations of the human mind and approach the task as Very Humble Programmers.
It seems to use 7-Zip and/or p7zip binaries.
I'm not sure what other FOSS alternative to use. BandiZip is free (as in beer) but doesn't seem to have an update since Sept, so if it uses p7zip under the hood for 7z, it's also vulnerable.
These are just reasonable (or even necessary) techniques to ensure the security of the product you're shipping. We ought to know better.
This attitude is much of the reason why software security is as bad as it is today. I'll take a little "bloat" over ZIP files being able to install ransomware (and security vs. performance doesn't have to be a tradeoff anyway).
It's the security equivalent of washing one's hands after using the toilet...
It's totally irresponsible.
At least I would assume it is. There are lots of white-hat reports, so...
The fact that 7-zip bugs are rare enough that they make news when they are discovered already says a lot about the overall quality of the code. Many other projects with all the bloaty mitigations and other ostensibly "for security" cruft still manage to create severe bugs on a regular basis.
"If you want more effective programmers, you will discover that they should not waste their time debugging, they should not introduce the bugs to start with."
The way its written, I first took the mention of finding this "during the analysis of a prominent antivirus product" to mean that you were reverse engineering some AV thing and found that it was scanning for this vulnerability (i.e., to protect against bad archives). After a second read, it seems like maybe not, and that the AV itself re-used parts of 7-zip for its own implementation and was therefore vulnerable itself. Still not sure, though.
The way the stylesheet makes the "rendered" form (especially section headings) resemble markdown source is pretty neat.
I admit that this is confusing, so I'll probably try to rephrase this.
Honestly, if they can't even stop viruses from infiltrating closed systems like Android and iOS, I don't see how an anti-virus suite could ever win the battle against a user intentionally installing a virus.
(Of course, desktop apps are a different ballpark than web apps/websites where you're merely connecting to a website vs installing a dedicated application with filesystem access.)
Additionally, I see the entire AV market as a leech that was only able to grow as it had because Microsoft was able to shirk its responsibilities with respect to security for so long. Now that Microsoft are trying to handle the problem the AV companies are crying foul because they think they deserve the right to exist, which means Microsoft shouldn't do too much to help their own customers.
AV companies are the car dealerships of the digital realm. Superficial middlemen ensconced in a bygone era leeching money from the unwary. We should be careful, lest we legally formalize that relationship as we have with the dealerships.
Besides, with the behavior of most free Antivirus I could not really distinguish from common spyware. Everything needs to call home these days ...
So when friends ask me if this computer is now virus/spyware free .. they are usually a bit disappointed when I tell them, probably not, even if we delete everything and remove windows (but it would help).
But most people, including me, need windows from time to time, so it's allways a compromise. But common (free) Antivirus is really just snake oil.
I certainly would say that most of the free anti-virus is pushy, hungry and generally not a particularly great marketing exercise.
Oh and my experience with most of their logs is, that they log and alert allmost everything - even when it is trivial as a tracking cookie - but make it look like a real threat to the ordinary user to show what good work they are doing. And especially on older computer really slow things down.
So I cannot recommend them and rather stress the importance of updates and not mindlessly install/click random things. (but with updates allmost everything important does that automatically now anyway)
Infection attempts by what? Scans of phishing mail attachments they wouldn't have opened anyway? At least if they know what they are doing. In addition, many AV have this annoying habit of reporting quite a bit of false-positives based on sys-calls or some weird heuristics, this leads to the situation where even totally legit software, from a trusted source, triggers a warning.
Which then conditions people to just click past the warning, at that point you might as well not even run the AV at all and instead just scan individual files online through some virustotal-like service and teach proper user behavior.
Due to this dynamic installing a good ad-blocker will probably do more for the security of the average windows user than any AV software ever would.
anectode: a girl in my student flat wanted to give me some file and copied it to her usb-stick. But as she plugged her stick in, a antivirus warning popped up and said very clearly INFECTION DETECTED.
But she just clicked it away and said it does that all the time since weeks ...
And she was a student (for high school teacher), so supposed to be not stupid. But in this case the antivirus was actually one of the better once which mostly only said something if there was something. But to her it had the same meaning as "update me please". Not something to be bothered with her now, as her task was to copy something to the USB stick ...
So yes, definitely also bad conditioned, but also plain stupid. Or overburdened.
So for those people, antivirus (wheter from the os or third party) which really blocks stupid things and scans everything, make sense.
And there are a lot of those people ... in my example it was someone who grew up with computers, but there are still many around who had to learn it much later in life. And they just click onto everything.
These are not false positives. They were not legitimate software from trusted sources. The logs I read were real-world true positives and they were not inconsequential trivia like tracking cookies or the like.
I don't think that in any of the cases the user would have had a warning to blindly click through.
Not entirely sure how an advert blocker can stop email or device-carrying malware.
Infected email attachments, unless they come from a trusted sender, I consider "useless positives" because nobody, with the appropriate training, should be opening them in the first place.
Kinda along the same lines of tracking portscans and counting those as "thwarted cyber attacks", like many government agencies tend to boast about, it's nice for padding stats but is it a real security gain?
Afaik by now one of the most common successful attack vectors is drive-by kits , increasingly served trough advertisement channels. Ad-blockers/disabling Java minimize this risk quite a bit, with low overhead, while having the added comfort of making the web more user-friendly.
Which to me is the most sensible solution, unless one really likes opening weird email attachments and/or plugging in untrusted devices.
> I don't think that in any of the cases the user would have had a warning to blindly click through.
If the user is already careless enough to connect untrusted devices and/or opening random email attachments, then I have no trust in said user to heed any of the following warnings, as he/she already had to ignore previous best practice warnings to get there in the first place.
Don't blame the user, when we as computer scientists are too stupid to build secure systems. I expect from an computer system / software that I don't get infected if I plug in a USB stick or open a PDF file. The software devs of operatings systems and applications as well as hardware vendors are to blame. That's it.
How many users do you administer again?
I imagine that depending on the country you are operating in this might even be a requirement to prevent legal hassle, getting sued for "neglect" if not running AV software and something actually goes wrong but IANAL.
But let's also keep in mind that AV solutions can have the exact opposite effect of what they're supposed to do, from data leakage   to straight up remote code executions . Which isn't that surprising, considering that more complexity is usually a bad thing to add to any system, especially if it's as deep-rooted as most AV suits tend to be.
But yeah, reality is different ...
It catches all the common stuff with high accuracy and only some of the exotic stuff gets through (which would probably be a pass for most other scanners too)
Real security is proactive security (exploit mitigation, sandboxing, correct code, safe languages).
Reactive security kinda sucks. You have to patch known vulnerabilities, sure, but detecting exploits? Ugh. Eww. Do not like.
And indeed users mostly install malware these days, because self spreading (actual "viruses") is hard (we're not in the DOS/Win9x days anymore). So users should be proactive as in not clicking on TotallyNotMalware.exe :)
Instead, today, we see more companies invest in what's called "incident response". Part of a healthy incidence response program is signature detection - AV plays a role in this.
If you don't have good detection capabilities you're missing a huge portion of what makes an organization secure.
Relying on proactive users is also a recipe for disaster and not a realistic goal at all, nor should it be.
When it runs code to detect if it is a virus, you have to trust the sandboxing and frankly I've yet to see a sandbox that at some point hasn't been taken control of and exploited (this goes for web browsers too). So it's better to just not execute code than to trust the AV's VM to execute the code without being compromised.
I use programs on a whitelist basis and only update for security patches. This avoids issues like what happened with Transmission.
AV also detect have pitiful detection rates - something like <50% of exploits daily. It's "something" but once you're compromised you're compromised and using an AV just gives a false sense of security.
E: I imagine the downvotes are from my claims of pitiful detection rates or claims that AV is basically security fanfare. Don't take my word for it then.
Obviously this is an anti malware company PR (but please look at the MS Consumer (defender) failed detection rate). This made me research again the AV landscape and then I found this https://fatsecurity.com/tools/test-results-calculator?compan... A website that seems to aggregate a lot of AV independent tests in an easy to use UI.
MS Defender is not really good now. Even free AV are better and have lesser performance impact than Defender (but obviously come with ads, less privacy, etc.).
(I submitted recently the map to start a discussion about it but did not seem to interest anyone)
The original definition was a piece of code that would latch onto binaries, and be spread that way. And those had telltale signatures (a virus may have added a jump at the start of the binary to the end, where a copy of the virus code resided, and then jumping back to the beginning of the actual program code).
And i am not so sure there is much distinction between visiting a JS heavy site and running a program locally these days. After all, we are seeing the likes of Google exposing USB and Bluetooth via JS APIs now.
This statement does not at all pan out in my experience. It is very rare for me to come across broken applications or a faulty Windows installation because of anti-virus software.
Be a MSP with thousands or tens of thousands of different configurations, all the different antivirus software you can think of, and 20+ years of doing it and you'll see anti-virus break everything you can think of.
AV prevents windows from shutting down.
AV prevents windows from booting up.
AV prevents windows upgrades.
AV prevents windows updates.
AV causes blue screens.
AV quarantines critical windows system files.
AV blocks network resources unexpectedly.
AV cripples network performance.
AV breaks hardware drivers.
AV causes programs to unexpectedly close or crash.
Are just a common list I have to deal with.
I've certainly had problems with anti-virus programs, but no more than I have had with any program, operating system, driver or hardware problem really. Mostly they behave, sometimes they misbehave.
I've rarely seen anti-virus causing shutdown problems. Boot problems have almost always been faulty storage devices or operating system corruption. I've fixed more faulty WU instances that are broken because of Microsoft (recent Win7 authcab problem, IE cumulative years ago, etc). than because of anti-virus. The programs that I have come across that are crashing are rarely solved by removing anti-virus software.
If anti-virus was as widely and horrendously crap as some people keep repeating then I'd know about it because I'd be saying the same thing.
Anyone remember GStreamer being a Linux vulnerability because it had a 6502 CPU emulator to run... NES music files, and hackers managed to jump outside of the VM.
It makes me wonder how easy it is to break out of a particular anti-virus vendor's VM, in a vulnerability that wouldn't exist if you weren't even running AV (outside Defender) at all.
As far as I see it's just section headers, but I agree the stylesheet is very nice. The section header prefix (###) could be an anchor to the section though (<a href="#section">).
Performing the tests on packing the actual 7-Zip source code (as shipped without extras) would be a valid reference suite.
Stack canaries might cause a slight performance hit, but it is usually below one percent, since it creates only a small cost per function call for a fraction of all functions.
2017-12-29 - Discovery
2017-12-29 - Report
2017-12-29 - MITRE assigned CVE-2017-17969
2018-01-10 - Patched version 7-Zip 18.00 released
18.00 is marked as "beta" in the official website, and 16.04 is still at the top of the list. An average person trying to download 7-Zip right now will most likely choose the vulnerable version.
Beta versions of 7-Zip frequently stay in that status for months, if not years. Between 9.20 and 15.12, 7-Zip produced nothing but beta versions for 5 years. I understand the project moves slowly, but this is not a release model that facilitates quick dissemination of important security patches.
That's not all that surprising. The software was 10 years old when v9 came out and the major version number is just the year of release. There aren't 5 major releases that never got out of beta. The major version numbers in 7-Zip are misleading this way because the author doesn't really conform to standard conventions. Of course, that is pretty obvious once you use the software for awhile. It still doesn't properly support UAC.
7-Zip doesn't appear to contain an auto-updater or an "update me" button.
Just checked keka on macOS, and it uses the p7zip code.
Sounds like a fun project.
It may be that the blog post is difficult to understand simply because I have written it poorly...
This is not a vulnerability: