1. 41

  2. 3

    I’m a little confused by how a link could trigger this. Does Symantec intercept all read() syscalls or something? So you could send a really big link and trigger a buffer overflow?

    1. 6

      Because Symantec use a filter driver to intercept all system I/O

      1. 3

        I read that, but I couldn’t believe operating systems would let an application do that? Is that true of all OSes? What are the legitimate use cases?

        1. 4

          For filter drivers specifically, wikipedia mentions some use-cases, although it seems to me that those use-cases don’t actually need to be in a driver.

          To nitpick your question just a bit, it’s a driver, not an application of the kind one might install on their smartphone on a whim.

          Because drivers require low-level access to hardware functions in order to operate, drivers typically operate in a highly privileged environment and can cause system operational issues if something goes wrong [wiki/Device_driver]

          Is letting users install drivers that run in ring0 (i.e. like-the-kernel) a bad idea? Seems that way. Is it possible to provide “low-level access to hardware” without running code in ring0 unhindered? Yes, but there are trade-offs with performance and complexity.

          Remember that these are the same kinds of programs as those which talk to a video or a network card. Surely we want to allow third parties to make hardware with an interface “on an equal playing field” with the kernel. Surely we don’t want to add layers of abstraction or security constraints which slow things down there. Surely it’s easier to make sure everyone who writes code there is really really careful, given the risks.

          What I understand least about all this is the lack of a reaction here.

          1. 5

            Why should it? Is this news realistically expected to impact their sales forecasts? Honestly, even if investors did care about this sort of stuff, Tavis has been hammering away at AV products for a while now and found horrendous vulnerabilities in the majority of the big players. If there’s a secure alternative AV product out there, I’ve yet to hear about it.

            1. 4

              Is this news realistically expected to impact their sales forecasts?

              Presumably people buy Symantec products to improve rather than degrade workstation security; it’s their whole value proposition, and this would seem to cast significant doubt on that. You might argue consumers are unlikely to even hear of this bug, but Symantec has a lot of enterprise customers, I’d expect a majority of their net at this point, who should have someone who can both make purchasing decisions and whose confidence in the company is shaken by this finding.

              1. 2

                Oh, I’d definitely be disturbed and have lost some/a lot of confidence if I was a Symantec customer. My point is I don’t think they’re substantively worse than the competition. So there’s still going to be the same demand for security software, and I can’t see this news causing people to jump ship. Honestly, the PR impact is going to be far more dictated by their response to the flaw and speed of patching than the flaw itself.

                1. 1

                  All AV software has remote code execution vulns in ring0 on their main platform? Citation required.

                  Writing secure software isn’t impossible or even hard, it’s about putting in the effort. Google is putting in the resources to reverse engineer and find errors in Symantec’s shoddy work, ostensibly because they care about security. If Symantec cared enough, they’d have hired someone like Tavis to do code reviews.

                  The most straightforward conclusion seems to be that Symantec isn’t in the security business, but in the bureaucratic ass covering business. Their flagship products do not add to an organization’s security and are obsoleted by modern methods of sharing documents and distributing applications. There might still be useful work to be done in scanning websites for exploits before a browser renders them, but with evergreen browsers now the norm, the amount of time between an attack being used and fixed is a lot shorter than it used to be.

                  What am I missing?

            2. 4

              What I understand least about all this is the lack of a reaction here.

              Because society cares very little about computer security unfortunately.

      2. 3

        <ironic>I believed that an antivirus was made to protect us, not to add additional weakness. I’m sooooo disappointed … </ironic>

        1. 4

          I have a long-held conspiracy-theory belief that anti-virus companies contributed to the development of new viruses, at least back in the 90s/00s. What better way to keep selling your product than to have to constantly update it with new virus definitions. Oh, your virus scanner picks up more viruses than the competitor’s? Surely it’s not because you secretly funded the development and release of those new viruses.

          I feel the same unease with other companies that provide protection services like DDoS and e-mail spam filtering. They can’t be too effective or they’ll put themselves out of business, so there has to constantly be a threat looming.

          1. 5

            On the one hand, I’m sympathetic to why people take that viewpoint, as it does make some sense in a conspiratorial way. But it’s a bold claim and you’d think there’d be proof, even if only due to one or more of the numerous people who would presumably have to be involved coming forward and spilling the beans.

            The closest I’ve seen w.r.t. AV/Security companies actively working to make systems less secure (uh, intentionally at least), was the fuss several made when Microsoft banned various kernel programming techniques on 64-bit Windows that were in widespread use by AV companies (and malware authors). They lost that battle, because they didn’t really have a leg to stand on, but they certainly tried, and it looked pretty appalling.

            From a strict business PoV, it honestly doesn’t make sense to fund malware authors or similar. Most computers are not going to be able to go without AV or related security software in the foreseeable future, as sad as that is. Software is too vulnerable, written too hastily, with little regard to quality or formal review, and the attack surface of general-purpose computers is simply gigantic. Even if you run a software whitelisting policy, that doesn’t help you with all the files the whitelisted software legitimately has to open (Office documents, PDFs, web content, etc.). We’d need a seismic shift in computing & software architecture, and right now, I see no evidence of that happening any time soon.

            1. 5

              But it still is kinda weird. To reduce the attack surface, you increase it by installing “anti-virus” software.

              The “solution” is already there: sandboxing and curated app stores together with automatic (security) updates, assuming you don’t care about the FSF’s 4 freedoms or your privacy. You are pretty safe using a Nexus or iOS device that is still supported by Google/Apple.

              1. 12

                I’m glad Microsoft finally made their own anti-virus. They should be the best at writing one, as far as security and OS integration, and would have the least incentive to inflate the numbers of viruses found.

                1. 1

                  I don’t see why someone couldn’t come up with a freedom-compatible sandbox …

              2. 3

                I feel the same unease with other companies that provide protection services like DDoS and e-mail spam filtering. They can’t be too effective or they’ll put themselves out of business, so there has to constantly be a threat looming.

                As a seller of a personal data encryption product, I completely agree. The thing is, there are some small businesses out there (like mine) that would happily choose to go out of business if that meant solving the problem. And, at the same time, there may even be large businesses that are sufficiently diversified (like Apple or Google) that are OK with killing off an arm if it means getting two legs. Or something.

                To quote myself:

                The best companies are the ones that expect and encourage the demise of their own industry.