
Archive Formats Kill Antivirus Products

kdawson posted more than 6 years ago | from the fuzz-in-the-zip dept.

Security 115

nemiloc sends us to the F-Secure blog for breaking news about widespread vulnerabilities in programs that process archive files: "The Secure Programming Group at Oulu University has created a collection of malformed archive files. These archive files break and crash products from at least 40 vendors — including several antivirus vendors... including us." Here is test material from OUSPG and a joint advisory from Finnish and English security organizations. It isn't news that security products can have security vulnerabilities. What makes this advisory important is that antivirus software is a perfect target. It is run in critical places with high privileges and auto-updates to keep versions coherent.

115 comments

That's nothing (5, Funny)

Anonymous Coward | more than 6 years ago | (#22785666)

Windows can crash over 9000 products.

Re:That's nothing (0)

Anonymous Coward | more than 6 years ago | (#22786104)

"What does the antivirus scanner say about his virus infections?"

"IT'S OVER NINE-THOUSAAAAND!!!"

Re:That's nothing (0)

Anonymous Coward | more than 6 years ago | (#22790178)

So, does that mean my computer will get AIDS?

Re:That's nothing (0)

Anonymous Coward | more than 6 years ago | (#22791334)

Sure enough - it seems that Windows crashes itself when you try to load the files from the CD! Bullocks with "not vulnerable". Wonder how many others listed as "not vulnerable"?

first! (0)

Anonymous Coward | more than 6 years ago | (#22785682)

first!

Re:first! (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22786250)

zeroth!

Secure Platform without Anti-virus (4, Insightful)

SpaceLifeForm (228190) | more than 6 years ago | (#22785684)

Is probably more secure.

I don't need to mention names, you know.

Re:Secure Platform without Anti-virus (5, Insightful)

JeanBaptiste (537955) | more than 6 years ago | (#22785756)

Cool. I need to run MS SQL server, it's the only one that my company's workflow software will run on. Also our enterprise app is all written in ASP. We also have lots of Exchange users. It would probably take years and years to convert all these things over to something else, probably with downtime and data loss.

Your 'solution' may work for some, but probably not for most, and for the rest of us, that's what these articles are posted for!

Re:Secure Platform without Anti-virus (5, Insightful)

TheRaven64 (641858) | more than 6 years ago | (#22785866)

That's okay, the money has already been allocated, because you factored in the cost of migrating away from the platform as part of the TCO. You did include migration costs in your TCO calculations when purchasing the workflow software and Exchange, right?

Re:Secure Platform without Anti-virus (1)

JeanBaptiste (537955) | more than 6 years ago | (#22785930)

migration generally does not mean an entire re-write of everything from the ground up, which is what this would be.

Re:Secure Platform without Anti-virus (0)

Anonymous Coward | more than 6 years ago | (#22786240)

Wow, sounds like whoever architected your solution really screwed the pooch!

Re:Secure Platform without Anti-virus (3, Informative)

Neil Hodges (960909) | more than 6 years ago | (#22786550)

You had to write it up the first time with Exchange (and so forth), didn't you? Wouldn't that have added to the 'TCO' of setting up your first system?

Re:Secure Platform without Anti-virus (0)

Anonymous Coward | more than 6 years ago | (#22786706)

All you have to do is change your data access layer of your application to migrate away from SQL Server/Exchange, no big deal, relatively speaking.

Re:Secure Platform without Anti-virus (2)

SatanicPuppy (611928) | more than 6 years ago | (#22787698)

No. We factored in the costs of losing our jobs because the PHBs wanted Exchange.

Seriously. I love Linux, but treating people like they're morons for having to support a Windows system is unrealistic.

Re:Secure Platform without Anti-virus (1)

call-me-kenneth (1249496) | more than 6 years ago | (#22788036)

There is only one good thing about small town
There is only one good use for a small town
There is only one good thing about small town
You know that you want to get out

When you're growing up in a small town
You know you'll grow down in a small town
There is only one good use for a small town
You hate it and you'll know you have to leave

-Lou Reed

Re:Secure Platform without Anti-virus (0)

Anonymous Coward | more than 6 years ago | (#22788776)

i like the part where he says "little pink houses for you and me!!!"

Re:Secure Platform without Anti-virus (1)

cobaltnova (1188515) | more than 6 years ago | (#22786132)

Three (two?) words: Vendor lock-in.

Re:Secure Platform without Anti-virus (2, Insightful)

jimicus (737525) | more than 6 years ago | (#22786906)

Three (two?) words: Vendor lock-in.

Unless your employer is prepared to pay for code to be written specifically for every little business requirement that no half-decent Free solution exists for, I defy you to avoid vendor lock-in. Commercial applications with fully documented data schemas are more or less non-existent.

Email solutions are easy. They've been done to death. So have office applications - wordprocessors, spreadsheets, that kind of stuff.

Groupware is harder, but not impossible. It becomes much harder, however, if "seamless Outlook or similarly featureful client app integration" is a requirement.

Accounting solutions aren't easy either - they're boring to write and have to account for every nation's tax legislation in their localisation - and they need to be updated rapidly if that legislation changes. Neither is payroll for much the same reason. Even if the app vendor hasn't tied their app to a specific database (unlikely), they'll have the most horrendous schema with zero documentation.

As soon as you get into the realm of particularly specialist software for a given market, forget it. The goal of business is to make money for the investors, not a bunch of unknown software developers, so if something off the shelf can be purchased for a quarter of what it'll cost for something to be custom written, guess what will happen. Vendor lockin is a bridge that shall be crossed when it is reached.

Re:Secure Platform without Anti-virus (4, Insightful)

Ed Avis (5917) | more than 6 years ago | (#22786174)

I need to run MS SQL server, it's the only one that my company's workflow software will run on.
Have you investigated porting to Sybase? It's pretty similar.

Also our enterprise app is all written in ASP.
Have you looked at Chili!Soft ASP? Or if you're using ASP.NET, Mono?

We also have lots of Exchange users.
Gotta admit, this is harder to migrate from once all your data is locked up in those binary PST files.

But you have a point that many people, yourself included, are stuck with Windows. It wouldn't be easy to migrate. Much more convenient to buy some crappy virus scanner and keep the plates spinning.

Re:Secure Platform without Anti-virus (1)

Skater (41976) | more than 6 years ago | (#22786946)

We also have lots of Exchange users.
Gotta admit, this is harder to migrate from once all your data is locked up in those binary PST files.
My workplace is soon switching from Domino/Lotus Notes to Exchange/Outlook.

I'm not sure whether to laugh or cry.

Re:Secure Platform without Anti-virus (1)

monsted (6709) | more than 6 years ago | (#22793030)

Laugh. Even if Exchange/Outlook is the root of all evil (I quite like it, actually), it's still a far better product than Notes.

Re:Secure Platform without Anti-virus (1)

prshaw (712950) | more than 6 years ago | (#22787104)

>>once all your data is locked up in those binary PST files

I have heard this mentioned a few times. Where are these binary PST files? Is that where the exchange server is storing everything in? One big PST file?

I know that on my home system we don't have PST files on the workstations, all the data is stored on the exchange server and I cannot find any PST files there. I need to find them so I can get them backed up. Otherwise the Exchange backups that I do make probably aren't worth much.

Re:Secure Platform without Anti-virus (4, Informative)

Drantin (569921) | more than 6 years ago | (#22788054)

Normally, in order to keep the system functioning nicely on large systems, the users will have mailbox limits, in order to keep older mail they create personal archive files (or whatever they're actually called) These archives with the extension of PST allow them to move mail from the exchange server into them and they have room for more mail while keeping the old stuff...

Re:Secure Platform without Anti-virus (0, Troll)

beckerist (985855) | more than 6 years ago | (#22787216)

Sybase / Adaptive Server Anywhere (as it's called now) is NOT ANYTHING like MSSQL. OLE DB vs ODBC, MSSQL requires an insane amount of resources comparatively, many syntax differences including table referencing, restoring, OS commands (ASA can run in Linux.)
Licensing for ASA is about 20% the price of MSSQL. MSSQL CAN do indexed views and multiple triggers, where ASA cannot. Naming conventions are shorter in ASA.

Also, don't even get me STARTED on security. I work for a software dev company that uses both platforms and I still refuse to touch MSSQL if I can help it. Not because I'm anti-Microsoft but because there are so many fundamental differences between the two that I'm not willing to completely relearn a "new" SQL syntax for it. I feel bad if you're stuck with MSSQL but migrating to ASA FROM MSSQL would suck even worse in my opinion.

Re:Secure Platform without Anti-virus (1)

deroby (568773) | more than 6 years ago | (#22788770)

Funny, I "grew up" on MSSQL (6.5 and up), and although I'll admit that 2005 and 2008 are starting to look more like a development platform rather than a RDBMS, my experience with Sybase (ASA) has been more or less identical to yours towards MSSQL.

I guess it all comes down to what you're used to. IMHO both are adequate at what they do, it's just that none of us likes to change / turn away from what he knows best.

PS: a "few" years ago (around 2002 I think) we spent several months working with some (very smart) guys from Sybase and as far as I remember, most of the "porting" was linked to working around the limitations of Sybase (4k vs 8k pages, some stuff simply not being possible, no job-agent, no DTS, ... and that was mssql7 which was still very close to its Sybase roots), in the end management got anxious about the entire port getting too expensive and ditched the project, it was an interesting experience none the less. Haven't looked into ASA since, so probably my 'vision' is way backdated now. When I come to think of it, a major lack of GUI didn't help either, I sincerely hope that 'gap' has been closed now...

Re:Secure Platform without Anti-virus (0)

Anonymous Coward | more than 6 years ago | (#22787746)

We also have lots of Exchange users.

Gotta admit, this is harder to migrate from once all your data is locked up in those binary PST files.


Ummm, have you ever used Exchange? Exchange does not store data in PST files.

Outlook can store data in a PST file (but doesn't have to). Exchange & Outlook are completely separate programs that can be used independently from each other. Both Exchange & Outlook support pop & imap. There are some advantages to running Exchange & Outlook together though.

And yes, PST files are a proprietary binary format from Microsoft, but there are lots of import/export/repair/archiving/backup tools out there for PST files (and for Exchange).

There is one killer app that prevents a company from using exim/courier/qmail/maildir/mbox for their email system: you will get a second-rate blackberry experience. To take advantage of the real power of the blackberry platform, you need a Blackberry Enterprise Server (BES) from RIM. BES only runs on windows, and requires Exchange, Notes, or Groupwise. Take it or leave it.

Without a BES, you can use the free Blackberry Internet Service (BIS) from your cell phone company, but BIS is a joke compared to BES.

Re:Secure Platform without Anti-virus (1)

Deagol (323173) | more than 6 years ago | (#22788474)

I'm sorry, but *any* system that stores email in a binary database is simply lame. Period. Really, the only decent format is something like the Maildir [wikipedia.org] format -- where each message gets its own file. It's as close to elegant for mail storage as you can get these days, easy to backup/restore, less prone to breakage (mbox, here's looking at *you*), and is easy to otherwise massage and manipulate via automated means. Sure, you can't run SQL queries for finding content, but find+grep sure does one hell of a job in that department.

The fact that there's a cottage industry for "import/export/repair/archiving/backup tools out there for PST files (and for Exchange)" speaks volumes about the underlying approach itself: it's fragile and not worth using.

I'm not bashing Windows or Exchange, specifically, but *any* system that stuffs email into a database. I assume this includes Notes/Domino and other like systems. I'm pretty sure there are UNIX solutions (Free, free, or otherwise) that fit this classification as well. It's simply a bad, bad approach to email, whether it's on the server *or* the client -- in which case Exchange/Outlook gets two thumbs down.

Re:Secure Platform without Anti-virus (0)

Anonymous Coward | more than 6 years ago | (#22787868)

most exchange users are IMAP aren't they? no .PST's there...

Re:Secure Platform without Anti-virus (0)

Anonymous Coward | more than 6 years ago | (#22790664)

I no longer use MS Office at home. Outlook is the only thing I miss. I miss those PST files. All of my mail was right there in one file, easily backed up and ported to another computer. Don't give me the PST corruption flak. That was a problem in the pre-Outlook 2000 days, but I have not seen a PST go bad since Outlook 2000. However, I find it a nice, organized practice to sort mail into different PSTs by year. I found it quite easy to import my PST into Thunderbird, which I believe uses the standard mbx format. What sucks is trying to import Novell Groupwise mail into Outlook/PST. Or trying to go back to Outlook/PST from mbx format. I MISS MY PST!!!

Re:Secure Platform without Anti-virus (2, Interesting)

fred fleenblat (463628) | more than 6 years ago | (#22786188)

Also, this isn't a FOSS vs. Microsoft thing even though many people make it out to be. For maximum protection against malware I'd actually go for Oracle on Solaris or AIX, all of which are closed source.

hmm, actually, if only for virus protection... (1)

someone1234 (830754) | more than 6 years ago | (#22786326)

I'd go with trying Eniac.

Re:hmm, actually, if only for virus protection... (2, Funny)

Chris Mattern (191822) | more than 6 years ago | (#22787102)

Are you kidding? Do you know how long it's been since Eniac came out with security update patches?

Re:Secure Platform without Anti-virus (2, Interesting)

bryce4president (1247134) | more than 6 years ago | (#22787944)

Last time I checked we don't run anti-virus on our IBM midrange servers...hmmmm... but IBM is so old that it's not even cool to try to hack it right?

Re:Secure Platform without Anti-virus (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#22786898)

Wow, I've never seen a person so proud of having gotten locked-in in a very stupid manner before.

Re:Secure Platform without Anti-virus (4, Insightful)

IllForgetMyNickSoonA (748496) | more than 6 years ago | (#22787118)

This is a usual argument, I know. However, each time I read it, I can't help but to ask myself "whose fault is it?" The answer is obvious, isn't it?

It's unfair to pretend non-MS solutions are somehow expensive because it's so hard to break free from MS once you allowed yourself to get hooked into their proprietary world. You could just as well have developed your enterprise apps in something other than ASP, couldn't you?

OK, I know I'm probably barking up the wrong tree here - probably it's not *your* fault after all. But I guess you know what I'm trying to point out.

Re:Secure Platform without Anti-virus (1)

WNight (23683) | more than 6 years ago | (#22788946)

That, and what's the cost to reimplement the system or port the data knowing what you now do?

Even if Outlook/Exchange were totally a black box, you could still write a screen scraper (like UI testing apps do) and export the data as maildir + data which could be stored in a DB, for anything not email related (calendar, etc).

You might have a huge clunky 500kloc business system that is essential to the company. But could it be replaced by an off-the-shelf CRM, issue-tracking, and a much smaller, leaner reimplementation of the essential functionality in a modern fashion?

This is an example of throwing good money after bad. They built the system, it barely works with the efforts of a team of geniuses - it MUST be good. Something that good has to be valuable, and hard to create (see the value), so it could never be rewritten in.

It's a joke how some companies do software engineering.

I mentioned writing a nifty test CRUD/RWUD website in Rails and how I thought my clients would like something similar. A coworker cited some 'rails is doomed' article on how rails can't scale and explained how it wasn't right to do the job in less than Java, because it's what banks use, and then he keeps going on about enterprise beans...

Many clients I've worked with seem to have started a project with him.

They pick the safe industry standard language, Java or C++, and a host of third-party additions for both. Then they proceed to UML-diagram their software patterns and it gets really crazy. A hundred-thousand lines of support code later and they're ready for the actual business logic.

It'd be a joke, if it wasn't everywhere. And infectious. Once they've wasted a fortune on development they'll never investigate something cheaper.

In other companies, the sysadmin is also a hobbyist programmer. In a few slack weeks he rewrites the system in Rails, and because hardware has increased ten-thousand fold in terms of speed and storage since the original was spec'ed, it performs better than the original did even if it doesn't "scale" well.

Anyways, it's all dependent on the client being able to see what of their code/data they really need. If they say it's ALL the most precious, every last line of it, they're doomed. It can be really hard for them to admit they might have been wrong all that time.

Re:Secure Platform without Anti-virus (1)

call-me-kenneth (1249496) | more than 6 years ago | (#22787910)

Indeed. It is your fate to be a terrible warning to the younger generation of the perils of locking yourself into a single vendor's closed proprietary system. If you make a ginormous effort it might be possible to get it replaced with a libre alternative, but doubtless there will be interop and TCO reasons to stay with everything on that one vendor - cos your web apps would need to be rewritten to support the different backend, and then you won't be able to use whatever gold-plated handcuffs MS have up their sleeve to keep you on the junk at that point. You have my sympathy.

Re:Secure Platform without Anti-virus (1)

icydog (923695) | more than 6 years ago | (#22789336)

I need to run MS SQL server, it's the only one that my company's workflow software will run on.

What is this software that you run? Even Microsoft's own solution, Dynamics AX, runs and is fully supported on Oracle.

Re:Secure Platform without Anti-virus (1)

Nimey (114278) | more than 6 years ago | (#22786428)

If only I could get my Apple //c on the Internet.

Re:Secure Platform without Anti-virus (4, Funny)

SQLGuru (980662) | more than 6 years ago | (#22786890)

Apparently, you're just too lazy to work on it.....this guy went so far as to make an Apple II web server:
http://www.ld8.org:6502/ [ld8.org]

Or a list of other older Apple hardware http://www.ld8.org/servers/servers_apple2.html [ld8.org]

Layne

Re:Secure Platform without Anti-virus (1)

Nimey (114278) | more than 6 years ago | (#22787154)

That's a //e. The difference is that the //c isn't expandable, aside from some hacks for extra memory or a faster processor. They're making that work by using a custom expansion card (Uthernet) in one of the //e's slots.

Re:Secure Platform without Anti-virus (2, Informative)

DaveWick79 (939388) | more than 6 years ago | (#22786824)

Did anyone read TFA and realize that of the programs that were known to be vulnerable, the majority were various brands of Linux?

Re:Secure Platform without Anti-virus (2, Insightful)

orclevegam (940336) | more than 6 years ago | (#22787002)

Did anyone read TFA and realize that of the programs that were known to be vulnerable, the majority were various brands of Linux?
Actually Linux isn't vulnerable, but some of the common utilities are. Upgrading bzip2 and tar to the latest versions should fix any vulnerabilities. Also hit hard it seems was Symantec with the common library all their utilities use for handling compressed files being compromised, and hence virtually all of their products across the board.

Re:Secure Platform without Anti-virus (1)

DaveWick79 (939388) | more than 6 years ago | (#22791600)

The compatibility list didn't go into detail on what portion of the software was affected. I just noticed that MS was pronounced as unaffected and yet many linux distros were? Just making the point that it's not always MS stuff that gets hit by the bug. I would have thought that whoever made the bzip2 and tar software would have been mentioned rather than the distro if that were the only issue.

Actually the article linked to stated that Symantec tested all their products against the bug, and found that it was not affected. Where did you get your info about them from?

Re:Secure Platform without Anti-virus (1)

rtaylor (70602) | more than 6 years ago | (#22789422)

Really? Any platform that allows you to execute binaries, scripts, or other code as a normal user with minimal permissions is going to be a problem.

Oddly enough, people don't care about the OS. They care more about the data files in their home directory than anything else.

Re:Secure Platform without Anti-virus (1)

Torvaun (1040898) | more than 6 years ago | (#22790620)

That's not odd, an OS is easy to replace. Data is where things get difficult/expensive.

Question (1, Funny)

TheMeuge (645043) | more than 6 years ago | (#22785688)

So is this evolution, or intelligent design?

Re:Question (1)

Missing_dc (1074809) | more than 6 years ago | (#22786274)

IMO, it is evolution, since it appears to be a challenge-response environment, they did not design viruses from the start to crash antivirus software 30 years in the future.

why bother checking archives anyways? (1)

JeanBaptiste (537955) | more than 6 years ago | (#22785706)

... isn't a real-time scanner going to catch it when you try to extract/use it?

Re:why bother checking archives anyways? (2, Informative)

thyrf (1059934) | more than 6 years ago | (#22785826)

It needs to be identified as such first anyway and that's what's crashing it.

There's breakage and there's breakage (5, Informative)

davidwr (791652) | more than 6 years ago | (#22785876)

There's

1. "I had an exception processing file ABC.ZIP, skipping file,"
2. Crashing and dying without handling the exception, and
3. Being exploited due to an unexpected condition.

The first lets viruses hide in carefully-mis-crafted archives.
The second lets viruses deactivate antivirus software.
The third lets viruses 0wn j00.

Some AV software is smart enough to log instances of #1.

Re:There's breakage and there's breakage (0)

Anonymous Coward | more than 6 years ago | (#22786278)

Really smart AV software would run the decompressing and scanning code in another process so #2 and possibly #3 could be logged as well.

Re:There's breakage and there's breakage (5, Interesting)

mea37 (1201159) | more than 6 years ago | (#22786722)

Really smart AV software wouldn't make assumptions about the contents of the file (eliminating #3), would always check for exceptions (eliminating #2), and would treat a processing exception pretty much like a virus (neutralizing #1).

Very little software in practice is that smart. But with AV, you know you're at war with the file you're scanning. Any AV vendor caught by this should be embarrassed.
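What "not making assumptions about the contents of the file" (mea37) looks like for one real archive format, and how it removes davidwr's case #3, as an added example that is not part of the thread and not code from OUSPG, F-Secure or any vendor: a ZIP central-directory walker in which every length and offset read from the file is range-checked against the bytes actually present before it is used, and every structural lie (header running past the directory, local data overlapping the directory, declared size or CRC not matching, a path that escapes the extraction root, an implausible inflation ratio) is reported as a rejection instead of an IndexError, a struct.error, an over-allocation or an endless loop. The two limits, the sample archives and the `build_zip` helper that constructs them are assumptions of the example.

```python
import struct
import zlib

# Record signatures from the ZIP spec; the two limits are policy choices made
# for this example, not values from any vendor's product.
CDIR_SIG, LFH_SIG, EOCD_SIG = b"PK\x01\x02", b"PK\x03\x04", b"PK\x05\x06"
MAX_ENTRIES = 10_000   # refuse directories that would take forever to walk
MAX_RATIO = 200        # declared inflation ratio above which we call it a bomb


class MalformedArchive(ValueError):
    """Any structural violation. A scanner should treat it like a detection."""


def _need(buf, off, n, what):
    """Bounds-check [off, off+n) against the bytes we really have, before use."""
    if off < 0 or n < 0 or off + n > len(buf):
        raise MalformedArchive(f"{what}: [{off},{off + n}) lies outside the {len(buf)}-byte file")


def parse_zip(buf: bytes) -> list:
    """Walk the central directory, cross-check every entry, return entry dicts."""
    # Search backwards for the EOCD, but only over the 64 KiB the spec allows
    # for a trailing comment, so a hostile file cannot make us scan gigabytes.
    eocd = buf.rfind(EOCD_SIG, max(0, len(buf) - 22 - 0xFFFF))
    if eocd < 0:
        raise MalformedArchive("no end-of-central-directory record")
    _need(buf, eocd, 22, "EOCD")
    n_total, cd_size, cd_off = struct.unpack_from("<HII", buf, eocd + 10)
    if n_total > MAX_ENTRIES:
        raise MalformedArchive(f"{n_total} entries exceed the policy limit")
    _need(buf, cd_off, cd_size, "central directory")
    if cd_off + cd_size > eocd:
        raise MalformedArchive("central directory overlaps the EOCD record")
    entries, pos, cd_end = [], cd_off, cd_off + cd_size
    for i in range(n_total):
        _need(buf, pos, 46, f"central header {i}")
        if buf[pos:pos + 4] != CDIR_SIG:
            raise MalformedArchive(f"bad central header signature at offset {pos}")
        (method, crc, csize, usize, name_len, extra_len, comment_len,
         lfh_off) = struct.unpack_from("<H4xIIIHHH8xI", buf, pos + 10)
        hdr_end = pos + 46 + name_len + extra_len + comment_len
        if hdr_end > cd_end:
            raise MalformedArchive(f"entry {i}: name/extra/comment run past the directory")
        name = buf[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if name.startswith(("/", "\\")) or ".." in name.replace("\\", "/").split("/"):
            raise MalformedArchive(f"{name!r}: path escapes the extraction root")
        if csize and usize // csize > MAX_RATIO:
            raise MalformedArchive(f"{name!r}: declared ratio {usize // csize}:1 looks like a bomb")
        # The local header must exist, match, and its data must end before the
        # central directory begins: no region of the file may overlap another.
        _need(buf, lfh_off, 30, f"local header for {name!r}")
        if buf[lfh_off:lfh_off + 4] != LFH_SIG:
            raise MalformedArchive(f"{name!r}: bad local header signature")
        l_name, l_extra = struct.unpack_from("<HH", buf, lfh_off + 26)
        data = lfh_off + 30 + l_name + l_extra
        if data + csize > cd_off:
            raise MalformedArchive(f"{name!r}: data [{data},{data + csize}) overlaps the directory")
        payload = buf[data:data + csize]
        if method == 0:
            plain = payload
        elif method == 8:   # inflate at most usize+1 bytes: a lying header cannot over-allocate us
            plain = zlib.decompressobj(-15).decompress(payload, usize + 1)
        else:
            raise MalformedArchive(f"{name!r}: unsupported compression method {method}")
        if len(plain) != usize or zlib.crc32(plain) != crc:
            raise MalformedArchive(f"{name!r}: size or CRC disagrees with the header")
        entries.append({"name": name, "size": usize, "data": plain})
        pos = hdr_end
    return entries


def verify_zip(buf: bytes) -> tuple:
    """Fail closed: ('ok', names) or ('reject', reason). Nothing is skipped silently."""
    try:
        return "ok", [e["name"] for e in parse_zip(buf)]
    except (MalformedArchive, zlib.error) as exc:
        return "reject", str(exc)


def build_zip(files) -> bytes:
    """Constructed sample data: a minimal deflated archive from (name, bytes) pairs."""
    out, cdir = bytearray(), bytearray()
    for name, plain in files:
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        comp, nm, off = c.compress(plain) + c.flush(), name.encode(), len(out)
        fields = (zlib.crc32(plain), len(comp), len(plain), len(nm), 0)
        out += LFH_SIG + struct.pack("<HHHHHIIIHH", 20, 0, 8, 0, 0, *fields) + nm + comp
        cdir += CDIR_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 8, 0, 0, *fields, 0, 0, 0, 0, off) + nm
    cd_off = len(out)
    out += cdir + EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, len(files), len(files), len(cdir), cd_off, 0)
    return bytes(out)


# Constructed samples: one sane archive and three that lie about their structure.
GOOD = build_zip([("readme.txt", b"hello " * 40), ("a/b.bin", bytes(range(256)))])
BAD_NAME_LEN = bytearray(GOOD)   # first central header's name_len -> 0xFFFF
struct.pack_into("<H", BAD_NAME_LEN, struct.unpack_from("<I", GOOD, len(GOOD) - 6)[0] + 28, 0xFFFF)
BOMB = build_zip([("zeros.bin", bytes(300_000))])
TRAVERSAL = build_zip([("../../etc/cron.d/job", b"* * * * * root id")])

if __name__ == "__main__":
    print(*(verify_zip(s) for s in (GOOD, bytes(BAD_NAME_LEN), BOMB, TRAVERSAL, b"junk")), sep="\n")
```

The point of the design is that the only numbers the code trusts are the ones it has already bounded: the EOCD search window, the directory size, each header's variable-length tail, the local header offset and the data extent are all checked against `len(buf)` or against each other before a slice or `unpack_from` is issued, and the inflater is given a hard ceiling taken from the header it is about to verify. A scanner built on this can afford to be strict because a rejection is itself a useful result: a file that cannot be parsed is a file whose contents cannot be vouched for.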

Re:There's breakage and there's breakage (1)

orclevegam (940336) | more than 6 years ago | (#22786972)

The IDS software I run blocks access to any file that it can't scan unless you specifically allow access to that file. It scared me a bit the first time I ran it because it reported a couple possible infections, but after looking at the details I realized it had flagged them because an open for read had failed (they were locked by another application).

Re:There's breakage and there's breakage (0)

Anonymous Coward | more than 6 years ago | (#22786682)

Last time I looked - Mailscanner

1. AV took too long to process file - blocked
2. AV crashed checking file - blocked
3. AV process owned ( not root ) good luck with that

Proofread? (1)

Missing_dc (1074809) | more than 6 years ago | (#22785918)

"It isn't news that security products can have have security vulnerabilities."

While two negatives make a positive, two positives do not make a negative.

Re:Proofread? (4, Insightful)

gnasher719 (869701) | more than 6 years ago | (#22785990)

While two negatives make a positive, two positives do not make a negative.
Yeah, right.

You Win (0)

Anonymous Coward | more than 6 years ago | (#22786198)

You win, gnasher719. As far as I'm concerned, you have just won the internet.

Re:Proofread? (1)

Missing_dc (1074809) | more than 6 years ago | (#22786214)

That would not count, as the positives in your rebuttal would be affected with a separation clause and it's accompanied pause.

Re:Proofread? (1, Informative)

Anonymous Coward | more than 6 years ago | (#22786382)

You're not allowed to join a grammar conversation unless you know the difference between "it's" and "its."

Re:Proofread? (1)

phulegart (997083) | more than 6 years ago | (#22786610)

Hearing
"I'm positively furious at you young man, and I'm positive your father is going to take the belt to you when he hears about this!"

Created some rather negative feelings in me, growing up... but otherwise I agree.

Re:Proofread? (1)

Redneck Hacker (1105905) | more than 6 years ago | (#22787582)

While two negatives make a positive, two positives do not make a negative.
Sure they do; it's called overflow. For example, x7FFF + x0002 = x8001. In 16-bit 2's complement, that translates to 32767 + 2 = -32767.

Archive Formats Kill Antivirus Products (1)

spacemky (236551) | more than 6 years ago | (#22785926)

RIP Symantec AntiVirus; Oh AVG, how I will miss you!

Re:Archive Formats Kill Antivirus Products (2, Informative)

Anonymous Coward | more than 6 years ago | (#22787520)

RIP Symantec AntiVirus; Oh AVG, how I will miss you!
If you had bothered to read the article, you'd know that Symantec AV is not affected and it is unknown if AVG is affected.

Old Problem (4, Informative)

Detritus (11846) | more than 6 years ago | (#22785996)

Similar problems have appeared in other file formats and packet formats. Even without deliberate attacks, data corruption can crash applications and systems that are insufficiently paranoid about the data that they receive and process. Do you want it fast or do you want it correct?

Re:Old Problem (2, Insightful)

Xtravar (725372) | more than 6 years ago | (#22786638)

Do you want it fast or do you want it correct?
Do I want it fast 99.99999999% of the time with a 0.00000001% chance of incident, or do I want it slow 100% of the time with a 0% chance of incident?

If correcting the repercussions of the incident takes less time than the total time lost by doing things the correct way, then I will take the fast way, please.

Re:Old Problem (2, Insightful)

DRAGONWEEZEL (125809) | more than 6 years ago | (#22786922)

You just did "Cost benefit analysis" or sometimes called Risk Analysis.

That is the same thing that says, do I leave an unsecured wireless AP, or a lightly secured WEP AP that shows I did at least due diligence?

For personal Machines, I'd take the fast way, for sure, assuming data is backed up regularly.

For corporate machines,(in general, Caveat emptor, and risk assessment would need to be performed on a per machine basis.) I wouldn't trust an ice cube's chance in hell (hey, what if Satan has a freezer?), it'd be slow and working 100% or not implemented. (again, for the most part)

The thing is, a great amount of work can be lost (or stolen) in just a day's time. Also, most people don't save (or backup) incrementally throughout the day, they save at the end of the day and if they are really good, sometimes at lunch too.

Hell, I am a computer nerd, and I only back up quarterly. (in addition to saving most "true work" to the network drives)

Re:Old Problem (1)

call-me-kenneth (1249496) | more than 6 years ago | (#22788112)

Older than you think [mitre.org] , perhaps.

What really gets me is that every couple of years the University of Oulu Secure Programming Group comes out with another few dozen application vulnerabilities they've found by just fuzzing a new protocol. First they did SNMP, the ASN (part of OpenSSL, to a first approximation), H.323 ... I don't know who's got tenure over there, but damn! I'm glad they're on our side.

Can't wait. (0, Redundant)

flatcat (464267) | more than 6 years ago | (#22786112)

Click here to install our crack for xyz software ( test material from OUSPG )
If that did not work click here for our other version ( install virus of choice )
    Small chance you will need this version ;) since we are great coders.

Sounds like fun.

Re:Can't wait. (1)

orclevegam (940336) | more than 6 years ago | (#22786482)

Click here to install our crack for xyz software ( test material from OUSPG )
If that did not work click here for our other version ( install virus of choice )
Small chance you will need this version ;) since we are great coders.
Huh, my AV software just crashed, my IDS is throwing a fit, and my registry monitor is blocking a bunch of changes to the startup keys. Something tells me I don't want to run this installer. Guess I need to reset this VM instance back to baseline.

isn't this where unix shines (1)

RiotingPacifist (1228016) | more than 6 years ago | (#22786602)

It is run in critical places with high privileges and auto-updates to keep versions coherent.
run tar at low privileges, then scan the pipe like a normal file.
for most files there's no need to give the scanner any privileges
only needs read access to itself and system files 90% of the time.

in fact even on windows, why do virus scanners need high privileges?

Re:isn't this where unix shines (1)

Joe The Dragon (967727) | more than 6 years ago | (#22786858)

so they can scan stuff at system level, update themselves without needing an admin to log on to the system, to be able to delete files, make it so that limited users can turn off the scanners, and so on.

Re:isn't this where unix shines (1)

RiotingPacifist (1228016) | more than 6 years ago | (#22787228)

But it won't need root to scan them, it only needs root to act on the results. Surely a master process can run the tar and scan programs, then if it finds a file, decide if it needs root to fix it; if it does, then it launches the fixer with root privileges. As for auto-update, a similar technique could be employed, although with advanced user privileges (I think Vista has them), you could launch an update program without root, but with access to update the program and nothing else (especially not itself).

I always asked for confirmation before the scanner did anything, so in that case it wouldn't even need root, it would only need to be able to ask for root.

Re:isn't this where unix shines (1)

afidel (530433) | more than 6 years ago | (#22786862)

I'm guessing it's because they run as a filesystem filter driver and so need privileges to attach to the filesystem layer. They also need to poke about in memory and attach to running processes (e.g. attach to Outlook to scan incoming mail). It should be possible to separate the data capture portion from the analysis portion, but it would probably be much harder to design and test.

Re:isn't this where unix shines (1)

RiotingPacifist (1228016) | more than 6 years ago | (#22787368)

Isn't that exactly where a Unix approach would pay off?
A root Outlook looker looks at Outlook (but the looker is small, so hard to exploit).
A non-root unzip unzips and passes it on.
A non-root scanner scans the file, then passes on the conclusion.
A root cleaner takes any actions (may not even need root).

By reducing the code that runs with root privileges, you reduce the chances of an exploit in root code.

Re:isn't this where unix shines (2, Informative)

Ephemeriis (315124) | more than 6 years ago | (#22787380)

In fact, even on Windows, why do virus scanners need high privileges?
Typically, on a Windows system, antivirus software will embed itself into the operating system fairly deeply. They usually scan all file I/O in real-time, watch memory for suspicious things, and sandbox much of what is run. It isn't as simple as just scanning files here and there. Most Windows antivirus software installs itself (or parts of itself) as a service and starts running even before the shell comes up.

Bad programming (2, Interesting)

dabadab (126782) | more than 6 years ago | (#22786738)

You DO test your product with malformed archives, don't you? I know I do. And our product - if possible at all - ignores the problems and extracts the archive anyway, or if it's borked beyond recovery then reports it as such. But crashing?... Please.

Surprise Surprise (1)

angus_rg (1063280) | more than 6 years ago | (#22787056)

F-Secure blog just reported more breaking news: It could rain today......

It has been years since the viral jpeg, pdf, etc, etc, and viruses have been getting packed in archival formats to avoid detection for ages. I can't say this is earth shatteringly surprising news.

Confused as to the severity of this. (1)

v(*_*)vvvv (233078) | more than 6 years ago | (#22788326)

A zip file can crash the anti-virus software when it tries to scan it? Is that what this is about? But why does it have to be an archived file, and not just any file? I was under the impression that any file could possibly crash any program that trips over an unexpected error....

Also, if you need to unzip a random file for the virus to release, then how is that much different from your typical .exe attachments that you're not supposed to execute?

That's been going on for ages!!! (4, Interesting)

mrmeval (662166) | more than 6 years ago | (#22788974)

My favorite is using pkzip to zip up a ~200meg+ file to kill automated virus checkers. ;) The hard drives in the heyday of command line pkzip were small, and this would kill some twit's BBS because the virus checker would blindly unzip the file then check it, without checking that it would fill the drive. The next version of the software just looked at what the zip file said... but you could edit the zip to say anything and it would still decompress the whole file.
The next version did fix that finally...for pkzip. ;)

Using social engineering that is rather inept by today's standards, I convinced several people on usenet to not read the text telling that it could cause problems but to just blindly open the doubly zipped file (it gets smaller when doubly zipped a certain way, so I made it 2G to start).

I did the same thing with PGP which could allow one to kill an encrypted anonymous remailer and I also nailed several people by posting the PGP message with a passphrase. PGP compresses files prior to encryption. I didn't mess with the remailer without asking permission. The person running it was a bit surprised.

Linux commands:
dd if=/dev/zero of=hi bs=1024 count=200512
zip hi.zip hi
Result -rw-r--r-- 1 bogus bogus 199411 2008-13-48 18:04 hi.zip

zip -9 ho.zip hi.zip
Result -rw-r--r-- 1 bogus bogus 846 2008-30-81 18:13 ho.zip
I'm not sure why but using -9 to start does not make the original super small it only works the second time.

If you want to assault a fractal compressor, just insert a non-finite automata and have at them. You get points if it's video and draws frame after frame of something inappropriate.
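The defender's side of the failure described in this post (a checker that trusts the zip header's declared size, or unpacks until the disk fills) is to inflate with a hard budget on the bytes actually produced and compare that count against the header's claim. This is an added example, not code from the post or from any vendor; the 1 MiB budget, the 64 KiB step, and the 8 MiB all-zero sample are constructed for the demo.

```python
import zlib

# Budget and step size are choices for this demo, not settings from any product.
MAX_OUTPUT = 1 << 20      # refuse to hold more than 1 MiB of inflated data per entry
STEP = 64 * 1024          # inflate at most 64 KiB per call, so overshoot is bounded

def raw_deflate(data: bytes, level: int = 9) -> bytes:
    """Compress with raw DEFLATE (wbits=-15), the encoding inside a zip entry.
    Used only to build the constructed samples below."""
    c = zlib.compressobj(level, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()

def bounded_inflate(compressed: bytes, declared_size: int,
                    max_output: int = MAX_OUTPUT, step: int = STEP):
    """Inflate a raw DEFLATE stream while counting the bytes actually produced.
    declared_size is what the archive header claims. It is checked against
    reality, never used to size a buffer or to decide whether to unpack.
    Returns (status, produced) with status one of:
      'ok'          output matched the header and stayed within budget
      'header-lies' output disagrees with the declared size
      'over-budget' honest header, but more data than we are willing to hold
      'truncated'   stream ended before the final DEFLATE block
    """
    budget = min(declared_size, max_output)
    inflater = zlib.decompressobj(-15)
    pending = compressed
    produced = 0
    while not inflater.eof:
        chunk = inflater.decompress(pending, step)   # never more than `step` bytes
        pending = inflater.unconsumed_tail           # input zlib has not reached yet
        produced += len(chunk)
        if produced > budget:
            status = "header-lies" if produced > declared_size else "over-budget"
            return status, produced
        if not chunk and not pending:
            return "truncated", produced
    if produced != declared_size:
        return "header-lies", produced
    return "ok", produced

# Constructed sample: 8 MiB of zeros, the same shape as the dd output in the post.
ZERO_BLOB = b"\0" * (8 << 20)
COMPRESSED = raw_deflate(ZERO_BLOB)        # a few KiB compressed, 8 MiB inflated

def demo():
    honest = bounded_inflate(COMPRESSED, len(ZERO_BLOB))   # truthful header, too big
    forged = bounded_inflate(COMPRESSED, 1024)             # header claims only 1 KiB
    benign = bounded_inflate(raw_deflate(b"hello world"), 11)
    return honest, forged, benign
```

The honest case stops after roughly 1 MiB of output without ever holding the full 8 MiB; the forged case is caught as soon as real output passes the header's claim.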

40 vendors? No, F-Secure got you with its spin (0)

Anonymous Coward | more than 6 years ago | (#22790342)

This is why you should link the original FA and not a self-interested blog post. Out of 40 or so products listed, most of which have no confirmation either way, F-Secure was the only AV confirmed to be vulnerable. The handful of other vulnerable products are simple archive readers like 7zip or related functionality in operating systems -- likely at the end of the day you'll find that the vulnerability was developed against zlib and as a result anything that uses it will be vulnerable too.

Re:40 vendors? No, F-Secure got you with its spin (0)

Anonymous Coward | more than 6 years ago | (#22792702)

Or rather they were the only one man enough to admit they had bugs. Reading the university webpage, they tested 5 anti-virus products and 4 failed (the fifth supported only a small subset of archive formats in the first place, missing e.g. bz2, which had a generic bug in the reference implementation).
If you want to know for sure, download the test suite and run it through your AV software. If it's fine, try an older version (say 6-12 months old) and retest. If either of them fails, your vendor is just covering their asses and has silently fixed bugs in an auto-update.

It's not lupus? (1)

Wiseman1024 (993899) | more than 6 years ago | (#22793056)

Isn't a program that compromises your antivirus and makes it attack your system an autoimmune disease? It could be lupus!