Interesting articles below relate how anti-malware programs should long ago have abandoned using SSDTs (System Service Descriptor Tables), which many continue to use - and apparently so does Avast (it’s in the vulnerable list).
“In theory, your antivirus software is worthless”
http://blogs.chron.com/techblog/archives/2010/05/in_theory_your_antivirus_software_is_worthless_1.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+houstonchronicle%2Ftechblog+(TechBlog)
(short URL: http://preview.tinyurl.com/28hprt4)
“New attack bypasses virtually all AV protection”
“Bait, switch, exploit!”
http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass/
Avast is in the list of vulnerable products at:
http://www.matousec.com/info/advisories/khobe-8.0-earthquake-for-windows-desktop-security-software.php
(short URL: http://preview.tinyurl.com/2agouty)
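The advisories linked above describe the “argument switch” race against SSDT hooks, but nothing in this thread actually shows it. The following is an added illustration written for this page, not code from Avast, Matousec or The Register: a user-space C simulation of an SSDT-style hook that validates the caller's buffer in place and then forwards the same pointer, a second thread that keeps flipping that buffer between a permitted and a forbidden path, and a hardened hook that snapshots the argument once and checks and uses only the snapshot. The path strings, the policy and the function names are invented for the example; a real exploit races the kernel's re-read of user memory, not a buffer in the same process.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

/* Constructed stand-in for the user-mode buffer a caller passes to a hooked
 * system service (a path). In the real attack this is user memory that the
 * hook reads once to check and the original service reads again to use. */
#define ARG_LEN 32
static volatile char user_arg[ARG_LEN] = "C:\\benign.txt";

/* Invented paths: one the policy allows, one it must never let through. */
static const char BENIGN[]    = "C:\\benign.txt";
static const char PROTECTED[] = "C:\\protected.sys";

/* Byte-wise compare that genuinely re-reads the (possibly racing) buffer. */
static int arg_equals(const volatile char *p, const char *lit)
{
    for (;; p++, lit++) {
        char c = *p;
        if (c != *lit) return 0;
        if (c == '\0') return 1;
    }
}

/* The security product's policy: only the benign path may be opened. */
static int policy_allows(const volatile char *path) { return arg_equals(path, BENIGN); }

/* The protected operation. Returns 1 if the forbidden object was reached. */
static int real_service(const volatile char *path) { return arg_equals(path, PROTECTED); }

/* Vulnerable hook in the style the advisory describes: check the caller's
 * buffer in place, then forward the same pointer. Check and use are two
 * separate fetches of user memory, so another thread can swap the bytes in
 * between (the "argument switch"). */
int hooked_service_vulnerable(const volatile char *arg)
{
    if (!policy_allows(arg))        /* fetch 1: check */
        return -1;                  /* blocked by policy */
    return real_service(arg);       /* fetch 2: use, may see different bytes */
}

/* Hardened hook: capture the argument into private memory once, then check
 * and use that single snapshot. The kernel-side equivalent is copying user
 * data into kernel memory before validating it and never re-reading the
 * user buffer. */
int hooked_service_hardened(const volatile char *arg)
{
    char snapshot[ARG_LEN];
    for (int i = 0; i < ARG_LEN; i++) snapshot[i] = arg[i];
    snapshot[ARG_LEN - 1] = '\0';
    if (!policy_allows(snapshot))
        return -1;
    return real_service(snapshot);
}

/* Overwrite the shared argument byte by byte, as a racing thread would. */
static void set_arg(const char *s)
{
    int i = 0;
    for (; s[i] != '\0' && i < ARG_LEN - 1; i++) user_arg[i] = s[i];
    user_arg[i] = '\0';
}

static atomic_int flipper_stop;

/* Attacker thread: flips the argument between benign and forbidden forever. */
static void *flipper(void *unused)
{
    (void)unused;
    while (!atomic_load(&flipper_stop)) {
        set_arg(PROTECTED);
        set_arg(BENIGN);
    }
    return NULL;
}

/* Drive `iters` calls through `hook` while the flipper runs; return how many
 * calls reached the protected object despite the hook. -1 on thread error. */
int count_bypasses(int (*hook)(const volatile char *), int iters)
{
    pthread_t t;
    int bypasses = 0;
    atomic_store(&flipper_stop, 0);
    if (pthread_create(&t, NULL, flipper, NULL) != 0) return -1;
    for (int i = 0; i < iters; i++)
        if (hook(user_arg) == 1) bypasses++;
    atomic_store(&flipper_stop, 1);
    pthread_join(t, NULL);
    return bypasses;
}

int main(void)
{
    int v = count_bypasses(hooked_service_vulnerable, 200000);
    int h = count_bypasses(hooked_service_hardened, 200000);
    printf("vulnerable hook: %d of 200000 calls reached the protected object\n", v);
    printf("hardened hook:   %d of 200000 calls reached the protected object\n", h);
    return 0;
}
```

Build with `cc -pthread race.c`. The number of bypasses through the vulnerable hook depends on core count and scheduling (on a single core it can be zero), which is exactly why this class of bug is easy to miss in testing; the hardened hook can never report a bypass, because the bytes it checks are the bytes it uses.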
Don’t panic about Matousec; in fact, that’s what he wants… It’s already discussed here:
http://forum.avast.com/index.php?topic=59522.0
I did a search on “register” and “register.co” but didn’t get that other forum thread in the search results. Guess the search here won’t work on substrings. Oh well.
Not much info in that other-forum thread, though. The other-forum thread (at wilderssecurity) isn’t of any value. It’s just some boob lambasting someone without proof, like claiming that Matousec stole someone else’s proof of concept but giving no evidence. The vulnerability in SSDTs was known for a long time, and it wasn’t Matousec who claimed to have just discovered it. No one discovers anything without some prior information, so of course Matousec didn’t discover the SSDT problem. Andrey doesn’t give credence to his claim that Matousec stole someone else’s POC code, though. He/she spews out a bunch of conjectures, no proof, and not even rational suppositions.
What I haven’t seen before is an actual test case to show the vulnerability, but then my expertise is not in this field, so I could have easily missed it. As to Andrey’s tirade in the other forum, his tone discredits his claims. Considering this poster has made a whopping total of just 7 posts over there (all in one thread) and this other post, he isn’t an established regular that I would trust, and he also appears, in that thread, to be a malcontent who simply wants to attack someone. Yes, there was prior information about the vulnerability, but it was so well known that it would be ridiculous to quote everyone who had mentioned it before (and also track where THEY got their information). When you note a safety issue with, say, a surge protector that goes aflame, you don’t go citing how the plastic was manufactured, how MOVs work, and every piece of data as though you discovered the problem in complete isolation.
“Already discussed here” is misleading because nothing of this issue has been discussed here (or in the link to the other forum that you gave). Your “discussion” is, so far, one other referenced thread here, which said nothing, that had a link to a thread in another forum by a ranter. Sorry, but that doesn’t qualify as a discussion. I thought VLK’s response might’ve been a joke. “Not really. Unless the malware is already loaded, none of this is really an issue…” Uh huh, well, that’s always the case with any malware: if it ain’t loaded then it ain’t a problem. What doesn’t exist on your host can’t affect it.
Yes, it’s an old vulnerability with [perhaps] a new POC available to expose that vulnerability. Since it’s so old, why hasn’t Avast addressed it yet? Because they didn’t feel they needed to until someone cropped up to utilize the vulnerability.
Vlk is not joking.
Is Matousec joking with us?
There’s been a lot of discussion here and elsewhere about the unrealistic “warnings” and supposed alerts from Matousec. I wouldn’t be at all surprised if, one day in the foreseeable future, they wind up on one or more rogue lists and/or set of blocked URLs.