It appears that F-Secure
http://www.f-secure.com/weblog/archives/00001949.html
Trend
http://countermeasures.trendmicro.eu/you-just-cant-trust-a-drunk/
Sophos
http://www.sophos.com/blogs/gc/g/2010/05/11/khobe-vulnerability-game-security-software/
and ESET
http://www.eset.com/blog/2010/05/11/khobe-wan-these-arent-the-droids-youre-looking-for
have posted their 'is-the-game-over' type response.

Juha-Matti

Nick FitzGerald [[email protected]] wrote:
> Rich Kulawiec wrote:
>
> > I'm not qualified to evaluate this research on its technical merits,
> > but I believe that some of you are.
>
> It's a race attack against a classic TOCTTOU (pr. "tock-too"; time-of-
> check-to-time-of-use) vuln.
>
> The advisory's authors apparently don't know that terminology, but it's
> a class of security vulnerability that has been known for about as long
> as we've known about security vulnerabilities. IIRC (never actually
> laid eyes on the report myself) this is one of the categories in the
> (in)famous RISOS Project (Research In Secured Operating Systems)
> reports from the early 70s. The typical "fix" to avoid such
> possibilities is use of a critical section (it's why they were
> invented, I think) or to make special atomic functions that are
> effectively chains of "smaller" functions. Neither is
> reasonable/possible here -- as I understand the advisory, the code that
> needs protection against this TOCTTOU can be arbitrarily pre-empted by
> the scheduler and it would (probably) take significant re-architecting
> of Windows to provide an atomic function for this special anti-malware
> purpose (and that would have to be made non-pre-emptible).
>
> The advisory's authors suggest they have a solution, but they only make
> that information available to their paying clients.
>
>
>
> Regards,
>
> Nick FitzGerald
> _______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
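
A minimal single-threaded illustration of the TOCTTOU class discussed in this thread, added here as an example and not taken from the advisory or from any poster. The scheduler pre-emption is simulated with a callback so the outcome is deterministic; every function name, the policy check and the file names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32

/* Hypothetical policy: a stand-in for the check a security hook performs. */
static int is_allowed(const char *name) {
    return strcmp(name, "blocked.exe") != 0;
}

/* Models the instant at which the scheduler may pre-empt the checker. */
typedef void (*window_fn)(char *shared);
static void no_change(char *shared) { (void)shared; }
static void swap_argument(char *shared) { snprintf(shared, NAME_LEN, "%s", "blocked.exe"); }

/* Check-then-use on caller-writable memory: two reads, so the value used
 * can differ from the value that was checked. Returns 0 if "opened". */
static int open_checked_in_place(char *shared, window_fn window, char *used) {
    if (!is_allowed(shared)) return -1;        /* time of check */
    window(shared);                            /* race window */
    snprintf(used, NAME_LEN, "%s", shared);    /* time of use */
    return 0;
}

/* One read into private memory; check and use both see that snapshot. */
static int open_checked_snapshot(char *shared, window_fn window, char *used) {
    char local[NAME_LEN];
    snprintf(local, sizeof local, "%s", shared);
    if (!is_allowed(local)) return -1;
    window(shared);                            /* change no longer matters */
    snprintf(used, NAME_LEN, "%s", local);
    return 0;
}

int main(void) {
    char shared[NAME_LEN] = "benign.exe", used[NAME_LEN] = "";
    open_checked_in_place(shared, no_change, used);
    printf("in place, no race: %s\n", used);
    open_checked_in_place(shared, swap_argument, used);
    printf("in place, raced:   %s\n", used);
    snprintf(shared, sizeof shared, "%s", "benign.exe");
    open_checked_snapshot(shared, swap_argument, used);
    printf("snapshot, raced:   %s\n", used);
    return 0;
}
```

The snapshot variant only closes the window when the operation that follows consumes the private copy; a checker that validates a copy and then hands the original caller-writable buffer to another routine still has two reads.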
