[iwar] AV software exploits on the horizon?

From: Junkmail Rosenberger (junkmail@barnowl.com)
Date: 2002-02-07 13:47:31



Heads up.

The state of New York sued Network Associates, Inc. today for deceptive
practices.  To wit: NAI claims censorship rights over anything remotely
labeled as a "product review."  See
http://www.oag.state.ny.us/press/2002/feb/feb07a_02.html for details.

I agree strongly with NY's lawsuit.  HOWEVER, I wonder if the resulting PR
may finally bring attention to the many unacceptable vulnerabilities lurking
in AV software.  We must accept the fact AV exploits still sound like a "new
thing" to the world.  European virus expert Andreas Marx, for example,
realized the EIS exploits last year and published a paper in "Virus
Bulletin" before he ever learned of my work in this area.

If NY's lawsuit pours enough PR into the mainstream, it may spark a "hacker
reads, hacker talks, reporter writes, hacker reads, hacker talks, reporter
writes..." cycle.  This means we may finally see those attacks I fretted
about in 1999.

Forget the security holes for a moment.  Let's just talk about DoS attacks.
Marx feels many antivirus firms to this day overlook "DoS governors" for
their products despite my call for them in 1999.  We may finally see a
change if black hats start exploiting AV software vulnerabilities.


...This brings up an interesting question.  "What does Mr. Anti-Hysteria
think will happen?"  I'm glad you asked.

In the SHORT term, we may see one or two media-popularized attacks.
Ironically, such an attack will only work against those who protect
themselves with AV software.  I predict Pavlovian AV users will (a) update
their products in typical panicky fashion and then (b) applaud vendors for
"quickly" offering "updates."  (Savvy vendors will label them "updates"
instead of "patches."  The term "quickly" will gloss over events in the
previous millennium.)

In the MID term, we may see a wave of AV software vulnerability alerts.
Mind you, we already *do* see such alerts, but the AV community in general
tends to keep them out of the limelight.  (Microsoft would kill for the
vulnerability secrecy enjoyed by AV vendors.)  We can suppose these alerts
will force no more updating than already occurs in the AV user community.
Remember: we currently advise people to update their AV software 52-365
times per year.

In the LONG term, pursuit of AV software vulnerabilities will lead to safer
AV software.  Open source OSs enjoy a serious degree of safety because so
many people look for security flaws.  Closed-source OSs like Microsoft
products grow safer every day for exactly the same reason.


...I'll wrap up by restating my major point.  I agree with NY's lawsuit
against NAI but I wonder if its PR will alert hackers to pursue AV software
vulnerabilities.

Rob





This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:03 PST