Online Armor Firewall?
Anyone using the Online Armor firewall? At the moment I'm
using the free version, wondering if there's really any
reason to move to the paid version. What has your
experience been?
Also running NOD32 and various Spyware programs on a
regular, but not realtime, basis. Usually use Firefox with
NoScript - but I do need to use Outlook.
Louise
Straight Talk
12-04-07, 01:48 AM
On Mon, 03 Dec 2007 23:50:09 -0500, louise <louise@invalid.invalid>
wrote:
>Anyone using the Online Armor firewall? At the moment I'm
>using the free version, wondering if there's really any
>reason to move to the paid version.
There's always the reason of wasting some money. I'm just wondering
what reason you've found for even using the free one. Please
elaborate.
>Also running NOD32 and various Spyware programs on a
>regular, but not realtime, basis.
Bad. Realtime is the only thing that at least provides *some*
protection. Scanning for malware is nonsense. BTW, malware of any kind
is mainly a user-introduced problem.
>Usually use Firefox with
>NoScript -
Not so bad.
>but I do need to use Outlook.
Not so good.
Sebastian G.
12-04-07, 08:18 AM
louise wrote:
> Anyone using the Online Armor firewall? At the moment I'm
> using the free version, wondering if there's really any
> reason to move to the paid version. What has your
> experience been?
Sorry, the paid version also includes known vulnerabilities that the vendor
is unwilling to fix.
> but I do need to use Outlook.
Then why are you even discussing about security?
Sebastian G. wrote:
> louise wrote:
>
>> Anyone using the Online Armor firewall? At the moment I'm using the
>> free version, wondering if there's really any reason to move to the
>> paid version. What has your experience been?
>
>
> Sorry, the paid version also includes known vulnerabilities that the
> vendor is unwilling to fix.
>
>> but I do need to use Outlook.
>
> Then why are you even discussing about security?
Perhaps I manage to run my machine more successfully than you.
I have been running Outlook since it came into existence and
I have never had my system crash from malware or an
infection. I generally use safe hex, I use a good spam
filter which works with Outlook and the only crashes I've
had is the occasional hard drive failure. And yes, I've had
backups.
I can discuss security even though I run a program known for
vulnerabilities - and if you can't - then you can't talk to
most of the population - why are you even reading this
newsgroup?
Louise
Straight Talk wrote:
> On Mon, 03 Dec 2007 23:50:09 -0500, louise <louise@invalid.invalid>
> wrote:
>
>> Anyone using the Online Armor firewall? At the moment I'm
>> using the free version, wondering if there's really any
>> reason to move to the paid version.
>
> There's always the reason of wasting some money. I'm just wondering
> what reason you've found for even using the free one. Please
> elaborate.
>
>> Also running NOD32 and various Spyware programs on a
>> regular, but not realtime, basis.
>
> Bad. Realtime is the only thing that at least provides *some*
> protection. Scanning for malware is nonsense. BTW, malware of any kind
> is mainly a user-introduced problem.
>
>> Usually use Firefox with
>> NoScript -
>
> Not so bad.
>
>> but I do need to use Outlook.
>
> Not so good.
It alerts me when processes run, when programs have changed
etc. - with an NAT router, it seems to provide some added
protection, perhaps it's not necessary.
The new version of NOD32 presents itself as AV and
AntiSpyware but most think the spyware component is weak.
I can't run SAS because they can't create an interface that
adjusts to customized font sizes on windows and I can't ever
see the controls to use them because the interface is
incomplete. This has been going on since its inception and
I've contacted Nick a few times. He recognizes the problem
but has not fixed the coding.
I am confused. Many on this ng seem What real time
anti'spyware would you recommend - something that doesn't
eat resources?
Thanks.
Louise
Sebastian G.
12-04-07, 01:48 PM
louise wrote:
> Sebastian G. wrote:
>> louise wrote:
>>
>>> Anyone using the Online Armor firewall? At the moment I'm using the
>>> free version, wondering if there's really any reason to move to the
>>> paid version. What has your experience been?
>>
>> Sorry, the paid version also includes known vulnerabilities that the
>> vendor is unwilling to fix.
>>
>>> but I do need to use Outlook.
>> Then why are you even discussing about security?
>
> Perhaps I manage to run my machine more successfully than you.
Bullshit. The most reasonable assumption in this case is that your system is
compromised.
> I have been running Outlook since it came into existence and
> I have never had my system crash from malware or an
> infection.
Which doesn't mean anything, since malware does intend to hide.
> I generally use safe hex,
Which is mutually exclusive with using Outlook.
> I can discuss security even though I run a program known for
> vulnerabilities - and if you can't - then you can't talk to
> most of the population - why are you even reading this
> newsgroup?
Well, you may discuss, but it's useless. As long as one unavoidable trivial
attack vector exists, it's no use securing any other part of the system -
the attacker will simply use this attack vector.
bassbag
12-04-07, 03:48 PM
Sebastian G. wrote:
> louise wrote:
>
> > Anyone using the Online Armor firewall? At the moment I'm using
> > the free version, wondering if there's really any reason to move
> > to the paid version. What has your experience been?
>
>
> Sorry, the paid version also includes known vulnerabilities that the
> vendor is unwilling to fix.
What are these known vulnerabilities that the vendor is unwilling to
fix?
>
> > but I do need to use Outlook.
>
> Then why are you even discussing about security?
It's a security forum, isn't it?
me
--
bassbag
12-04-07, 03:50 PM
Sebastian G. wrote:
> louise wrote:
>
> > Sebastian G. wrote:
> > > louise wrote:
> > >
> > > > Anyone using the Online Armor firewall? At the moment I'm
> > > > using the free version, wondering if there's really any reason
> > > > to move to the paid version. What has your experience been?
> > >
> > > Sorry, the paid version also includes known vulnerabilities that
> > > the vendor is unwilling to fix.
> > >
> > > > but I do need to use Outlook.
> > > Then why are you even discussing about security?
> >
> > Perhaps I manage to run my machine more successfully than you.
>
>
> Bullshit. The most reasonable assumption in this case is that your
> system is compromised.
>
> > I have been running Outlook since it came into existence and I
> > have never had my system crash from malware or an infection.
>
>
> Which doesn't mean anything, since malware does intend to hide.
>
> > I generally use safe hex,
>
>
> Which is mutually exclusive with using Outlook.
>
> > I can discuss security even though I run a program known for
> > vulnerabilities - and if you can't - then you can't talk to most
> > of the population - why are you even reading this newsgroup?
>
>
> Well, you may discuss, but it's useless. As long as one unavoidable
> trivial attack vector exists, it's no use securing any other part of
> the system - the attacker will simply use this attack vector.
Ohh do shut up and stop trying to impress the ladies ;)
me
--
Sebastian G.
12-04-07, 04:48 PM
bassbag wrote:
>> Sorry, the paid version also includes known vulnerabilities that the
>> vendor is unwilling to fix.
>
> What are these known vulnerabilities that the vendor is unwilling to
> fix?
- buffer overflows in the kernel-mode driver due to lacking parameter validation
- runs a privileged service with 6 invisible windows, making it vulnerable
to shatter attacks
>>> but I do need to use Outlook.
>> Then why are you even discussing about security?
> It's a security forum, isn't it?
Isn't. This is a Usenet newsgroup, not a forum.
Mr. Arnold
12-05-07, 12:24 AM
"louise" <louise@invalid.invalid> wrote in message
news:5rk4jiF14predU1@mid.individual.net...
> Anyone using the Online Armor firewall? At the moment I'm using the free
> version, wondering if there's really any reason to move to the paid
> version. What has your experience been?
>
> Also running NOD32 and various Spyware programs on a regular, but not
> realtime, basis. Usually use Firefox with NoScript - but I do need to use
> Outlook.
>
I trialed that solution back in 2002 or 2003. I liked that personal FW
solution. At the time, it didn't have any snake-oil in it. I don't know what
it's got now.
bassbag
12-05-07, 12:18 PM
Sebastian G. wrote:
> bassbag wrote:
>
>
> > > Sorry, the paid version also includes known vulnerabilities that
> > > the vendor is unwilling to fix.
> >
> > What are these known vulnerabilities that the vendor is unwilling to
> > fix?
>
>
> - buffer overflows in the kernel-mode driver due to lacking parameter
> validation - runs a privileged service with 6 invisible windows,
> making it vulnerable to shatter attacks
Can you provide links to this, and also links to show that the vendor
is unwilling to fix this?
> > > > but I do need to use Outlook.
> > > Then why are you even discussing about security?
> > It's a security forum, isn't it?
>
>
> Isn't. This is a Usenet newsgroup, not a forum.
Technically you are correct, though some folks actually use it to
discuss firewall security, with the intention of helping other posters.
me
--
Sebastian G.
12-05-07, 12:28 PM
bassbag wrote:
>> - buffer overflows in the kernel-mode driver due to lacking parameter
>> validation - runs a privileged service with 6 invisible windows,
>> making it vulnerable to shatter attacks
>
> Can you provide links to this, and also links to show that the vendor
> is unwilling to fix this?
Sorry, the 30 days of disclosure time aren't over yet. At any rate, the
windows for the shatter attacks are trivial to see with Spy++.
> Technically you are correct, though some folks actually use it to
> discuss firewall security, with the intention of helping other posters.
> me
That doesn't make the discussion any less pointless. What use is it to
secure the windows if the door is standing open?
Newbie72
12-06-07, 03:55 PM
On Dec 5, 12:28 pm, "Sebastian G." <se...@seppig.de> wrote:
> bassbag wrote:
> >> - buffer overflows in the kernel-mode driver due to lacking parameter
> >> validation - runs a privileged service with 6 invisible windows,
> >> making it vulnerable to shatter attacks
>
> > Can you provide links to this, and also links to show that the vendor
> > is unwilling to fix this?
>
> Sorry, the 30 days of disclosure time aren't over yet. At any rate, the
> windows for the shatter attacks are trivial to see with Spy++.
>
> > Technically you are correct, though some folks actually use it to
> > discuss firewall security, with the intention of helping other posters.
> > me
>
> That doesn't make the discussion any less pointless. What use is it to
> secure the windows if the door is standing open?
I won't take this discussion too far off topic, I promise. I do however
have a question and a few statements.
There is no reason to debate how nonsecure or secure for that matter
any email client is. I ask anyone here what email client is
"completely" secure? For that matter the only secure computer/server/
or network that I have ever seen is the one that is turned off. Some
people might argue the point that any of the previous systems
mentioned are securable as long as they are in a locked room with one
exit and one entry and not on the internet or connected to any other
type of public access point. After being part of this news group for
over a year now and having the chance to speak to a number of
extremely talented folks, I would bet there are quite a number of
people on this group who would be able to still steal your stuff.
So I ask why give people a hard time. If you can help then please do.
It will only make this group and those who read it stronger, more
educated people. If you can't help then why respond? Is it just so you
can flex a little muscle to give people a hard time.
Karma always wins!
Sebastian G.
12-06-07, 04:11 PM
Newbie72 wrote:
> There is no reason to debate how nonsecure or secure for that matter
> any email client is. I ask anyone here what email client is
> "completely" secure?
That's no point. Outlook has many *publicly known* vulnerabilities that
Microsoft is *unwilling* to fix, and are *not securable otherwise* (that is,
any trial to detect an exploit would create a security issue itself). That
is, for Outlook any hope for security is already lost in first place,
whereas the real MUAs at least have a chance to be secure.
> So I ask why give people a hard time.
I don't, because at least at the mentioned things I'm not discussing with
arguments, but simply apply scientific conclusions (that is, stating facts).
If the system is already insecure in theory, then you can't get it secure in
the real world either. And as long as at least one part of the system is
insecure, all layers of the same security context also become insecure.
Even further, one should reasonably assume that at least one attacker
actually took the opportunity and hacked into your system silently, removed
all traces he could remove, and is continuously hiding his presence.
bassbag
12-09-07, 06:39 AM
Sebastian G. wrote:
> bassbag wrote:
>
>
> > > - buffer overflows in the kernel-mode driver due to lacking
> > > parameter validation - runs a privileged service with 6 invisible
> > > windows, making it vulnerable to shatter attacks
> >
> > Can you provide links to this, and also links to show that the
> > vendor is unwilling to fix this?
>
>
> Sorry, the 30 days of disclosure time aren't over yet. At any rate,
> the windows for the shatter attacks are trivial to see with Spy++.
Are you referring to matousec or secunia advisories?
> > Technically you are correct, though some folks actually use it to
> > discuss firewall security, with the intention of helping other
> > posters me
>
>
> That doesn't make the discussion any less pointless. What use is it
> to secure the windows if the door is standing open?
That's true, and why many prefer a layered approach to security in case
one part fails. What security would you recommend using, such as AV,
firewall, HIPS (if any) etc., and what would be your reasons?
me
--
Sebastian G.
12-09-07, 02:45 PM
bassbag wrote:
> Sebastian G. wrote:
>
>> bassbag wrote:
>>
>>
>>>> - buffer overflows in the kernel-mode driver due to lacking
>>>> parameter validation - runs a privileged service with 6 invisible
>>>> windows, making it vulnerable to shatter attacks
>>> Can you provide links to this, and also links to show that the
>>> vendor is unwilling to fix this?
>>
>> Sorry, the 30 days of disclosure time aren't over yet. At any rate,
>> the windows for the shatter attacks are trivial to see with Spy++.
>
> Are you referring to matousec or secunia advisories?
Hm? I haven't seen any of those ever discussing shatter attacks. But well,
Google is your friend. I for one only post public advisories on Bugtraq, if
the vendor fails to address the vulnerabilities appropriately.
> That's true, and why many prefer a layered approach to security in case
> one part fails.
"Layered security" is a typical buzzword showing a misinterpretation of
"defense in depth". Vertically stacked independent layers with enforceable
security policies increase security, because breaking the system requires
breaking all intermediate layers. Horizontally side-by-side layers, as you
describe your system, decrease security, because exploiting just one layer
compromises all other layers in the same security context.
> What security would you recommend using, such as AV,
> firewall, HIPS (if any) etc., and what would be your reasons?
AV - none at all, since it doesn't even partially solve any problem and only
introduces new vulnerabilities. A plain virus scanner not using any
privileged service serving as a pure host-based intrusion detection system
might be beneficial, but typically not worth the effort. And it might also be
beneficial as a spam filter, but other kinds of spam filters are typically
much better.
Firewall - depends on your system. I'm quite happy with a small host-based
packet filter enforcing some ingress and egress filtering.
HIPS - are you nuts? An automated solution to DoS yourself...
bassbag
12-09-07, 03:31 PM
Sebastian G. wrote:
> bassbag wrote:
>
> > Sebastian G. wrote:
> >
> > > bassbag wrote:
> > >
> > >
> > > > > - buffer overflows in the kernel-mode driver due to lacking
> > > > > parameter validation - runs a privileged service with 6
> > > > > invisible windows, making it vulnerable to shatter attacks
> > > > Can you provide links to this, and also links to show that the
> > > > vendor is unwilling to fix this?
> > >
> > > Sorry, the 30 days of disclosure time aren't over yet. At any
> > > rate, the windows for the shatter attacks are trivial to see with
> > > Spy++.
> >
> > Are you referring to matousec or secunia advisories?
>
>
> Hm? I haven't seen any of those ever discussing shatter attacks. But
> well, Google is your friend. I for one only post public advisories on
> Bugtraq, if the vendor fails to address the vulnerabilities
> appropriately.
>
> > That's true, and why many prefer a layered approach to security in
> > case one part fails.
>
>
> "Layered security" is a typical buzzword showing a misinterpretation
> of "defense in depth". Vertically stacked independent layers with
> enforceable security policies increase security, because breaking the
> system requires breaking all intermediate layers. Horizontally
> side-by-side layers, as you describe your system, decrease security,
> because exploiting just one layer compromises all other layers in the
> same security context.
Can you give any software examples of vertically stacked independent
layers with enforceable security policies for the home user on a Windows
OS?
>
> > What security would you recommend using, such as AV,
> > firewall, HIPS (if any) etc., and what would be your reasons?
>
>
> AV - none at all, since it doesn't even partially solve any problem
> and only introduces new vulnerabilities. A plain virus scanner not
> using any privileged service serving as a pure host-based intrusion
> detection system might be beneficial, but typically not worth the
> effort. And it might also be beneficial as a spam filter, but other
> kinds of spam filters are typically much better.
Would you recommend that all users, i.e. new Windows PC users, not use an
AV, or just those like yourself who have some knowledge?
>
> Firewall - depends on your system. I'm quite happy with a small
> host-based packet filter enforcing some ingress and egress filtering.
>
> HIPS - are you nuts? An automated solution to DoS yourself...
possibly...
--
Mr. Arnold
12-09-07, 05:17 PM
"bassbag" <bassbag@bodybags.dragon.wales> wrote in message
news:5s31l3F1739q5U1@mid.individual.net...
I have not seen your posts in a long time. How are you doing? Hey, I got
this clown in another NG that I must have trashed and burned a few years
back over BlackIce. I stopped using BlackIce and moved on long ago, but he
just brought-up BlackIce to me on an unrelated issue. I must tell you that I
was rolling on the floor with laughter and was tickled. I must have wounded
the ol'boy badly, and his nose has been open from that point long ago. :)
Sebastian G.
12-09-07, 06:37 PM
bassbag wrote:
> Can you give any software examples of vertically stacked independent
> layers with enforceable security policies for the home user on a Windows
> OS?
Windows (NT 3.51, NT 4, 2000, XP, Server 2003, Vista) itself is a C2
conformant system with granular discretionary access control. That is, when
you're running as a non-admin user, neither the user nor any program running
under his security context can compromise the data of other users or the
system. This access control is enforced by the Windows kernel and the page
protection mechanisms provided by the CPU.
Now add, e.g., MSIE being abused as a web browser. If someone successfully
subverts MSIE (which is actually trivial, since it was never supposed to be
secure on the net), he gains access to all data of the user and can run
arbitrary code in this context. However, this doesn't allow him to access
the data of other users.
Now, for some even more stupidity, add MSOE being abused as a newsreader.
Trivial to exploit as well. Now, if someone wants to break into the user
context, he can subvert MSIE *or* MSOE (or both). For gaining access to the
data of other users (or complete control of the system), he has to subvert
MSIE/MSOE *and* the security mechanisms of Windows.
> Would you recommend that all users, i.e. new Windows PC users, not use an
> AV, or just those like yourself who have some knowledge?
I'd recommend them to not think that a virus scanner could address the virus
problem or any security issue, that is, being aware of its limitations. If
carefully used, it might serve as an intrusion detection system.
>> HIPS - are you nuts? An automated solution to DoS yourself...
>
> possibly...
Rather by design. Hint: IP spoofing
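The two-context picture in Sebastian's reply (components sitting side by side inside one security context, a boundary enforced by the kernel above it) and his earlier point about vertical versus horizontal layers, as an added worked model that is not from the thread. The two contexts, the component names MSIE and MSOE, and the failure probabilities (0.5 per exposed client, 0.1 for the Windows boundary) are assumptions chosen only to make the effect visible:

```python
"""Added example, not from the thread: a small model of the vertical-vs-horizontal
layering argument, using the MSIE/MSOE illustration. Contexts, component names and
failure probabilities are assumptions."""
from itertools import product

BOUNDARY = "Windows DAC + kernel"   # the vertical layer between the two contexts


def build(user_components):
    """Two contexts stacked vertically; the given components sit side by side
    (horizontally) inside the less privileged one."""
    return {
        "contexts": ["user", "system"],                 # least to most privileged
        "components": {"user": list(user_components), "system": []},
        "boundaries": {("user", "system"): BOUNDARY},
    }


def owned_contexts(system, broken):
    """Given the set of broken elements, which contexts does the attacker hold?
    One broken component in a context is enough (OR); climbing to the next
    context requires holding the one below AND breaking the boundary."""
    owned = set()
    for i, ctx in enumerate(system["contexts"]):
        via_component = any(c in broken for c in system["components"][ctx])
        via_boundary = False
        if i > 0:
            below = system["contexts"][i - 1]
            via_boundary = below in owned and system["boundaries"][(below, ctx)] in broken
        if via_component or via_boundary:
            owned.add(ctx)
    return owned


def breach_probability(system, probs, target):
    """Exact P(attacker holds `target`), enumerating every combination of
    independently broken elements (fine for a handful of elements)."""
    elements = sorted(probs)
    total = 0.0
    for flags in product((False, True), repeat=len(elements)):
        broken = {e for e, f in zip(elements, flags) if f}
        weight = 1.0
        for e, f in zip(elements, flags):
            weight *= probs[e] if f else 1.0 - probs[e]
        if target in owned_contexts(system, broken):
            total += weight
    return total


def compare(p_client=0.5, p_boundary=0.1):
    """Adding MSOE next to MSIE raises the chance of losing the user context;
    the system context is still only reachable through the boundary as well."""
    results = {}
    for label, comps in (("MSIE only", ["MSIE"]), ("MSIE + MSOE", ["MSIE", "MSOE"])):
        system = build(comps)
        probs = {c: p_client for c in comps}
        probs[BOUNDARY] = p_boundary
        results[label] = {ctx: breach_probability(system, probs, ctx)
                          for ctx in system["contexts"]}
    return results


if __name__ == "__main__":
    for label, per_ctx in compare().items():
        print(label, {k: round(v, 3) for k, v in per_ctx.items()})
```

Any broken element inside the user context yields that whole context (an OR), so placing MSOE beside MSIE raises the chance of losing it from 0.5 to 0.75. Reaching the system context additionally requires the boundary (an AND), so that probability stays a product, 0.05 and 0.075 respectively; stacking one more independent boundary would multiply it down again, which is the defence-in-depth sense of "layer".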
bassbag
12-10-07, 11:43 AM
Sebastian G. wrote:
> bassbag wrote:
>
>
> > Can you give any software examples of vertically stacked independent
> > layers with enforceable security policies for the home user on a
> > Windows OS?
>
>
> Windows (NT 3.51, NT 4, 2000, XP, Server 2003, Vista) itself is a C2
> conformant system with granular discretionary access control. That
> is, when you're running as a non-admin user, neither the user nor any
> program running under his security context can compromise the data of
> other users or the system. This access control is enforced by the
> Windows kernel and the page protection mechanisms provided by the
> CPU. Now add, e.g., MSIE being abused as a web browser. If someone
> successfully subverts MSIE (which is actually trivial, since it was
> never supposed to be secure on the net), he gains access to all data
> of the user and can run arbitrary code in this context. However, this
> doesn't allow him to access the data of other users. Now, for some
> even more stupidity, add MSOE being abused as a newsreader. Trivial
> to exploit as well. Now, if someone wants to break into the user
> context, he can subvert MSIE or MSOE (or both). For gaining access to
> the data of other users (or complete control of the system), he has
> to subvert MSIE/MSOE and the security mechanisms of Windows.
Ahh, I see..
> > Would you recommend that all users, i.e. new Windows PC users, not
> > use an AV, or just those like yourself who have some knowledge?
>
>
> I'd recommend them to not think that a virus scanner could address
> the virus problem or any security issue, that is, being aware of its
> limitations. If carefully used, it might serve as an intrusion
> detection system.
And that's cleared that up.
> > > HIPS - are you nuts? An automated solution to DoS yourself...
> >
> > possibly...
>
> Rather by design. Hint: IP spoofing
Some people just can't take a hint.
Thank you for your time.
me
--
bassbag
12-10-07, 11:46 AM
Mr. Arnold wrote:
>
> "bassbag" <bassbag@bodybags.dragon.wales> wrote in message
> news:5s31l3F1739q5U1@mid.individual.net...
>
>
> I have not seen your posts in a long time. How are you doing? Hey, I
> got this clown in another NG that I must have trashed and burned a
> few years back over BlackIce. I stopped using BlackIce and moved on
> long ago, but he just brought-up BlackIce to me on an unrelated issue. I
> must tell you that I was rolling on the floor with laughter and was
> tickled. I must have wounded the ol'boy badly, and his nose has been
> open from that point long ago. :)
Hello D...
Hope things are fine with you. Yes, it does surprise me how some folks
carry a "newsnet grudge" over the years... usually because their opinion
is not shared by others. Ahh well, life's too short for that sort of
thing. Anyways, hope you have a very happy Christmas and New Year!!
me
--
Sebastian G.
12-10-07, 01:52 PM
bassbag wrote:
>>>> HIPS - are you nuts? An automated solution to DoS yourself...
>>> possibly...
>> Rather by design. Hint: IP spoofing
> Some poeple just cant take a hint.
A HIPS' purpose is to detect attack patterns and block their source. Now
with IP spoofing I'll simply spoof a number of legitimate hosts, send some
of such attacks and the HIPS will block the legitimate hosts. Legitimate
hosts are all internal server, the gateway, your DNS server, legitimate
customers etc.
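The self-inflicted denial of service Sebastian describes, next to the guard rails a defender puts around any automatic blocker, as an added example that is not from the thread or from any HIPS product. The addresses, rule names and event records are constructed:

```python
"""Added example, not from the thread: why a HIPS that auto-blocks attack sources
turns IP spoofing into a self-inflicted DoS, and one mitigation. All hosts,
addresses and events are constructed."""
from dataclasses import dataclass

# Constructed: hosts this machine cannot afford to lose (assumed addresses).
CRITICAL_HOSTS = {
    "192.0.2.1": "gateway",
    "192.0.2.53": "DNS server",
    "192.0.2.10": "internal file server",
}


@dataclass(frozen=True)
class Event:
    src: str          # source address as seen on the wire (forgeable)
    signature: str    # which detection rule fired
    handshake: bool   # did the source complete a TCP three-way handshake?
                      # A blind spoofer never sees the SYN-ACK, so it cannot.


# Constructed sample: one real scanner, one real attacker, and three events whose
# source address was forged to look like our own infrastructure.
EVENTS = [
    Event("203.0.113.7", "port-scan", handshake=False),
    Event("192.0.2.1", "port-scan", handshake=False),
    Event("192.0.2.53", "port-scan", handshake=False),
    Event("203.0.113.9", "web-exploit-attempt", handshake=True),
    Event("192.0.2.10", "port-scan", handshake=False),
]


def naive_blocklist(events):
    """The behaviour the thread criticises: block every source that trips a rule."""
    return {e.src for e in events}


def hardened_decision(events, critical=CRITICAL_HOSTS):
    """Split events into (block, alert_only):
    - never auto-block a critical host, whatever the rule says;
    - only block on evidence a blind spoofer cannot forge (a completed handshake);
    - everything else is raised for a human, so no signal is silently dropped."""
    block, alert_only = set(), set()
    for e in events:
        if e.src in critical or not e.handshake:
            alert_only.add(e.src)
        else:
            block.add(e.src)
    return block, alert_only


def collateral_damage(blocklist, critical=CRITICAL_HOSTS):
    """Which infrastructure would a given blocklist cut this host off from?"""
    return {ip: role for ip, role in critical.items() if ip in blocklist}


if __name__ == "__main__":
    naive = naive_blocklist(EVENTS)
    print("naive blocks:", sorted(naive), "-> self-DoS on", collateral_damage(naive))
    block, alert_only = hardened_decision(EVENTS)
    print("hardened blocks:", sorted(block), "alert only:", sorted(alert_only))
```

The handshake test only helps for TCP; UDP and ICMP signatures cannot be verified that way, so under this policy they stay alert-only, and the allowlist of infrastructure is what actually prevents the outage the thread warns about.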
Sebastian G.;3357508 Wrote:
> bassbag wrote:
>
> > What are these known vulnerabilities that the vendor is unwilling to
> > fix?
>
>
> - buffer overflows in the kernel-mode driver due to lacking parameter
> validation
> - runs a privileged service with 6 invisible windows, making it
> vulnerable
> to shatter attacks
>
Buffer overflow in the kernel mode driver was fixed long ago, you can
check it with bsodhook utility from Matousec. Though, the fact of a
buffer overflow doesn't prove vulnerability, it proves just
insufficient parameter validation. In any case it is fixed, which can
be easily checked by anybody.
As for the shatter attack. The fact there are invisible windows doesn't
mean vulnerability either. A program should be able to send the messages
to those windows, which is impossible in OA case. So there is not any
known vulnerability actually. I have found that exploit utility and
tested OA. Exploit failed. Low level debugging showed "access denied"
response to the messages the exploit tried to send to OA.
I'm an OA beta teamer and I'm concerned about security, that is why I test
everything by myself.
===
--
alex_s
------------------------------------------------------------------------
alex_s's Profile: http://forums.techarena.in/member.php?userid=39234
View this thread: http://forums.techarena.in/showthread.php?t=864775
http://forums.techarena.in
Sebastian G.
01-09-08, 10:52 AM
alex_s wrote:
> Buffer overflow in the kernel mode driver is fixed long ago, you can
> check it with bsodhook utility from Matousec.
I fail to see how 'bsodhook' shall compete with the Driver Path Exerciser
tool from the Windows Driver Kit. The problem is within buffer size
vs. reported size, and a quick checkout clearly shows me that the most
recent version of "Online Armor Firewall" is still vulnerable.
> Though, the fact of a buffer overflow doesn't prove vulnerability,
Of course it does, at least leading to a Denial of Service. However, this
specific instance is clearly exploitable.
> As for the shatter attack. The fact there are invisible windows doesn't
> mean vulnerability either. A program should be able to send the messages
> to those windows, which is impossible in OA case.
According to my analysis, it does work very well with WM_SETTEXT and WM_TIMER.
> I have found that exploit utility and tested OA. Exploit failed.
That's why serious people write their own exploits.
Sebastian G.;3443166 Wrote:
> alex_s wrote:
>
>
> > Buffer overflow in the kernel mode driver is fixed long ago, you can
> > check it with bsodhook utility from Matousec.
>
>
> I fail to see how 'bsodhook' shall compete with the Driver Path
> Exerciser
> tool from the Windows Driver Kit.
This is a great utility, actually. Many-many long-existing vendors were
defeated by this simple tool. This tool tests all the kernel hooks in
all the possible ways, including faked and completely wrong
parameters.
Sebastian G.;3443166 Wrote:
>
> The problem is within buffer size
> vs. reported size, and a quick checkout clearly shows me that the most
> recent version of "Online Armor Firewall" is still vulnerable.
>
OK. This may well be, but this is something new, so in no case may it
be called a "known vulnerability". I'll check it, though.
Sebastian G.;3443166 Wrote:
>
>
> > Though, the fact of a buffer overflow doesn't prove vulnerability,
>
> Of course it does, at least leading to a Denial of Service. However,
> this
> specific instance is clearly exploitable.
>
Have you ever reported this to the vendor? And what was the answer?
Sebastian G.;3443166 Wrote:
>
>
>
> > As for the shatter attack. The fact there are invisible windows
> doesn't
> > mean vulnerability either. A program should be able to send the
> messages
> > to those windows, which is impossible in OA case.
>
>
> According to my analysis, it does work very well with WM_SETTEXT and
> WM_TIMER.
>
> > I have found that exploit utility and tested OA. Exploit failed.
>
>
> That's why serious people write their own exploits.
Can you publish your own exploit so that anybody could use it? I just
doubt your words, sorry.
--
alex_s
Volker Birk
01-11-08, 03:36 AM
alex_s <alex_s.32xa7e@donotspam.com> wrote:
> Sebastian G.;3357508 Wrote:
>> - runs a privileged service with 6 invisible windows, making it
>> vulnerable
>> to shatter attacks
[...]
> As for the shatter attack. The fact there are invisible windows doesn't
> mean vulnerability either.
If a privileged system service opens windows at all, then this is a
security breach.
Please have a look at:
http://support.microsoft.com/?scid=kb%3Ben-us%3B327618
Shatter attacks are only one of many threats here.
Yours,
VB.
--
The file name of an indirect node file is the string "iNode" immediately
followed by the link reference converted to decimal text, with no leading
zeroes. For example, an indirect node file with link reference 123 would
have the name "iNode123". - HFS Plus Volume Format, MacOS X
Volker Birk;3448494 Wrote:
>
> If a privileged system service opens windows at all, then this is a
> security breach.
This is completely true when it applies to a _REGULAR_ service. But when it
comes to a _SPECIAL_ service which _MUST_ protect other applications and
services, do you think it cannot protect itself in the first place?
Let me explain. The problem with WM_SETTEXT and WM_TIMER messages was
discovered long ago and is well known as the Shatter attack. Once a specially
formatted message was sent to the target service and was processed by
the _DEFAULT_ wndproc, YES, there is a way to inject your code in the
service's context.
But. If only the service is developed with knowledge of the nature of this
attack, it can handle those messages in a special way. For one it can
detect (using the regular Windows API) the source of a message and
depending on this either process it or not. This can be done by ANY
regular service. And when it comes to a SPECIAL service, which controls
system resources at the lowest possible level (RING 0 is meant here)
there is not a problem to just laugh at this poor attempt to compromise
security, which OA successfully does and which was proved by people who
understand what they do.
I can bet nobody can successfully run a Shatter attack against OA.
I have read much of the attack and I have tried to run it myself
against OA.
There is just no way to send an unauthorized message to the OA service,
because OA fully and globally controls the Windows message queue.
--
alex_s
alex_s;3448719 Wrote:
> There is just no way to send an unauthorized message to the OA service,
> because OA fully and globally controls the Windows message queue.
And that is to say this is equally valid not only for OA service, but
for any OA related program, including OAui and scanningprocess and
whatever it starts to provide security tasks.
And please, do not regard OA developers to be so silly not to handle
such a well known issue in a safe way.
--
alex_s
Ansgar -59cobalt- Wiechers
01-11-08, 09:43 AM
alex_s <alex_s.330tzf@donotspam.com> wrote:
> Volker Birk;3448494 Wrote:
>> If a privileged system service opens windows at all, then this is a
>> security breach.
>
> This is completely true when applies to _REGULAR_ service. But when it
> comes to _SPECIAL_ service which _MUST_ protect other applications and
> services, do you think it cannot protect itself in the first place ?
>
> Let me explain. The problem with WM_SETTEXT and WM_TIMER messages was
> discovered long ago and is well known as the Shatter attack. Once a specially
> formatted message was sent to the target service and was processed by the
> _DEFAULT_ wndproc, YES, there is a way to inject your code in the
> service's context.
>
> But. If only service is developed with knowing of the nature of this
> attack it can handle those messages in special way.
If the service were developed by people knowing about the nature of this
kind of attack it wouldn't have windows attached to it in the first
place. There is no (in words "no") valid reason for a service to be
running interactively with elevated privileges. If you need a
configuration frontend for that service: write a frontend program that
runs with user privileges and communicates with the service through
appropriate channels (sockets, named pipes, whatever).
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
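As an added defender's check (my own snippet, not from this thread or from any vendor), here is a PowerShell function that lists services configured to interact with the desktop, i.e. the "privileged service that opens windows" the post above objects to. The function name and the output fields are my own choices; the Win32_Service DesktopInteract property and the 0x100 bit in the registry Type value are the real Windows settings.

```powershell
# Added example: find services whose configuration lets them put windows
# on the interactive desktop. A service that has this flag AND runs as
# LocalSystem is exactly the combination the thread warns about: a
# privileged process exposed to window messages from less privileged code.
# Run from an elevated PowerShell prompt.
function Get-InteractiveService {
    $interactiveFlag = 0x100   # SERVICE_INTERACTIVE_PROCESS bit of the SCM "Type" value

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        # Registry "Type" is the authoritative copy of the flag; WMI's
        # DesktopInteract should agree, but we check both to be safe.
        $type = (Get-ItemProperty -Path $key -Name Type -ErrorAction SilentlyContinue).Type
        $flagSet = ($null -ne $type) -and (($type -band $interactiveFlag) -ne 0)

        if ($svc.DesktopInteract -or $flagSet) {
            [PSCustomObject]@{
                Name       = $svc.Name
                Account    = $svc.StartName
                State      = $svc.State
                # LocalSystem is the most privileged account a service can use;
                # an interactive service running as it is the worst case.
                Privileged = [bool]($svc.StartName -match 'LocalSystem|NT AUTHORITY\\SYSTEM')
                Binary     = $svc.PathName
            }
        }
    }
}

# Usage: privileged findings first; an empty table means no interactive services.
Get-InteractiveService | Sort-Object -Property Privileged -Descending | Format-Table -AutoSize
```

Since Windows Vista, services run in session 0 and their windows are not on the user's desktop, which blunts a classic shatter attack; the flag is still worth flagging, because a service that needs it has a UI running at service privilege instead of the user-privilege frontend the post recommends.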
Ansgar -59cobalt- Wiechers
01-11-08, 09:48 AM
alex_s <alex_s.330zjd@donotspam.com> wrote:
> And please, do not regard OA developers to be so silly not to handle
> such a well known issue in a safe way.
This kind of issue should be "handled" by entirely avoiding it in the
first place. Doing anything else will rightfully be considered plain and
utterly stupid.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Ansgar -59cobalt- Wiechers;3448997 Wrote:
> alex_s <alex_s.330zjd@donotspam.com> wrote:
> > And please, do not regard OA developers to be so silly not to handle
> > such a well known issue in a safe way.
>
> This kind of issue should be "handled" by entirely avoiding it in the
> first place. Doing anything else will rightfully be considered plain
> and utterly stupid.
I'm not sure they do care much about invalid considerations, I think
they do care about practical results. And practically nobody has yet
succeeded in proving they are wrong. Until somebody succeeds, all the other
talk is just fairy tales of nothing and commonplace speculation.
I can't resist remembering another fairy tale. The well-known Mr. Matousec
forced many security vendors to believe that usermode hooks are a "no-no"
in security s/w. As a PoC he published his FPR utility and claimed
it unhooks all the usermode hooks of all the tested programs. Being
sceptical about any claims, I took this FPR, I took the set of Matousec
tests and ran them myself. Oops, FPR v3 failed to unhook OA usermode
hooks (not all of them, but only those that serve as a helper security
level in HIPS, CreateProcess and LoadLibrary) for ALL the tests. (To
avoid misinterpretation I must add that OA has corresponding kernel hooks,
NtCreateProcessEx etc., as the main protection level and uses usermode
only to inform the user faster and in a more detailed way about what
happens; for example there is no way in NtCreateProcessEx to get the
command-line parameters just because this memory block is not set up by
the system at this moment).
And now, why was I sceptical about Matousec's claim.
His main idea is "in its own memory an application can do whatever it
wishes and that is why usermode hooks can be unhooked in any case".
Sounds quite reasonable, doesn't it? But this is not all the truth that
must be taken into account. Another piece of truth is "to do anything in
its own memory an application must know what to do". To unhook usermode
hooks, an application must know the addresses of the original functions. To
get those addresses the application must request some additional system
resources (for example the dll file that hosts the original API function). But
in case the application is denied this resource (and security
software that is deeply integrated into the system can surely restrict
any system resource for a usermode application) it will not be able
to unhook usermode hooks.
Coming back to avoiding something. I'd warn you against too-fast
judgements. I have seen many times that people who judged fast were then very sorry
about it. The fact you don't see the reasons doesn't mean there aren't
any. I can't say what considerations brought them to where they are,
but I can judge the practical results (and I do it without extra words
and fake considerations). My practical results with OA are excellent.
There were some real (proved and reproducible) security issues found
during betatesting, but all of them were fixed within a couple of days
after they were reported. Though, I don't remember that "commonplace
considerations" were taken too seriously. And this outdated
shatter idea, which first appeared when such a word as "HIPS" didn't
even exist, can not be taken seriously today. This is not IMHO, this is
my strong practical knowledge.
--
alex_s
Sebastian G.
01-11-08, 02:02 PM
alex_s wrote:
> Volker Birk;3448494 Wrote:
>> If a privileged system service opens windows at all, then this is a
>> security breach.
> This is completely true when applied to a _REGULAR_ service. But when it
> comes to _SPECIAL_ service which _MUST_ protect other applications and
> services, do you think it cannot protect itself in the first place?
This only applies to non-broken concepts.
> Let me explain. The problem with WM_SETTEXT and WM_TIMER messages was
> discovered long ago and is well known as Shatter attack. Once specially
> formatted message was sent to the target service and was processed by
> _DEFAULT_ wndproc, YES, there is a way to inject your code in hte
> services's context.
So then why does Online Armor Firewall use the DefaultWnfProc?
> But. If only service is developed with knowing of the nature of this
> attack it can handle those messages in special way. For one it can
> detect (using regular windows API) the source of a message
Which shows that you have obviously no clue.
> And when it comes to SPECIAL service, which controls
> system resources at the lowest possible level (RING 0 is meant here)
This service doesn't run at ring0.
Ansgar -59cobalt- Wiechers
01-11-08, 02:08 PM
alex_s <alex_s.3317ve@donotspam.com> wrote:
> Ansgar -59cobalt- Wiechers;3448997 Wrote:
>> alex_s <alex_s.330zjd@donotspam.com> wrote:
>>> And please, do not regard OA developers to be so silly not to handle
>>> such a well known issue in a safe way.
>>
>> This kind of issue should be "handled" by entirely avoiding it in the
>> first place. Doing anything else will rightfully be considered plain
>> and utterly stupid.
>
> I'm not sure they do care much about invalid considerations,
Look, I'll make this simple for you to understand: there's no point at
all in solving a problem, when you can avoid it entirely.
That's what security is all about: defensive approaches. You try to
avoid problems in the first place, and try to solve only those problems
you cannot avoid. You may want to explain what would be invalid about
this consideration.
It's utterly stupid to put yourself in danger first (for no good reason,
mind you), and then defend yourself from the dangers you needlessly put
yourself into.
> And practically nobody still succeeded to prove they are wrong. Until
> somebody succeed all the other talks are just fairy tails of nothing
> and commonplace speculations.
That's entirely beside the point. I would never trust my security to
anyone who disregards basic principles of security for no apparent
reason, no matter how brilliant their code may be. Nor would I recommend
any such product to anyone else.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Sebastian G.
01-11-08, 02:22 PM
Michael Niederer wrote:
> Matousec forced many security vendors to believe that usermode hooks is
> "no-no" in security s/w.
Matousec forced no one, except me to laugh.
> Oops, FPR v3 failed to unhook OA usermode hooks
Then again, just the existence of these hooks is proof enough how broken OA is.
> (To avoid misinterpreting I must add that OA has corresponding kernel
> hooks NtCreateProcessEx
There is no misinterpretation: OA is obviously broken.
> His main idea is "in its own memory application can do whatever it
> wishes and that is why usermode hooks can be unhooked in any case".
> Sounds quite reasonable, isn't it ?
And it's trivially true.
> To unhook usermode hooks application must know the addresses of the
> original functions. To get those addresses application must request some
> additional system resources (for example dll file that hosts original API
> function).
The original DLL is already loaded within KeLoadImage().
> But in case appilication is denied to get this resource
Nonsense. A simple ReadFile() already does the job. Anyway, one doesn't need
it anyway, since you can link all required functions statically.
> it will not be able to unhook usermode hooks.
Well, of course it can. Just overwrite the relevant memory section. If not,
then it's a bug.
> My practical results with OA are excellent.
Considering how enormously broken it is, this shows clearly how incompetent
you are for judging security-relevant results.
> There was some real (proved and reproducable) security issues found
> during betatesting, but all of them were fixed withing a couple of days
> after they were reported.
However, some major bugs like f.e. blocking various legitimate device
drivers, haven't been fixed.
> And this outdated
> shatter idea which first appeared when such a word as "HIPS" didn't
> even exist, can not be taken seriously today.
Maybe I just misunderstood what you wrote, but isn't "HIPS" exactly one of
the most unserious things?
Ansgar -59cobalt- Wiechers;3449609 Wrote:
>
> That's entirely beside the point. I would never trust my security to
> anyone who disregards basic principles of security for no apparent
> reason, no matter how brilliant their code may be. Nor would I
> recommend
> any such product to anyone else.
It's OK. You are free to do whatever you wish. I'm not a promoter, I
just don't like it when people blame something that works correctly for
working incorrectly. I have not the smallest intention to change your
principles, even though I regard them completely wrong. Here it was said that
OA is vulnerable to the shatter attack. This is not true. And this is
all I wanna say.
--
alex_s
Volker Birk
01-12-08, 07:21 AM
alex_s <alex_s.330tzf@donotspam.com> wrote:
> Volker Birk;3448494 Wrote:
>> If a privileged system service opens windows at all, then this is a
>> security breach.
> This is completely true when applies to _REGULAR_ service. But when it
> comes to _SPECIAL_ service which _MUST_ protect other applications and
> services, do you think it cannot protect itself in the first place ?
After all what I had to see, I would think so exactly, yes. There is no
single reason for a privileged service to open windows, so only muppets
are doing so.
> I can bet, nobody can sucessfully run Shatter attack against OA.
I don't know, and I'm not interested in at all. I'm not talking about
shatter attacks here.
Yours,
VB.
--
The file name of an indirect node file is the string "iNode" immediately
followed by the link reference converted to decimal text, with no leading
zeroes. For example, an indirect node file with link reference 123 would
have the name "iNode123". - HFS Plus Volume Format, MacOS X
Volker Birk
01-12-08, 07:23 AM
alex_s <alex_s.330zjd@donotspam.com> wrote:
> And please, do not regard OA developers to be so silly not to handle
> such a well known issue in a safe way.
If they're opening windows from a privileged system service, then
"silly" is a euphemism.
They have no f*cking clue of Windows and security, if they're doing so.
Yours,
VB.
--
The file name of an indirect node file is the string "iNode" immediately
followed by the link reference converted to decimal text, with no leading
zeroes. For example, an indirect node file with link reference 123 would
have the name "iNode123". - HFS Plus Volume Format, MacOS X
Ansgar -59cobalt- Wiechers
01-12-08, 04:56 PM
alex_s <alex_s.331izd@donotspam.com> wrote:
> Ansgar -59cobalt- Wiechers;3449609 Wrote:
>> That's entirely beside the point. I would never trust my security to
>> anyone who disregards basic principles of security for no apparent
>> reason, no matter how brilliant their code may be. Nor would I
>> recommend any such product to anyone else.
>
> It's OK. You are free to do whatever you wish. I'm not a promoter, I
> just don't like it when people blame something that works correctly for
> working incorrectly. I have not the smallest intention to change your
> principles, even though I regard them completely wrong.
You still have to give a single reason why that would be. You also
failed to answer my question what IYHO was invalid about considering
defensive approaches to security.
> Here it was said that OA is vulnerable to the shatter attack.
No. Volker said that shatter attacks are a *threat*. Which is absolutely
true.
Opening windows from a service running with elevated privileges makes
the service *potentially* vulnerable to shatter attacks. Whether there
is or isn't a known vulnerability doesn't change anything about the
threat being there.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich