Race Conditions aka TOCTOU and now KHOBE

[tweetmeme source=”franscomputerservices” only_single=false]There is a ‘supposedly new’ threat on the horizon for Windows XP users, and more so on multi-core systems called KHOBE (Kernel HOok Bypassing Engine).

Although this is a threat, it is not a new threat — in fact, this type of thing has been a threat to computing since 1998 when it was written about in PDF format: RaceConditions.pdf, and in 1996 in this PDF: racecond.pdf and many times since then in articles online about TOCTOU (noted below in this posting).

It definitely sounds pretty bad when it is reported that this ‘new’ KHOBE can bypass EVERY Windows security product in an article by the respected Adrian Kingsley-Hughes at ZDNet Blogs and as reported and tested by MATOUSEC here. And it certainly isn’t a non-issue…

However, let’s look at this objectively. First this is not the first, last or only situation that has or will arise. Race Conditions as noted above have been created by TOCTOU (Time of check to time of use) situations since the dawn of computing and yes, they are not easy to test for in all situations/hardware prior to release of software/Operating Systems, but these types of conditions have been a potential threat for a very long time in all kinds of software.

A time-of-check-to-time-of-use bug (TOCTTOU − pronounced “TOCK too”) is a software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. It is a kind of race condition.

Before Windows was capable of true multi-tasking/multi-threading, it was possible to create these conditions on UNIX machines as noted in this 2001 article at InformationWorld.

So, why the fuss now? Windows 7 is basically claimed to be immune — by its omission in the ‘affected Windows Operating Systems’ list. Apparently only Windows XP (ONLY about 60% of Windows users –eeek! — per Adrian Kingsley-Hughes article above), or earlier Windows OSes are affected and in this particular case, and then only by security software that use the KHOBE (Kernel HOok Bypassing Engine).

Graham Cluely at his Sophos Blog notes,

Because KHOBE is not really a way that hackers can avoid detection and get their malware installed on your computer. What Matousec describes is a way of “doing something extra” if the bad guys’ malicious code manages to get past your anti-virus software in the first place.

In other words, KHOBE is only an issue if anti-virus products such as Sophos (and many others) miss the malware. And that’s one of the reasons, of course, why we – and to their credit other vendors – offer a layered approach using a variety of protection technologies.

In addition, Paul Ducklin’s Sophos blog notes,

The security panic of the week is the widely-reported story of a “vulnerability” called KHOBE. One news headline goes so far as to announce that this “new attack bypasses virtually all AV protection”.

I disagree.

The sample “attack”, which claims to be an 8.0 earthquake for desktop security software, describes a way in which the tamper protection implemented by some anti-malware products might potentially be bypassed. Assuming you can get your malicious code past the anti-malware product in the first place, of course.

Much more in his blog entry. All of these links are must read if you wish to understand as much as is possible what the real threat is.

So, given all this, is the game over on security software because this is now disclosed to be possible (READ: it was always possible) — at least till they figure out how to prevent Race Conditions in security software?

Hardly. But due to the release of the information, this situation may make life interesting security-wise for Windows XP users (earlier Windows OSes like Win2K, Win98, WinME, WinNT shouldn’t even be on the net at this point for many reasons, the least of which is this situation).

So, if you are a Windows user what can you do in the meantime?

  • Keep your systems up to date
  • Make sure you have a hardware NAT or SPI Firewall/Router on your local network, and a software firewall in place and working properly and updated (if it’s a third party firewall – Windows Firewall is updated with your Windows Updates)
  • Keep your browsers up to date
  • Keep your browser plugins (Adobe products, Apple products, Java, etc.) and extensions (like Firefox’s AdBlock Plus, etc.) up to date
  • Keep all Internet facing programs (Adobe, Microsoft, etc.) up to date
  • Run your CCleaner (or other Temporary Files/Temporary Internet Files cleaner program) frequently (I actually run mine several times a day) – Fully close any browsers before running your ‘cleaner’ and then re-open it as needed after you run the ‘cleaner’
  • Make sure your antivirus software is updating as it should and doing its scheduled scans
  • Update and Run any cleaner software and secondary anti-malware programs (like Malwarebytes Anti-malware) at least once a week or more often and immediately if something seems odd on your computer
  • Don’t open suspicious emails, even from known senders
  • Be careful where you go on the Internet. Even some legitimate sites have been hacked
  • Be careful about links and friends on Facebook (if you haven’t deactivated your account yet), Twitter, LinkedIn, and other Web 2.0/dynamic Social Networking sites.

In short, do what you should always be doing to keep yourself safe. Because this isn’t over. It was always a possibility whether we were aware or not, and it will likely be a possibility for a long time to come.

You might also consider installing a preventative program like BillP’s WinPatrol on your system to make you aware of potential changes to your system. *See EDIT below for a note from BillP about WinPatrol and kernel hooks.

And as I noted earlier, the focus of this issue, at this time, is apparently Windows XP, but any operating system is vulnerable to this type of attack and always has been — and that is not likely going to change any time soon.

EDIT: Added the following comment from BillP who developed WinPatrol:

* Thanks! I’m honored by the mention.
It’s a great topic and mentioning WinPatrol is appropriate since I don’t use any kernel hooking to detect changes. Thumbs Up!


Embedded PDF executable hack

[tweetmeme source=”franscomputerservices” only_single=false]Embedded PDF executable hack goes live in Zeus malware attacks (Ryan Naraine at ZDNet)

Yes, there has been a lot of coverage on Adobe Reader vulnerabilities, and this is no exception, and with good reason since this is being actively exploited.

This one is the same /launch vulnerability built into Adobe Reader that was being exploited to run malicious code. This one also comes via email, and the PDF has an embedded attachment within the document. The file is executable and if you run it, it will install the Zeus bot on your computer.

It’s no longer good enough to disable Javascripting alone. There is more needed to thwart this attack.

From the article:

Here are the instructions for mitigating a potential attack:

* Users can also turn off this functionality in the Adobe Reader and Adobe Acrobat Preferences by selecting > Edit > Preferences > Categories > Trust Manager > PDF File Attachments and clearing (unchecking) the box “Allow opening of non-PDF file attachments with external applications”

It is important to download PDF files from email rather than opening them directly from email, as with any attachment, so you can virus scan the file prior to opening it.

While you are in the Preferences, you might want to make sure Javascripting is turned off. And you might want to disable viewing PDF files in browser windows. There are times when that may be inconvenient, but it will keep you safer at least for now.

One way to keep PDF files from opening in browsers if you are using Firefox is to install the PDF Download Extension which allows you to download rather than open a PDF file in the browser. It also gives you a chance to determine if this is really what you want to do.

Oracle, Java and Security

[tweetmeme source=”franscomputerservices” only_single=false]Oracle, Java and Security … oh my!

Java bug exposes users to serious code-execution risk – Researchers disclose because Oracle won’t!

This zero day bug, which is in the Java Web Start (this is automatically added as an ‘extension’ in Firefox – which I always disable) has become a real problem. Here’s a quote from the article regarding the Researchers’ attempt to make Oracle understand the severity of this issue:

Both researchers stressed the ease in which attackers can exploit the bug using a website that silently passes malicious commands to various Java components that jump-start applications in Internet Explorer, Firefox, and other browsers. Ormandy said he alerted Java handlers in Oracle’s recently-acquired Sun division to the threat but “they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.

(bold emphasis in the quote mine)

Merely disabling ActiveX or Firefox plugins isn’t enough because the toolkit is installed separately from Java. That means the only temporary fixes are browser specific for IE and Firefox and involve setting killbits or employing file system access control list features. (More about that here).

Or we could always just uninstall Java entirely until Oracle decides to protect their users.

That is a sad option since Secunia makes use of Java for it’s OSI (Online Software Inspector) which has become a very handy free tool for folks to keep up on the myriad of “Internet-facing” programs, plugins, missing Windows Updates, etc.

And of course, Weather.gov (for animated maps) and NASA/JPL use Java for many online projects. I would think they would want Oracle to rethink their position on this problem!

Plus, this is not just a Microsoft Windows Issue. The article also notes that this could affect Linux.

And from the sound of it, also Apple’s Mac OS; particularly since Apple is slow to upgrade Java on their OS platform, and they haven’t done an update for Java in a while for OS X Tiger at all.

What a mess. This issue with Java vulnerabilities, and how Oracle is handling it, may well provide a backdrop that opens up other concerns about Oracle’s stance on security related to their flagship products … things that maybe Oracle wouldn’t want folks to start thinking about…