Race Conditions aka TOCTOU and now KHOBE

[tweetmeme source=”franscomputerservices” only_single=false]There is a ‘supposedly new’ threat on the horizon for Windows XP users, and more so on multi-core systems called KHOBE (Kernel HOok Bypassing Engine).

Although this is a threat, it is not a new threat — in fact, this type of thing has been a threat to computing since 1998 when it was written about in PDF format: RaceConditions.pdf, and in 1996 in this PDF: racecond.pdf and many times since then in articles online about TOCTOU (noted below in this posting).

It definitely sounds pretty bad when it is reported that this ‘new’ KHOBE can bypass EVERY Windows security product in an article by the respected Adrian Kingsley-Hughes at ZDNet Blogs and as reported and tested by MATOUSEC here. And it certainly isn’t a non-issue…

However, let’s look at this objectively. First this is not the first, last or only situation that has or will arise. Race Conditions as noted above have been created by TOCTOU (Time of check to time of use) situations since the dawn of computing and yes, they are not easy to test for in all situations/hardware prior to release of software/Operating Systems, but these types of conditions have been a potential threat for a very long time in all kinds of software.

A time-of-check-to-time-of-use bug (TOCTTOU − pronounced “TOCK too”) is a software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. It is a kind of race condition.

Before Windows was capable of true multi-tasking/multi-threading, it was possible to create these conditions on UNIX machines as noted in this 2001 article at InformationWorld.

So, why the fuss now? Windows 7 is basically claimed to be immune — by its omission in the ‘affected Windows Operating Systems’ list. Apparently only Windows XP (ONLY about 60% of Windows users –eeek! — per Adrian Kingsley-Hughes article above), or earlier Windows OSes are affected and in this particular case, and then only by security software that use the KHOBE (Kernel HOok Bypassing Engine).

Graham Cluely at his Sophos Blog notes,

Because KHOBE is not really a way that hackers can avoid detection and get their malware installed on your computer. What Matousec describes is a way of “doing something extra” if the bad guys’ malicious code manages to get past your anti-virus software in the first place.

In other words, KHOBE is only an issue if anti-virus products such as Sophos (and many others) miss the malware. And that’s one of the reasons, of course, why we – and to their credit other vendors – offer a layered approach using a variety of protection technologies.

In addition, Paul Ducklin’s Sophos blog notes,

The security panic of the week is the widely-reported story of a “vulnerability” called KHOBE. One news headline goes so far as to announce that this “new attack bypasses virtually all AV protection”.

I disagree.

The sample “attack”, which claims to be an 8.0 earthquake for desktop security software, describes a way in which the tamper protection implemented by some anti-malware products might potentially be bypassed. Assuming you can get your malicious code past the anti-malware product in the first place, of course.

Much more in his blog entry. All of these links are must read if you wish to understand as much as is possible what the real threat is.

So, given all this, is the game over on security software because this is now disclosed to be possible (READ: it was always possible) — at least till they figure out how to prevent Race Conditions in security software?

Hardly. But due to the release of the information, this situation may make life interesting security-wise for Windows XP users (earlier Windows OSes like Win2K, Win98, WinME, WinNT shouldn’t even be on the net at this point for many reasons, the least of which is this situation).

So, if you are a Windows user what can you do in the meantime?

  • Keep your systems up to date
  • Make sure you have a hardware NAT or SPI Firewall/Router on your local network, and a software firewall in place and working properly and updated (if it’s a third party firewall – Windows Firewall is updated with your Windows Updates)
  • Keep your browsers up to date
  • Keep your browser plugins (Adobe products, Apple products, Java, etc.) and extensions (like Firefox’s AdBlock Plus, etc.) up to date
  • Keep all Internet facing programs (Adobe, Microsoft, etc.) up to date
  • Run your CCleaner (or other Temporary Files/Temporary Internet Files cleaner program) frequently (I actually run mine several times a day) – Fully close any browsers before running your ‘cleaner’ and then re-open it as needed after you run the ‘cleaner’
  • Make sure your antivirus software is updating as it should and doing its scheduled scans
  • Update and Run any cleaner software and secondary anti-malware programs (like Malwarebytes Anti-malware) at least once a week or more often and immediately if something seems odd on your computer
  • Don’t open suspicious emails, even from known senders
  • Be careful where you go on the Internet. Even some legitimate sites have been hacked
  • Be careful about links and friends on Facebook (if you haven’t deactivated your account yet), Twitter, LinkedIn, and other Web 2.0/dynamic Social Networking sites.

In short, do what you should always be doing to keep yourself safe. Because this isn’t over. It was always a possibility whether we were aware or not, and it will likely be a possibility for a long time to come.

You might also consider installing a preventative program like BillP’s WinPatrol on your system to make you aware of potential changes to your system. *See EDIT below for a note from BillP about WinPatrol and kernel hooks.

And as I noted earlier, the focus of this issue, at this time, is apparently Windows XP, but any operating system is vulnerable to this type of attack and always has been — and that is not likely going to change any time soon.

EDIT: Added the following comment from BillP who developed WinPatrol:

* Thanks! I’m honored by the mention.
It’s a great topic and mentioning WinPatrol is appropriate since I don’t use any kernel hooking to detect changes. Thumbs Up!

Bill

Advertisements

Apple, Microsoft, Adobe, Firefox, more

[tweetmeme source=”franscomputerservices” only_single=false]Finally getting back to this blog! Sheesh, time sure gets away from ya!

iPad

The iPad looks great! But…

Why couldn’t Apple have done a Mac OS X tablet! Mac OS X which really does just work but is still much more open than iPhone OS. I absolutely love my Mac, and I love my iPod Touch, but I wouldn’t want my iPod Touch’s iPhone OS on my Mac!

Apple’s new iPad coming soon and already introduced by Steve Jobs in the Keynote; but it is basically a tablet in the form of a larger iPod Touch. Including no Flash player still (but can you blame Apple for not including Flash – yes and no LOL!)? Also, apparently, including still only allowing single apps to run at a time?

Also playing games with eBooks and their customers and retailers, and basically saying that their fiddling will only mean that all eBooks will be the same price (albeit Apple’s higher pricing worked out by playing games with the publishers) — kinda a reversal of what they did with the music labels, by the way.

EDIT (added this paragraph): Speaking of single apps only at a time like the iPhone OS … I remember the Windows 7 Starter on netbooks which restricted users to 3 concurrent apps at a time and people were very upset about it. (Thanks to @Blair_42 for reminding me about it. We talked about this on the JimmyLee and Bambi Show Saturday night on CNIRadio, or JimmyLee and I talked about it before the show…will have to go back and listen to the show to be sure LOL!)

… all instead of a Mac OS X tablet that would be able to do so much more, and be more open than the TOTALLY closed environment of the iPhone OS.

Don’t get me wrong, I love my iPod Touch, but it is not the venue I would want for a tablet computer.

Microsoft

Security Garden reports;

Microsoft released thirteen security bulletins addressing twenty-six vulnerabilities. Windows is affected by eleven of the bulletins and older versions of Office by the remaining two bulletins. Of the bulletins, the following are rated as Critical: MS10-006, MS10-007, MS10-008, MS10-013, and MS10-015.

Much more in the Security Garden article.

But this is after next to nothing in January, mind you.

And Researchers warn of likely attacks against Windows, PowerPoint;

Hackers will jump on several of the bugs Microsoft patched today

And of course, there’s also The Windows 7 honeymoon is over as well.

Joy…Windows XP is long in the tooth, Vista is a total dud, and now the only contender for Windows is Windows 7. I personally love Windows 7, but it does have some oddities that are quite annoying.

Flash

Back to the part about no Flash on the iPad, as I say, who can blame Apple’s decision on Flash when you have things like Adobe screw-up leave Flash flaw unpatched for 16 months?

Firefox

Those that know me, know that I highly suggest that folks use Firefox due to the lack if Active-X and it’s related vulnerabilities, as well as the extension system which has been very helpful; NoScript, Adblock Plus, MyWOT, and so many more wonderful extensions.

But there is the recent concern about Firefox Add-ons Infected;

Perhaps you read the Mozilla blog at http://blog.mozilla.com/addons/2010/02/04/please-read-security-issue-on-amo/ where it was revealed that two add-ons for Firefox were infected with Trojans. In this case the distribution was very small, so not many users were infected, but this type of attack is likely to grow.

And then there is the outright annoyance of HTML 5 and NO H.264 support in Firefox 3.6

Just when HTML 5 is finally breaking ground…We have Firefox 3.6, which supports HTML 5, but which is also a step backward in compatibility with video sites?! Huh?!

What good is HTML 5 support in Firefox if they take away H.264 support?! I understand ADDING Ogg Theora support, but removing H.264 support?

I applaud YouTube, Vimeo, Blip.TV, etc. (hopefully Hulu too), for going to a more open standard like HTML 5 (instead of Flash) for their delivery method of their video content, but they are staying with the same H.264 codec for the videos themselves.

So, why would Firefox, at this particular juncture, remove the ability to play H.264 from Firefox so all their Firefox 3.6 users (even on a computer with the proper codecs installed) get greeted with this:

Firefox 3.6 and YouTube HTML 5 breakage

Or is Flash the ONLY way to get H.264 compatibility?! Which would really stink big time.

I predict, sadly that many will move from Firefox to other browsers as their main browser due to this major annoyance to browsers such as Google Chrome, or Safari who also support HTML 5 but also support H.264.

I am very disappointed about this. And the only way to get around this is what to stay with Firefox? Stay with Firefox 3.5.7? Brilliant move Mozilla. And this from a Firefox user who has been thrilled with Firefox all the way since before it was Firefox in the Beta days. *Sigh*

Me? I don’t know. For general surfing, Firefox with the security addons that I use and other addons that make life easier, I may stay with Firefox. But now I will have to look elsewhere for video rendering of H.264 on all the video sites?!

More…

Oh, and apparently there may be some malware that is currently corrupting DNS or redirecting results for any of the built-in or toolbar search engines in both Firefox and Internet Explorer.

I am not sure which combination appears to do it, but one client got hit by malware (and removed it with Malwarebytes Antimalware), and found that even after the malware was gone — and BTW the host file was clean — they would get misdirected to bogus sites if they used the built-in search engine for Google or use the Yahoo Toolbar in both Firefox or Internet Explorer. However, correct results would happen when going directly to the search engine website like google.com, ixquick.com or yahoo.com. Very interesting.

Buying a new computer? Here’s some great information from Bits from Bill Pytlovany (creator of WinPatrol — great program by the way!) and the article has nothing to do with buying or using WinPatrol. 😉

Here’s the lead in to his article over Bits from Bill blog:

Bits from Bill Pytlovany: Brand New Computer? Read Me First!

Did you think I was going to start out by telling you all to install WinPatrol as soon as you opened up your new computer? Guess again. I always try to write my articles from a different point of view and today may not be what you expect.

For the 2nd time I’ve had to return the Dell All-in-One Multi-Touch computer system that I’ve been dreaming about for months. The first unit had to go back because Dell shipped the wrong configuration. The 2nd system had to go back due to internal hardware failure. I should have known something was wrong when I could hear loose parts when I took the computer out of the box.

My point today is take a little time to insure your brand new computer is everything it should be or you may be sorry. Before you install your favorite software on your brand new system I have a few recommendations.

Great article.

The Bits from Bill blog also has some great posts. One in particular is Who Gets Your Personal Information on Facebook?

Well that’s enough for today, I think…

EDIT: Added inline edit about concurrent apps

Firefox 3.6 released

[tweetmeme source=”franscomputerservices” only_single=false]On January 21, 2010, Firefox 3.6 was released.

Full release notes and what’s new in Firefox 3.6 here.

Firefox now has what is called Personas. Some folks may enjoy them. I am not all that thrilled with that but maybe that’s because I don’t generally use alternate themes which is very similar.

Notable Firefox 3.6 features include:

  • Available in more than 70 languages – get your local version.
  • Support for a new type of theme called Personas, which allow users to change Firefox’s appearance with a single click.
  • Protection from out-of-date plugins to keep users safer as they browse.
  • Open, native video can now be displayed full screen and supports poster frames.
  • Improved JavaScript performance, overall browser responsiveness, and startup time.
  • The ability for web developers to indicate that scripts should run asynchronously to speed up page load times.
  • Continued support for downloadable web fonts using the new WOFF font format.
  • Support for new CSS attributes such as gradients, background sizing, and pointer events.
  • Support for new DOM and HTML5 specifications including the Drag & Drop API and the File API, which allow for more interactive web pages.
  • Changes to how third-party software can integrate with Firefox in order to prevent crashes.

Personally, I think that the biggest news is the HTML5 support.

Although there will be some growing pains, it will be very welcome news when the dust settles as it does with all major changes to HTML.

One of the lofty aims of HTML5 specifications is:

HTML5 aims to reduce the need for proprietary plug-in-based rich Internet application (RIA) technologies such as Adobe Flash, Microsoft Silverlight, and Sun JavaFX.

Although these technologies are free for users to view Flash content, etc., the cost to companies to make use of them can be very expensive indeed. If you have ever noted how expensive the Adobe Suite(s) are then you may already know what I mean.

Technologies like Flash, Silverlight and Java can be considered a combination of a container and delivery mechanism for presenting various types of file such as video and audio, etc. in a browser environment.

The video and audio codecs themselves used to present these files can vary. You can see audio files in mp3, m4a, wma, ogg, etc. audio formats, or video files in H.264, Windows Media, Ogg Theora, etc., video formats.

Patch arrives for IE hole targeted by Chinese – WindowsSecrets.com

[tweetmeme source=”franscomputerservices” only_single=false]Patch arrives for IE hole targeted by Chinese (WindowsSecrets.com newsletter comp link)

As of this writing, Microsoft is scheduled to release on Jan. 21 an update that fixes the Internet Explorer vulnerability behind the recent, highly publicized cyberattacks on Google and other major corporations.

Be sure to get your IE (Internet Explorer) update through Windows Updates.

If you have, or are using an older version (IE6 or IE7) of Internet Explorer — whether you use Internet Explorer as your default browser or not, make sure to get IE8 (Internet Explorer 8 ) from Microsoft’s website here. The Internet Explorer browser engine is used by many programs and by Windows, so it is very important to keep it updated.

Adrian Kingsley at ZDNet also has an article about the need to update your Internet Explorer browser to the latest version and answers the question whether to dump IE and to make sure you get other updates (Flash, etc.) that are equally important here.

I personally keep all my browsers updated to the latest version and all my Internet facing supporting programs like Flash, Java, Quicktime, etc. Even so, I generally use Mozilla Firefox as my default browser. I like the Extensions for Firefox that help make it more useful and secure.