by xorcist 3831 days ago
It seems like whenever someone checks antivirus software for exploits (Black Hat in 2008, Google Project Zero 2015), they find them in droves.

Which isn't surprising, since most of the big vendors have very old code bases on which are piled many new parsers every year for documents, archives, whatever can contain code these days. The .doc parser in your antivirus isn't better than, say, the one in Libreoffice.

You should assume that your antivirus scanner is trivially exploitable. When you need to scan incoming files sandbox that scan as tight as you can.

I had a recent conversation with a McAfee engineer regarding the use of MD5 in the whitelisting system. If it has "seen" an executable before, it assumes it is clean and doesn't scan it, based on a hash.

He absolutely promised me that:

    * No stronger hash exists
    * MD5 collisions are literally impossible

I pointed him to a paper his own research department released, referring to the Flame malware utilising an MD5 collision, and he informed me he had previously looked at it, and it was a "typo" that he would get fixed.

This is a senior developer responsible for many of the design decisions in the product. It's frightening.
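The failure mode described in the comment above, shown as an added example (this is not McAfee's code, and the `ScanCache` class is a hypothetical model of a "seen before, skip the scan" cache): two files that differ in six bytes but share an MD5 digest are the public Wang et al. 2004 collision test vectors. Once the first file has been approved, an MD5-keyed cache treats the second as already scanned; keying the same cache on SHA-256 removes that shortcut.

```python
import hashlib

# Public MD5 collision pair (Wang et al., 2004): two 128-byte messages that
# differ in six bytes yet produce the same MD5 digest. Not constructed here;
# these are the widely reproduced test vectors.
COLLIDING_MSG_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLIDING_MSG_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


class ScanCache:
    """Hypothetical scan-skip cache: a file whose digest was approved once is
    treated as clean on every later sighting. The only thing standing between
    'approved file' and 'different file with the same digest' is the hash."""

    def __init__(self, algorithm: str) -> None:
        self.algorithm = algorithm          # e.g. "md5" or "sha256"
        self._known_clean: set[str] = set()

    def fingerprint(self, data: bytes) -> str:
        return hashlib.new(self.algorithm, data).hexdigest()

    def mark_clean(self, data: bytes) -> None:
        """Record that a full scan found this content clean."""
        self._known_clean.add(self.fingerprint(data))

    def needs_scan(self, data: bytes) -> bool:
        """True if the content's digest has not been approved before."""
        return self.fingerprint(data) not in self._known_clean


def digests_collide(algorithm: str) -> bool:
    """Do the two distinct messages share a digest under this algorithm?"""
    cache = ScanCache(algorithm)
    return cache.fingerprint(COLLIDING_MSG_A) == cache.fingerprint(COLLIDING_MSG_B)


def second_file_gets_scanned(algorithm: str) -> bool:
    """Approve message A, then ask whether message B must still be scanned."""
    cache = ScanCache(algorithm)
    cache.mark_clean(COLLIDING_MSG_A)
    return cache.needs_scan(COLLIDING_MSG_B)


if __name__ == "__main__":
    assert COLLIDING_MSG_A != COLLIDING_MSG_B
    for algo in ("md5", "sha256"):
        print(f"{algo:7s} collide={digests_collide(algo)!s:5s} "
              f"second file scanned={second_file_gets_scanned(algo)}")
```

The design lesson is the one the commenter is making: a "skip if seen" cache turns the hash into a security control, so it needs a collision-resistant function (SHA-256 here), not just a fast one. A digest-keyed cache is also only a shortcut for content already judged clean; it should never be the sole reason a new file is not scanned.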

This is I think exactly correct.

It's always funny to see people suggest that security companies should somehow be better at secure code than other companies, as if narrowing the set intersection of possible programmers from "capable programmers" to "capable programmers who can quickly write lots of different file format parsers" somehow makes it easier to find "programmers with an intuitive knack for secure programming".

No. The more specialized your application domain, the harder it usually gets to source programmers who are also incredibly diligent.

Security companies as a general rule have poorer code quality than other companies.

That's one way to see it. I usually don't think about security in terms of individual programmers' capabilities but more what the company behind them wants to accomplish. Security should be a process. Compare the code coming out of Microsoft in 2000 with 2010 -- still not great perhaps, but what a difference a change in objective can make.

Antivirus programmers are paid to add new parsers. Not to assess the security implications of the software. The result is predictable. Sourcing competent programmers would make zero difference as long as they have no incentives to change their process.