ePost

Secunia, Luka Milkovic and SAS


The security expert, Luka Milkovic, has reported some vulnerabilities in SUPERAntiSpyware. Now Secunia PSI reports SAS as insecure. Secunia PSI claims that an update is available at your homepage. But there is no update there. I run 4.34.1000. What's going on and what should I do?


I think it's a mistake on both SAS and Secunia's behalf. It's reporting that 4.34.0.1000 is insecure. No such version of SAS exists. However, the number 4.34.0.1000 is mentioned in the GUI on SUPERAntiSpyware Control Center's Help page. Also the SAS .exe file in the programme folder shows 4.34.0.1000. So this is some sort of a false positive in Secunia PSI caused by an inconsistency in SAS's numbers. The number should be 4.34.1000, I believe. I found some of this mentioned in Secunia's forum....


Luka contacted our company and has, what I believe, attempted to extort us over these "issues" - no one has EVER used any of these items to exploit ANYTHING in the real-world.

We altered our kernel drivers so that his test code would no longer have issues, and he simply re-reverse engineered the drivers to make his test "work" again - I have the original code and can provide that if necessary to show this fact.

NONE of the functions as described above can be accessed by "any" program unless the program is authenticated with our driver - Luka indicated he would NOT post the authentication scheme which he ripped from our program - without that, no other application can access our drivers - as we did not play into the potential extortion Luka has included that code for malware authors to exploit. As such, we are altering the authentication scheme as we do often to prevent potential exploits and hacking. As such, any piece of code, including that of the Windows Kernel has and will always be reverse engineered in time.

Luka's results essentially are like saying "I put sand in the pistons of a motor and now it crashed/stopped running" - there is always a way to force ANY driver to crash from kernel mode - NONE of the items documented by Luka are real-world, and none have been exploited in over 5 years of the drivers being downloaded over 30 million times.

It's unfortunate that a single user such as Luka, who likely has another agenda, is allowed to post code and hide behind the walls of the Internet - all Luka is doing is helping malware authors.


My name is Luka Milkovic and yes, I reported certain vulnerabilities in SUPERAntiSpyware and Super Ad Blocker.

I'd first like to say that I have no interest in badmouthing SUPERAntiSpyware or Super Ad Blocker, I do not have a secret agenda, and wasn't specifically aiming at SAS during my vulnerability research.


My name is Luka Milkovic and yes, I reported certain vulnerabilities in SUPERAntiSpyware and Super Ad Blocker.

I'd first like to say that I have no interest in badmouthing SUPERAntiSpyware or Super Ad Blocker, I do not have a secret agenda, and wasn't specifically aiming at SAS during my vulnerability research.

Luka - all you did is HELP MALWARE AUTHORS - I removed the rest of your post as you are further helping malware authors. You claimed you would not post the authentication method, and when I refused to give into your potential extortion, you posted it public with full code.

We are altering the drivers so this can't happen and I hope as a "supposed security expert" - you will not reverse engineer the next phase and post that to further help malware authors.

You illegally posted portions of our code and reverse engineered our software - as a "security expert" you should know that posting code public to help malware authors only HURTS the 30 million users of our product.

None of the items you posted can even be accessed without authentication - so they are NOT RELEVANT to anything - it's a private driver with private access.

The bottom line here is that you are HELPING MALWARE AUTHORS. If you are going to proclaim to be a security expert, then act like a professional - what you have done is the equivalent of giving away the bank safe combination and then claiming anyone can steal the money - you are NOT acting like a security professional.


I see you shortened my post and removed the most relevant parts. I'm sure you'll do it again, since it's your forum, your domain and you can do whatever you want. So much for being "professional"...

Luka - all you did is HELP MALWARE AUTHORS - I removed the rest of your post as you are further helping malware authors. You claimed you would not post the authentication method, and when I refused to give into your potential extortion, you posted it public with full code.

You're welcome to provide evidence where I was extorting you. I'm not going to repeat myself, since you removed most of my post, and you're probably going to do that again. I was not extorting you, I was not requesting details of your code. A certain procedure exists in the security community, and I followed it very closely. You however failed to do that...

We are altering the drivers so this can't happen and I hope as a "supposed security expert" - you will not reverse engineer the next phase and post that to further help malware authors.

I hope you, as a "supposed security application vendor", will make a secure and decent program this time.

You illegally posted portions of our code and reverse engineered our software - as a "security expert" you should know that posting code public to help malware authors only HURTS the 30 million users of our product.

If you had provided status updates and your mitigation plan, malware authors would only have information about OLD vulnerabilities which do not work on the new version. As a "security application vendor" you should know that cooperating with the security community is going to benefit you more than it's going to hurt you.

None of the items you posted can even be accessed without authentication - so they are NOT RELEVANT to anything - it's a private driver with private access.

Nick, you're mentioning your "authentication scheme" over and over again. I'll emphasize again that there are MANY applications (security related or not) without ANY "authentication scheme" which are VERY secure. Some of them have functionality which is VERY similar to that of SAS, they don't use an "authentication scheme" AT ALL and they are still very tight, very secure and very hard to exploit.

The bottom line here is that you are HELPING MALWARE AUTHORS. If you are going to proclaim to be a security expert, then act like a professional - what you have done is the equivalent of giving away the bank safe combination and then claiming anyone can steal the money - you are NOT acting like a security professional.

You're basically saying that none of the authors that post regularly to Bugtraq and (more or less) to Full-disclosure are acting like security professionals...

If you're pretending to be a security application vendor, then act like one - I never had any problems during vulnerability reports; this is the first time I had difficulties and problems while reporting a vulnerability. If you're a security application vendor, then be responsible and fix your product.

Have fun fixing your program and editing my post.


Nick, you're mentioning your "authentication scheme" over and over again. I'll emphasize again that there are MANY applications (security related or not) without ANY "authentication scheme" which are VERY secure. Some of them have functionality which is VERY similar to that of SAS, they don't use an "authentication scheme" AT ALL and they are still very tight, very secure and very hard to exploit.

You are right, I am mentioning it as it's the KEY FACT here - most vendors don't bother to protect their drivers from being accessed by any program. We did protect our drivers so other products can't access them unless someone, such as a malware author (or "security professional" as you refer to yourself), reverse engineers the code and then posts it to help other malware authors and hurt end users. NONE of your "potential issues" can even be accessed, nor exploited, without an application being authenticated - in basic terms for our end users - that means without the key, no one can enter the house. Surely you would be intelligent enough to understand this fact "Luka" - all functions in our driver are not accessible without authentication - PERIOD. You keep skipping that fact.

Our drivers will be altered yet again. All you have done is waste our valuable time where we could be fighting malware, but now we have to waste valuable resources changing our drivers because you illegally reverse engineered our code and posted it public. With all the crime, economic tough times and hurt in the world, it would seem that your time would be better spent HELPING instead of causing havoc and damage and furthering the success of malware authors.

Remember Luka - I have the e-mail where you clearly said you will NOT publish the authentication scheme to the driver, and thus none of the issues are actually issues - if you were truly interested in just helping in security, you would not have published that code - you were upset that we didn't bow to your demands and thus published the code.

Once we change the authentication scheme yet again, I ask, if you are truly interested in helping users and not harming them, that you do not publish the new techniques - why don't you turn your talents to helping others instead of harming?


You are right, I am mentioning it as it's the KEY FACT here - most vendors don't bother to protect their drivers from being accessed by any program. We did protect our drivers so other products can't access them unless someone, such as a malware author (or "security professional" as you refer to yourself), reverse engineers the code and then posts it to help other malware authors and hurt end users. NONE of your "potential issues" can even be accessed, nor exploited, without an application being authenticated - in basic terms for our end users - that means without the key, no one can enter the house. Surely you would be intelligent enough to understand this fact "Luka" - all functions in our driver are not accessible without authentication - PERIOD. You keep skipping that fact.

I'm very sad but somewhat not surprised to hear that you as a "supposed security vendor" are not familiar with the term defense (or security) in depth. This is one of the basic security principles when building secure systems. In a nutshell, the security of a certain system must not be dependent on a single component whose failure would cause compromise of the system. Instead, security must be built in from the start and in each and every component.

That's exactly what you failed to provide.

You're entirely wrong when you say "most vendors don't bother to protect their drivers from being accessed by any program" - that's simply not true, at least for the drivers I mentioned in my previous post. Some security applications (I won't name them) have no authentication scheme, yet they are very secure, and their functionality is very similar to that of SAS. How is that possible? Because they use entirely different architecture/design and methods of reporting to user mode regarding critical functions, and don't have simple programming mistakes that your drivers do have.

And Nick (I won't put it into quotation marks), you're actually wrong about the entire "all functions in our driver are not accessible without authentication - PERIOD" part. I'm sure you'll delete this part, but you'll read it anyway, so it's worth writing - what if someone injects a new thread into the SAS process? The thread (i.e. code) would run in the SAS context, thus being registered with the driver, and could exploit all vulnerabilities I discovered. SAS does not prevent thread injection, at least not in the free edition. Your "authentication scheme" is useless here, since that thread would come from an already registered process. Think about that, I think I gave you valuable advice.

Our drivers will be altered yet again. All you have done is waste our valuable time where we could be fighting malware, but now we have to waste valuable resources changing our drivers because you illegally reverse engineered our code and posted it public. With all the crime, economic tough times and hurt in the world, it would seem that your time would be better spent HELPING instead of causing havoc and damage and furthering the success of malware authors.

I think I helped your customers more than you think. Since your "fixes" between versions were inadequate, and since you rejected my help, publication of my advisory is probably going to persuade you to fix your program correctly this time. I think the time was well spent.

Remember Luka - I have the e-mail where you clearly said you will NOT publish the authentication scheme to the driver, and thus none of the issues are actually issues - if you were truly interested in just helping in security, you would not have published that code - you were upset that we didn't bow to your demands and thus published the code.

Please, post here my e-mail where I "clearly said I will NOT publish the authentication scheme to the driver". I'm certain you won't be able to post it, since I never said that. I said that:

I somehow believe that informing the public about these vulnerabilities is a greater good. HOWEVER, I'm not going to release this advisory until we agree about the release date, release type (full disclosure, short summary), etc. As I mentioned previously, specific dates are a matter of our mutual agreement, be it a month or more.

Since you failed to reply to my e-mail and were considering me a nuisance and extortioner, I changed my mind and published the advisory. I believe I had every right to do so, since you failed to follow the procedure specified by the policy.

Once we change the authentication scheme yet again, I ask, if you are truly interested in helping users and not harming them, that you do not publish the new techniques - why don't you turn your talents to helping others instead of harming?

It would be great if you actually cared for your customers instead of caring only for your company - you never mentioned customers in your replies, and I believe they are the most affected ones, not your company.
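The defense-in-depth point argued in the post above (a caller-authentication gate must not be the only check standing between user mode and a privileged driver operation) can be shown with a small model of an IOCTL dispatch path. The following is an added example written for this page, not code from SUPERAntiSpyware or from the poster: a user-mode simulation in which every IOCTL code, buffer layout, status value and the "trusted process" registration are hypothetical. The dispatcher keeps the authentication gate as a first layer, but each handler independently validates buffer lengths, copies caller memory once before using it, requires strings to be terminated inside their bounds, and rejects unknown flag bits, so a malformed request from an already-authenticated caller is refused rather than trusted.

```c
/* Hypothetical model of a kernel driver's IOCTL dispatch, built in user mode
 * so it compiles anywhere. Codes, structs and status values are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum status { ST_OK = 0, ST_ACCESS_DENIED, ST_INVALID_PARAMETER, ST_BUFFER_TOO_SMALL };

/* Hypothetical control codes; real drivers define these with CTL_CODE(). */
enum ioctl_code { IOCTL_GET_VERSION = 0x2201, IOCTL_SET_SCAN_PATH = 0x2202 };

/* What the dispatcher sees for one request: caller identity plus raw buffers. */
struct request {
    uint32_t    caller_pid;
    uint32_t    code;
    const void *in;   size_t in_len;
    void       *out;  size_t out_len;
};

/* Expected input layout for IOCTL_SET_SCAN_PATH (constructed). */
struct set_path_in {
    uint32_t flags;      /* only bit 0 is defined in this model */
    char     path[64];   /* must be NUL-terminated within the array */
};

static uint32_t g_authenticated_pid = 0;   /* layer 1: the one process the driver "trusts" */
static char     g_scan_path[64];           /* state the privileged operation modifies */

void register_trusted_process(uint32_t pid) { g_authenticated_pid = pid; }
const char *current_scan_path(void)        { return g_scan_path; }

static bool caller_authenticated(const struct request *r) {
    return g_authenticated_pid != 0 && r->caller_pid == g_authenticated_pid;
}

/* Layer 2 for a read-only request: never write past the caller's output buffer. */
static enum status handle_get_version(struct request *r) {
    if (r->out == NULL || r->out_len < sizeof(uint32_t))
        return ST_BUFFER_TOO_SMALL;
    uint32_t version = 0x04340000u;        /* constructed value */
    memcpy(r->out, &version, sizeof version);
    return ST_OK;
}

/* Layer 2 for a state-changing request: exact length, single copy, bounded string. */
static enum status handle_set_scan_path(struct request *r) {
    if (r->in == NULL || r->in_len != sizeof(struct set_path_in))
        return ST_INVALID_PARAMETER;        /* truncated or oversized input */
    struct set_path_in req;
    memcpy(&req, r->in, sizeof req);        /* copy once; caller memory may change under us */
    if (memchr(req.path, '\0', sizeof req.path) == NULL)
        return ST_INVALID_PARAMETER;        /* no terminator inside the bounds */
    if (req.flags & ~0x1u)
        return ST_INVALID_PARAMETER;        /* undefined flag bits */
    memcpy(g_scan_path, req.path, sizeof g_scan_path);
    return ST_OK;
}

/* Entry point: authentication first, then per-request validation regardless of who calls. */
enum status dispatch(struct request *r) {
    if (!caller_authenticated(r))
        return ST_ACCESS_DENIED;
    switch (r->code) {
    case IOCTL_GET_VERSION:   return handle_get_version(r);
    case IOCTL_SET_SCAN_PATH: return handle_set_scan_path(r);
    default:                  return ST_INVALID_PARAMETER;   /* unknown code, even from a trusted caller */
    }
}
```

In the model, a request from the registered process with a short buffer or an unterminated string is rejected by the handler itself; the authentication gate is one layer, not the boundary the whole driver rests on.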


I'm very sad but somewhat not surprised to hear that you as a "supposed security vendor" are not familiar with the term defense (or security) in depth. This is one of the basic security principles when building secure systems. In a nutshell, the security of a certain system must not be dependent on a single component whose failure would cause compromise of the system. Instead, security must be built in from the start and in each and every component.

That's exactly what you failed to provide.

You're entirely wrong when you say "most vendors don't bother to protect their drivers from being accessed by any program" - that's simply not true, at least for the drivers I mentioned in my previous post. Some security applications (I won't name them) have no authentication scheme, yet they are very secure, and their functionality is very similar to that of SAS. How is that possible? Because they use entirely different architecture/design and methods of reporting to user mode regarding critical functions, and don't have simple programming mistakes that your drivers do have.

And Nick (I won't put it into quotation marks), you're actually wrong about the entire "all functions in our driver are not accessible without authentication - PERIOD" part. I'm sure you'll delete this part, but you'll read it anyway, so it's worth writing - what if someone injects a new thread into the SAS process? The thread (i.e. code) would run in the SAS context, thus being registered with the driver, and could exploit all vulnerabilities I discovered. SAS does not prevent thread injection, at least not in the free edition. Your "authentication scheme" is useless here, since that thread would come from an already registered process. Think about that, I think I gave you valuable advice.

I think I helped your customers more than you think. Since your "fixes" between versions were inadequate, and since you rejected my help, publication of my advisory is probably going to persuade you to fix your program correctly this time. I think the time was well spent.

Please, post here my e-mail where I "clearly said I will NOT publish the authentication scheme to the driver". I'm certain you won't be able to post it, since I never said that. I said that:

Since you failed to reply to my e-mail and were considering me a nuisance and extortioner, I changed my mind and published the advisory. I believe I had every right to do so, since you failed to follow the procedure specified by the policy.

It would be great if you actually cared for your customers instead of caring only for your company - you never mentioned customers in your replies, and I believe they are the most affected ones, not your company.

Posting the advisory did NOTHING to help anyone, except for yourself, that's it, period. You use terms such as "Denial of Service" and all the buzz words to get attention. Did you know that SUPERAntiSpyware has backup technology to fall back on even if the drivers don't exist? Probably not.

Again, WHAT IF, WHAT IF, WHAT IF - you are so desperate. ANY SYSTEM can be broken, ANYTHING can be hacked - NOTHING is EVER 100% "secure". That's the reality. You can create a driver with an INT 3 in it, or other code, and blue screen a system in 2 seconds, WHAT IF, WHAT IF. Yes, there is ALWAYS a "WHAT IF" - ANY system can be made to do something it was not designed to if you "WHAT IF" it to death. As developers, especially in the security industry, we have to deal with "WHAT IS" because if we spent all our time "WHAT IF"ing we would never be able to release a product that helps 30 million users for FREE. We deal with real-world infections and have for the past 6 years - no infection that is widespread has exploited anything in our product, or most other products - that's the REAL WORLD. I know you don't understand that - why don't you develop a product that helps users? Do you need a job? Ask us instead of simply wasting the world's time. You have skills - so put them to positive use!

Luka, I feel for you, you are so desperate for recognition you have to waste people's time by tearing apart systems and trying to break them and causing problems where there are no problems. When you contacted us, I wrote you back and indicated we were looking at your report - we contacted you back and we released updated drivers - that wasn't good enough for you for whatever reason.

As for our customers, we work day and night providing a 100% free product that actually scans and removes malware, and we have advanced our technology many times to deal with the latest threats - now we have a new "infection" to deal with - entitled "Trojan.Luka" - this one wastes time and redirects our developer resources from fighting malware to re-coding drivers.

All you have done here is waste the time of our developers, just to try so desperately to get your 15 minutes of "fame". Why not HELP the situation instead of helping MALWARE AUTHORS?

I hope once we release our new driver with new authentication you will not post that code - you have wasted enough time. You have your spotlight now, pat yourself on the back and move on - if you need a job, contact us, you have skills, maybe we can put you to some good use vs wasting time.

FYI : I am locking this thread in an effort to have Luka stop wasting our time.
