I'm not a security expert. So I would like Agnitum to release that
kernel hook unhooking proof of concept and let non-Agnitum
users test their products against it.
It could be a useful utility to disable kernel rootkits too.

As a rule of thumb, security is a tradeoff
between user-friendliness, speed and research.
There is no everlasting, unchanging, bulletproof security.
Security-enforcing layers need to satisfy only one requisite:
they have to make it difficult to compromise a system.
The difficulty could be research-wise or CPU-wise (i.e. resource-wise),
so security layers are usually tailored to the target audience's
common threats (i.e. threats pertaining to a resource-level range).
Ciphering key length is chosen, for example, in a similar fashion:
if it is needed to secure x$ worth of info, usually a k*x$ worth
resource-level key length is chosen.
There would be no need for such things as explicit backdoors
whereas faulty code or alike would have the same effects.
It would not be impossible for an average user to get infected
by a kernel rootkit, so this would be something to be protected
from.
Kernel hooks have far more control of the system than usermode
hooks, so I would share matousec's view about avoiding usermode
hooks in non-Vista environments.
EDIT: I finally found the
Agnitum paper about kernel vs user hooks.
Their statement about usermode hooks granting realtime
interprocess communication monitoring is an interesting one.
This would be a good addition to kernel hooks
(in non-Vista x32 environments).
Agnitum has no Vista-ready solution ATM.
Regarding Matousec's disclosure policy, I was not able to find a full
disclosure statement on their site to comment on, but I think
we should consider three points:
1. Matousec didn't disclose all security vulnerabilities affecting Outpost.
2. Matousec didn't wait for Agnitum to fix the vulnerability they intended to freely disclose.
3. Matousec charges money to disclose most of the vulnerabilities they found.
1. It is a good policy: users are warned about potential vulnerabilities,
no details were given overall, but Agnitum was warned they had to
check their code.
2. This is questionable. They grant 30 days to fix the vulnerabilities only
if the vendor buys matousec's analysis.
Public disclosure of vulnerability details regarding Outpost kernel hooks,
without letting unpaying vendors one month to fix it, is harsh.
If they wanted to make details publicly available they had to give
the details to Agnitum and wait a reasonable amount of time.
3. Nothing against charging money for a private disclosure of a security analysis.
Vendors take precedence and that is good. But not all parties should be able
to have such analysis, paying or not; there should be a selection to prevent
malicious use of these vulnerabilities.
A public disclosure should grant full details to vendors and a reasonable amount
of time to fix it. In these cases a compensation could be requested too but
should not be mandatory. If the vendor refuses, it can make no excuse about
a blackmail attempt, but Matousec has the right to make clear they received
no compensation for it.
A vulnerability exists with or without Matousec, but making such information public
without some limitation is not a responsible action because it exposes those
vulnerabilities to a wider number of malicious parties.
But we cannot assume that matousec was the only party able to find such
vulnerabilities...
