exploitable RWX addresses: a new exploitable weakness

There is a new exploit http://www.ghacks.net/2015/12/10/check-whether-your-antivirus-is-vulnerable-to-explotable-rwx-addresses/

Tested on a real machine with the latest Comodo version and it is vulnerable. I know that we have a good sandbox (if you put this executable in untrust it can’t be executed), but maybe it is better to patch up the software.

What do you think, guys?

Tested it and it is not vulnerable!

That was with the newest Firefox 42.0 browser.

With Chrome it was vulnerable!

Security suites often fail leak tests or vulnerability tests as well.

  1. Would it be a “directed leak test”?
  2. Why, when security suites are installed, does the “leak test” show failures?
  3. Why, without any protection (except UAC), does the “leak test” fail?
  4. Would we be better protected with only Windows installed?
  5. Why, in real threat situations, does Windows fail?

CIS is not vulnerable in a direct manner if that answers your question. :slight_smile:

What OS are you using?

Thank you.

I have looked at what it does with the HIPS. It tries to access executables in memory. Unknown programs are not allowed to do this with default settings of CIS.

Which is great, since Comodo can protect itself from zero-day attacks. But if you read the original article (linked from the link I’ve posted), other products fixed this problem (try it with Windows Defender on Win 10 or 8.1 with no other security products installed on the system).

And no: other applications could be attacked, not only web browsers (they did web browsers because they are simpler to check).

So, will it be possible for Comodo to fix this bug, or are there some problems with fixing it?

Original link: http://breakingmalware.com/vulnerabilities/sedating-watchdog-abusing-security-products-bypass-mitigations/
The checker on GitHub: BreakingMalware/AVulnerabilityChecker (tool to check if your computer is likely to be vulnerable to exploitable constant Read-Write-Execute (RWX) addresses, an AV vulnerability; source code written in Python)
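To make the weakness the thread is discussing concrete, here is an added example (not the BreakingMalware checker's code, which inspects Windows process memory) that parses Linux-style /proc/<pid>/maps text, lists the RWX mappings, and flags any mapping that sits at the same address in more than one process; that "same RWX address everywhere" condition is what a checker of this kind looks for. The maps lines, PIDs and the /opt/avhook/hook.so path are constructed for the example.

```python
import re
from collections import defaultdict

# Line layout of /proc/<pid>/maps: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)

# Constructed sample: two unrelated processes that both carry the same
# hypothetical hook library mapped rwx at an identical address, plus a
# JIT heap that is rwx but lands at a different address in each process.
SAMPLE_MAPS = {
    1001: (
        "55d1c8c00000-55d1c8c21000 r-xp 00000000 08:01 1234 /usr/bin/browser\n"
        "7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0 [heap]\n"
        "7f3a20000000-7f3a20010000 rwxp 00000000 00:00 0 [anon:jit]\n"
        "7ffff7a00000-7ffff7a10000 rwxp 00000000 08:01 5678 /opt/avhook/hook.so\n"
    ),
    1002: (
        "5641aa000000-5641aa030000 r-xp 00000000 08:01 4321 /usr/bin/mailer\n"
        "7f9b30000000-7f9b30010000 rwxp 00000000 00:00 0 [anon:jit]\n"
        "7ffff7a00000-7ffff7a10000 rwxp 00000000 08:01 5678 /opt/avhook/hook.so\n"
    ),
}


def rwx_regions(maps_text):
    """Return (start, end, path) for every mapping that is r, w and x at once."""
    found = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m and m.group("perms")[:3] == "rwx":
            found.append((int(m.group("start"), 16),
                          int(m.group("end"), 16),
                          m.group("path").strip()))
    return found


def constant_rwx(process_maps):
    """process_maps: {pid: maps_text}. Return {(start, path): [pids]} for RWX
    mappings whose start address repeats across processes, i.e. regions that
    ASLR did not move; a per-process JIT heap at differing addresses is ignored."""
    seen = defaultdict(set)
    for pid, text in process_maps.items():
        for start, _end, path in rwx_regions(text):
            seen[(start, path)].add(pid)
    return {key: sorted(pids) for key, pids in seen.items() if len(pids) > 1}


if __name__ == "__main__":
    for (start, path), pids in constant_rwx(SAMPLE_MAPS).items():
        print(f"constant RWX at {start:#x} ({path}) in pids {pids}")
```

Run against real data by reading each /proc/<pid>/maps into the dictionary; a hit means that region would need to be re-randomised or made non-executable.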

merlin86, are you considering virtualization in your scenario?

I ran it and it would not survive being virtualised. I must admit I am running a test version so not the latest stable version.

I would like you to report under what conditions there is a vulnerability. We first need to establish if and how CIS would get bypassed. You have not provided us compelling evidence. Preliminary testing in this topic shows it’s not vulnerable. Please provide us with the necessary information.