Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Linux
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Begs a question: AV in Linux (correction)

from [Alan McKinnon] Network Security [Permanent Link]
Subject: Re: Begs a question: AV in Linux (correction)
Date: Wed, 8 Feb 2006 01:21:10 +0200 
On Monday, 6 February 2006 21:00, Eric Rostetter wrote:

Quoting blahblah@hotmail.com:

Although, you may want to run AV in linux for various reasons,
some misleading points were made:


Yes.


"If you run wine, zen, mach, vmware, or anything that runs or can
run windows (or another vulnerable OS), than you should run AV in
at least the virtual machine, and preferably in both linux and
virtual machine."

Is a little misleading:


As is your answer...


wine - Just because a windows exploit exists in windows, does not
mean it exists in wine. For example - if windows has a buffer
exploit somewhere in its dlls, that does not mean it will exist
in wine (and vice-versa). This is because the wine team is
re-implementing the windows API without looking at the windows
code, and the implementations will differ.


And as we just saw with the last big windows exploits, it _did_
exist in wine as well as windows.  So the fact is, wine will be
vulnerable to some of, but not all of, the same things as windows.


No that's not true. Perhaps you don't understand the nature of that 
specific problem. The WMF exploit took advantage of a broken 
algorithm. Wine reverse engineered the algorithm and thus it displays 
the same broken behaviour as the Microsoft original.

it is not possible to make general predictions about what will happen 
under an emulator, as it depends on the nature of the exploit, what 
the exploiting code is doing and how the underlying mechanism is 
implemented *for that architecture*.

Instead of wondering if wine is safe, which is a stupid question like 
"are cars safe?", we should rather look at specific exploits on their 
own merits and not try to lump problems into arbitrary groups and 
pretend that a specific case must apply to the general case


zen, mach, vmware - just because the "can" run windows does not
mean they "will" be running windows. If they aren't, don't
bother.


As I pointed out, this isn't a windows problem.  Viruses exists for
windows, Mac OS, windows products that run on other OS versions,
etc. So if you run any OS on there, or any product on there, that
is known to be virus friendly, then run an AV...


True. Just because one isn't aware of a current exploit for say any 
arbitrary *nix doesn't mean there will never be one. So AV is usually 
a good idea. But as always, the degree of defense has to be 
appropriate for the machine/data in question and the degree of 
threat.

Again, there's no one solution that fits all


"If you run openoffice, you are open to macro viruses and all the
same things that hit MS Office apps, and you should run an AV if
you don't want to be a hit by them, or spread them to others."

Not correct in the least - openoffice can't run word macros
(although you can chose to preserve them). Even if that
capability exists at some point, this statement is still flat
wrong - because the open office team would be re-implementing the
code, and the vulnerabilities in the windows implementation would
in all probability not exist in the open office implementation
(see the wine argument). Most likely they would just have
different vulnerabilities ;)


Can you prove this?  I don't believe it is true.  The one advantage
of OpenOffice is that it will not automatically run any macros like
MS Office did.  So you have to manually run the macro to get
infected.  But since most novice users will run anything sent to
them, this is only of limited value for a large number of novice
users.


Are we all missing the point about Office macros? They are *VBA* code, 
and require a VB runtime to execute. The fact that MS enabled them to 
run by default in some installations is completely irrelevant. The 
only thing that is important is what will happen when {user/OS} 
causes the code to run. No VB runtime = nothing will execute = no 
possible harm can be done (at least not in the universe I live in)

OpenOffice.org never runs VBA code. It does not have a VB runtime or 
anything approximating it. What it does have is StarBasic, an 
altogether different beast.


I know OpenOffice exluded some features of MS Office macros due to
security, but I don't think you can say they completely eliminated
macro virus usage in OpenOffice.


"True. But you can help spread them."
Bingo!
And that's why ClamAV was made!

Stu


-- 
Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Re: Begs a question: AV in Linux (correction), Eric Rostetter
Next by Date:  Kryptor Whitepaper released, angelo
Previous by Thread:  Re: Re: Begs a question: AV in Linux (correction), Eric Rostetter
Next by Thread:  Kryptor Whitepaper released, angelo
Indexes:  [Date] [Thread] [Top] [All Lists]