[dba-Tech] AV product breaches

MartyConnelly martyconnelly at shaw.ca
Sun Feb 27 12:13:12 CST 2005


You can also approach this through hardware; I believe some IBM 
mainframes have had this for years.
On desktop CPUs this method has several names: Microsoft has several 
names, and so do Intel and AMD.
This has to be checked before implementation in production environments.

See the Execute Disable bit; Win XP SP2 enables it on 32-bit machines.
http://www.intel.com/business/bss/infrastructure/security/flash.htm

One solution is to use Win XP SP2 and brand new Intel or AMD 32-bit 
chips with the Execute Disable bit set.
Right now it is only available in Intel Itanium servers and AMD Athlon 
64-bit servers.
http://www.intel.com/business/bss/infrastructure/security/xdbit.htm

What it does is set apart pages of memory to be data only, so code 
cannot be executed from them.

http://www.intel.com/business/bss/infrastructure/security/flash.htm

On CPUs that support execution protection (NX) technology, Windows XP 
Service Pack 2 marks data pages non-executable. This feature of the 
underlying hardware prevents execution of code from pages marked in this 
way. This prevents attackers from overrunning a marked data buffer with 
code and then executing the code; it would have stopped the Blaster worm 
dead in its tracks. The only processor families that currently support 
NX are the 64-bit AMD K8 and Intel Itanium; however, Microsoft expects 
future 32-bit and 64-bit processors to provide hardware based execution 
protection. In addition to supporting NX, Service Pack 2 implements 
sandboxing. All binaries in the system have been recompiled with buffer 
security checks enabled to allow the runtime libraries to catch most 
stack buffer overruns, and "cookies" have been added to the heap to 
allow the runtime libraries to catch most heap buffer overruns.

Steve Erbach wrote:

>John,
>
>FWIW, Jerry Pournelle has commented on his web site that all the focus
>on C++ over the years is reaping the whirlwind, so to speak. That is,
>with a more strongly typed language, there would be no such thing as
>buffer overflows. Do you or does anyone else here have a feel for
>that?
>
>Steve Erbach
>
>
>On Fri, 25 Feb 2005 15:45:06 -0600, John Bartow <john at winhaven.net> wrote:
>  
>
>>Just got this from Watchguard:
>>
>>Trend Micro AV Ushers Hackers Right In
>>
>>*
>><http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=Vulnerability+in+VSAPI+ARJ+parsing+could+allow+Remote+Code+execution>
>>Trend Micro's ARJ Buffer Overflow Alert
>>
>>A similar thing happened to Symantec a couple of weeks ago:
>>*        <http://xforce.iss.net/xforce/alerts/id/189> ISS X-Force's ARJ
>>Buffer Overflow Alert
>>
>>John B.
>>    
>>
>_______________________________________________
>dba-Tech mailing list
>dba-Tech at databaseadvisors.com
>http://databaseadvisors.com/mailman/listinfo/dba-tech
>Website: http://www.databaseadvisors.com
>
>  
>

-- 
Marty Connelly
Victoria, B.C.
Canada
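The page-level behaviour Marty describes (data pages marked non-executable, so a payload written into a buffer cannot be run) can be observed directly from user space. The program below is an added example for this thread, not code posted by Marty or by Microsoft/Intel; it assumes Linux on an NX-capable x86-64 or AArch64 CPU, and the "payload" is a constructed six- or eight-byte stub that just returns 42. It plants the stub in a freshly mapped page, then tries to call it once with the page left read/write (what an overflowed data buffer looks like) and once after mprotect() has added execute permission. With the execute-disable bit in force the first call faults and is reported as blocked; the second runs and returns 42.

```c
/* Observing hardware execute-disable (NX / XD / DEP) from user space.
 * Added example for this thread, not code from the original post.
 * Assumes Linux on x86-64 or AArch64. STUB is a constructed payload:
 *   x86-64:  mov eax, 42 ; ret
 *   AArch64: mov w0, #42 ; ret                                         */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if defined(__x86_64__)
static const unsigned char STUB[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
#elif defined(__aarch64__)
static const unsigned char STUB[] = { 0x40, 0x05, 0x80, 0x52,   /* mov w0, #42 */
                                      0xC0, 0x03, 0x5F, 0xD6 }; /* ret          */
#else
#error "payload stub only encoded for x86-64 and AArch64"
#endif

#define EXEC_BLOCKED (-1)   /* the CPU refused to fetch from the page */
#define MAP_ERROR    (-2)   /* mmap/mprotect failed */

static sigjmp_buf fault_env;

/* SIGSEGV/SIGBUS handler: unwind out of the faulting instruction. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Copy STUB into a new page, set the page's protection to `prot`, and try
 * to call it. Returns 42 if the CPU executed the stub, EXEC_BLOCKED if the
 * hardware faulted (non-executable page), MAP_ERROR on a mapping failure. */
int run_from_page(int prot) {
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    /* Map writable first so the payload can be planted, as an overflow would. */
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return MAP_ERROR;
    memcpy(page, STUB, sizeof STUB);
    /* Keep the instruction cache coherent with the bytes just written. */
    __builtin___clear_cache((char *)page, (char *)page + sizeof STUB);
    if (mprotect(page, pagesz, prot) != 0) {
        munmap(page, pagesz);
        return MAP_ERROR;
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn);  /* data pointer -> function pointer */
        result = fn();                  /* faults here if the page is NX */
    } else {
        result = EXEC_BLOCKED;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return result;
}

int main(void) {
    /* With execute-disable in force: -1 for the RW page, 42 for the RX page. */
    printf("RW page: %d\n", run_from_page(PROT_READ | PROT_WRITE));
    printf("RX page: %d\n", run_from_page(PROT_READ | PROT_EXEC));
    return 0;
}
```

The check is only as strong as the platform: on a CPU or kernel without NX support the read/write page would execute and the first call would also return 42, which is exactly the "check before production" point made above. Note also that the RX call succeeds because the program itself asked for PROT_EXEC; the protection defends against an attacker who can only write data, not one who already controls an mprotect() call.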