Explanation from a Comodo official
Hello Guys,
No we are not vulnerable to this AppVerifier injection. Michael [from Cybellum] contacted us on this issue at our security response email, and we had a long discussion on the topic.
The claim was: Malware can use this registry key to inject arbitrary code into COMODO processes and hence disable the protection. DLL injection through AppVerifier registry keys has been around since Windows XP, i.e., for the last 10 years, and CIS [Comodo Internet Security], by default, protects these keys against malicious modifications already. Check the attachment CIS_protected.png. In order for the attack to be successful, malware has to write to this registry key, and CIS already protects against this by default. There are actually hundreds of similar ways of injecting into other processes, and I am not sure other AVs are even aware of them.
Most of the disagreement comes from not understanding how CIS layered defense works and assuming CIS is like the classical antivirus products mentioned in the original article. Never mind protecting itself against such attacks, CIS protects EVERY other application against such attacks too.
For this attack to be successful, the malware author should be able to bypass CIS protection. CIS, by default, allows only whitelisted applications to modify such critical keys. Non-whitelisted applications will be either blocked or sandboxed, rendering the attack ineffective.
To his credit however, during our discussions with Michael [from Cybellum], another attack vector was disclosed to us. This can cause problems with the default configuration, so we will be addressing it with an update in April. We will be giving more details on it with the release.
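The statement above turns on one registry location: the Application Verifier entries under Image File Execution Options, which CIS says it protects from writes. As an added audit script (not Comodo's or Cybellum's code), the following PowerShell enumerates those entries on a host and lists every verifier provider DLL they would load into the named process, together with its Authenticode status. It assumes the documented Windows layout (GlobalFlag bit 0x100 enables the verifier, VerifierDlls names the providers) and that providers are plain file names resolved under System32 or SysWOW64; the function name Get-VerifierInjection is ours.

```powershell
# Added audit script (not Comodo's code). Assumes the documented IFEO layout:
# GlobalFlag bit 0x100 (FLG_APPLICATION_VERIFIER) turns the verifier on and the
# VerifierDlls string lists the provider DLLs loaded into that process.
$FLG_APPLICATION_VERIFIER = 0x100
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-VerifierInjection {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path $root)) { continue }
        # 32-bit providers (WOW6432Node view) resolve under SysWOW64, 64-bit under System32.
        $sysDir = if ($root -like '*WOW6432Node*') { 'SysWOW64' } else { 'System32' }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            # GlobalFlag may be REG_DWORD or a REG_SZ such as "0x100"; absent -> 0.
            $flags = [int]($props.GlobalFlag)
            $verifierOn = ($flags -band $FLG_APPLICATION_VERIFIER) -ne 0
            $dllList = @(($props.VerifierDlls -split '\s+') | Where-Object { $_ })
            if (-not $verifierOn -and $dllList.Count -eq 0) { continue }
            if ($dllList.Count -eq 0) { $dllList = @('(none listed)') }
            foreach ($dll in $dllList) {
                $path = Join-Path $env:SystemRoot "$sysDir\$dll"
                $sig = if ($dll -eq '(none listed)') { 'n/a' }
                       elseif (Test-Path $path) { (Get-AuthenticodeSignature $path).Status }
                       else { 'FileMissing' }
                [pscustomobject]@{
                    Process     = $key.PSChildName
                    VerifierOn  = $verifierOn
                    VerifierDll = $dll
                    DllPath     = $path
                    Signature   = $sig
                }
            }
        }
    }
}

# Entries whose provider is unsigned, missing, or not listed at all are the ones
# to investigate; a legitimate Application Verifier setup shows 'Valid' here.
Get-VerifierInjection | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Run it from an elevated prompt on a host you manage; an empty result means no process has a verifier provider configured in either registry view.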