Serious Discussion Three Unpatched Vulnerabilities Plague Comodo. Documented Online.

Would you use vulnerable and outdated software, when alternatives exist?

  • Yes

  • No


So search order hijacking depends on having their malicious DLL in the PATH var?
No.

So I made every PATH dir non-writable. Or did I misunderstand what search order hijacking means?

The default search order for DLLs loaded by unpackaged applications is as follows:
  1. DLL Redirection.
  2. API sets.
  3. SxS manifest redirection.
  4. Loaded-module list.
  5. Known DLLs.
  6. Windows 11, version 21H2 (10.0; Build 22000), and later. The package dependency graph of the process. This is the application's package plus any dependencies specified as <PackageDependency> in the <Dependencies> section of the application's package manifest. Dependencies are searched in the order they appear in the manifest.
  7. The folder from which the application loaded.
  8. The system folder. Use the GetSystemDirectory function to retrieve the path of this folder.
  9. The 16-bit system folder. There's no function that obtains the path of this folder, but it is searched.
  10. The Windows folder. Use the GetWindowsDirectory function to get the path of this folder.
  11. The current folder.
  12. The directories that are listed in the PATH environment variable. This doesn't include the per-application path specified by the App Paths registry key. The App Paths key isn't used when computing the DLL search path.
The attackers usually abuse points 7 and 8. The PATH environment variable is searched at the end, so usually it does not matter at all.
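To make the point about PATH concrete, here is a small model of items 7 to 12 of the search order above, written as an added example for this thread (it is not code from any poster or from Comodo). It resolves a DLL name through the ordered directories and then lists, from a defender's side, which directories consulted before the legitimate copy are writable by a standard user. All paths, DLL names and writability facts are constructed test data, nothing is read from the real file system; the 16-bit system folder is assumed to be %windir%\System, and safe DLL search mode is assumed on (current folder after the Windows folder), both of which are assumptions of the example rather than statements from the thread.

```python
"""Model of the Windows DLL search order (items 7-12 above) for unpackaged
applications, used to audit which directories a standard user can write to
that the loader consults before it reaches the real copy of a DLL.

Constructed example: paths, DLL names and the writability set are made up;
nothing touches the real file system, so this runs on any OS."""
from pathlib import PureWindowsPath


def search_order(app_dir, system_dir, windows_dir, current_dir, path_env):
    """Directories in the order the loader consults them (items 7-12 above).
    Assumes safe DLL search mode, so the current folder follows the Windows
    folder, and assumes the 16-bit system folder is %windir%\\System."""
    sixteen_bit = str(PureWindowsPath(windows_dir) / "System")
    order = [app_dir, system_dir, sixteen_bit, windows_dir, current_dir]
    order += [p for p in path_env.split(";") if p.strip()]
    return order


def _norm(path):
    # Windows paths are case-insensitive; compare them in one canonical form.
    return str(PureWindowsPath(path)).lower().rstrip("\\")


def resolve_dll(dll_name, order, present):
    """Return (full_path, index) of the first directory in `order` holding
    `dll_name`; `present` is the set of normalised full paths that exist.
    (None, len(order)) means the DLL is not found anywhere."""
    for i, directory in enumerate(order):
        candidate = PureWindowsPath(directory) / dll_name
        if _norm(str(candidate)) in present:
            return str(candidate), i
    return None, len(order)


def planting_candidates(dll_name, order, present, writable):
    """Directories searched before the DLL is found (all of them if it is
    never found) that a standard user can write to. An empty list means
    hardening PATH entries changes nothing for this particular DLL."""
    _, found_at = resolve_dll(dll_name, order, present)
    writable_n = {_norm(w) for w in writable}
    seen, result = set(), []
    for directory in order[:found_at]:
        key = _norm(directory)
        if key in writable_n and key not in seen:
            seen.add(key)
            result.append(directory)
    return result


# Constructed scenario: an app under Program Files loads one Windows DLL and
# one third-party DLL that exists only in a PATH entry.
APP_DIR = r"C:\Program Files\ExampleApp"
SYSTEM_DIR = r"C:\Windows\System32"
WINDOWS_DIR = r"C:\Windows"
CURRENT_DIR = r"C:\Users\alice\Downloads"
PATH_ENV = r"C:\Windows\System32;C:\Tools;C:\Users\alice\AppData\Local\bin"

PRESENT = {
    _norm(r"C:\Windows\System32\version.dll"),
    _norm(r"C:\Tools\thirdparty.dll"),
}
# Directories a standard user can write to in this constructed scenario.
WRITABLE = {CURRENT_DIR, r"C:\Tools", r"C:\Users\alice\AppData\Local\bin"}

ORDER = search_order(APP_DIR, SYSTEM_DIR, WINDOWS_DIR, CURRENT_DIR, PATH_ENV)

if __name__ == "__main__":
    for dll in ("version.dll", "thirdparty.dll", "missing.dll"):
        path, _ = resolve_dll(dll, ORDER, PRESENT)
        print(f"{dll}: resolved to {path}")
        print("  writable dirs searched first:",
              planting_candidates(dll, ORDER, PRESENT, WRITABLE))
```

Running it shows the shape of the argument in the thread: a DLL that lives in System32 is found at step 8 and the PATH entries are never reached, so making them read-only changes nothing; a third-party DLL that exists only in a PATH entry is preceded in the order by the application folder and the current folder, which is where the writable locations that matter actually are.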
 
The PATH environment variable is searched at the end, so usually it does not matter at all.
It’s not to be underestimated; many applications rely on third-party libraries. If the developer assumes that these libraries are just there and is too lazy to go down the correct path, preferring the quick one, it is possible to abuse the environment paths too.

The executable/process will then find the malicious DLL. These are corner cases but I wouldn’t be surprised if they are happening.
 
I didn't get you.
I was just joking when I described above how to mitigate this vulnerability in Comodo. That's superfluous. :)
I prefer Comodo with minimal tweaks. Configuring Comodo is troublesome; for example, enabling scripts makes it kinda impossible to whitelist some files. I can strengthen Comodo with some advanced configurations, but the proactive configuration and some tweaks are sufficient for my usage. Anyway, I'm enjoying H_C Tools and may permanently switch to them.
Yes, that's right, you're correct. Comodo can't be too aggressive, otherwise it ends up blocking things it shouldn't. That's right, using H_C Tools together with MD is more than enough. As an experienced user, you won't have problems with malware so easily. Unfortunately, after this CVE disclosure, it becomes complicated to use CIS/CF since the vulnerability has become public.
Yes, Eazy Fix, a snapshot program similar to RollBackRx.
So don't worry about it, Eazy Fix and RollBackRx take seconds to restore to a clean snapshot. It's faster than restoring a backup image. ;)
 
It’s not to be underestimated; many applications rely on third-party libraries. If the developer assumes that these libraries are just there and is too lazy to go down the correct path, preferring the quick one, it is possible to abuse the environment paths too.

The attacker can abuse all possibilities. However, making the locations included in the PATH environment variable non-writable cannot help in most cases.
Abusing PATH is most often done by adding a custom location controlled by the attacker.
 
The attacker can abuse all possibilities. However, making the locations included in the PATH environment variable non-writable cannot help in most cases.
Abusing PATH is most often done by adding a custom location controlled by the attacker.
Someone else suggested making paths non-writeable.
 
So don't worry about it, Eazy Fix and RollBackRx take seconds to restore to a clean snapshot. It's faster than restoring a backup image. ;)
Yes, EF and RBX restore within seconds, but these are inherently risky software. Both are excellent for testing software because of their speedy snapshots and restores compared to other options.
 
Question: If I disable app update plus disable signature updates (since the app is unmaintained, and their AV is hopelessly inadequate),
then one would not be affected by the DNS vuln and the 2 manifest vulns mentioned in post #1.

Then, mark Kaspersky Labs as untrusted in File Rating>Vendors as suggested by Andy Ful to bypass his attack.

Then set Untrusted AutoContainment rules to Block instead of Run Virtually, as mentioned in CIS was obliterated by an exploit.

In addition, disable the av and use Windows Defender.



I stand to gain proven strong auto-containment (shadowra test) and a flexible HIPS (it can block any folder, file, registry). Or am I wrong?
 
Yes, EF and RBX restore within seconds, but these are inherently risky software.
I know about the risks. Just create a backup image with EF installed but disabled. If you encounter any problems with snapshots and the MBR becomes corrupted, simply restore the backup image you created earlier and you will be back up and running without having to format. Reactivate EF and take snapshots again. On my computer, a 35GB backup image takes 3 minutes to restore with Hasleo Backup. It's fast, but even so, I rarely restore. I only do incremental backups from time to time.
 
On my computer, a 35GB backup image takes 3 minutes to restore with Hasleo Backup. It's fast, but even so, I rarely restore. I only do incremental backups from time to time.
I use Hasleo too, and it's fantastic. I installed Eazy Fix as a quick and temporary solution for some software trials/tests.
 
Question: If I disable app update plus disable signature updates (since the app is unmaintained, and their AV is hopelessly inadequate),
then one would not be affected by the DNS vuln and the 2 manifest vulns mentioned in post #1.

Not necessarily. The attacker can force the update. You should rather block the update process.
However, you will miss the Comodo patch for those vulnerabilities.

Then, mark Kaspersky Labs as untrusted in File Rating>Vendors as suggested by Andy Ful to bypass his attack.

This was the suggestion to block a particular attack. Other similar attacks will still be possible. Comprehensive protection requires blocking vulnerable drivers.

Then set Untrusted AutoContainment rules to Block instead of Run Virtually, as mentioned in CIS was obliterated by an exploit.

This containment bypass is already patched (for Restricted and Untrusted levels).

I stand to gain proven strong auto-containment (shadowra test) and a flexible HIPS (it can block any folder, file, registry).

Yes, in the home environment.
 
Comodo Internet Security is now a for-pay app. It gives you like 2 weeks to use for free, then pops up a payment reminder. If you don't pay, it disables the product.

The file which you download is named cispro.
 
Failure 3: Ignoring the Vendor's Responsibility. The fact that Comodo is unresponsive to the disclosure is perhaps the most damning part. It signals that the product is likely unmaintained and that users are on their own.
Except for perhaps the first phases and years of post-release (and even that is debatable), Comodo FW/IS never was actively developed and maintained. It has always been pseudo-abandonware because of zero revenue. Add to that the fact that most of the people that developed and/or managed Comodo early on are mostly all gone, the current state of the software is no surprise.

There is no dedicated Comodo FW/IS development team. Never has been. Never will be.

People like me are perfectly OK with free software with problems because there is no duty for it to be fixed. If a developer decides to release pig slop code, then that is their prerogative, and they should not be judged for doing so. There is no quality standard for free software. Userland decides what is good enough and worthwhile to use.

It is always the consumer's responsibility to figure out what is good and what is not. Every software publisher globally relies upon the "offered 'AS IS'; use at your own risk" EULA.

As it is, Comodo FW/IS have been on that negative slope towards irrelevancy for years. Nevertheless, if a user likes it, and it works for them, then isn't that wonderful for them? Every single bit of code that I use has at one time or another had reported vulnerabilities. To this day many of the PoC vulns have never been fixed. Anybody using Windows is pounding it out on a system with many unfixed vulnerabilities.

You did not say it but others here have said that "Comodo is immoral and harming users." I take issue with those claims because it just ain't true.

I suppose it all comes down to what people believe a software publisher's duty is when it comes to freeware. In my world, unless a free software is used for something that could physically harm a person (e.g. medical x-ray control system), the publisher has zero responsibility to do anything. Even for paid software there are a lot of grey areas as to what should be fixed by a publisher. Consumers are predictable - they expect it all to be fixed, yesterday. So they do not cope very well with the world of software.

Should people use Comodo? That's something for each person to decide for themselves. Someone that chooses to use Comodo and promote it is not a "fanatic" or extremist.
 
Except for perhaps the first phases and years of post-release (and even that is debatable), Comodo FW/IS never was actively developed and maintained. It has always been pseudo-abandonware because of zero revenue. Add to that the fact that most of the people that developed and/or managed Comodo early on are mostly all gone, the current state of the software is no surprise.
Yes, you are right and that’s exactly what we are talking about. When users pay “€0.00”, there can’t be any expectations and requirements as to quality.
In this case there is no “deal” or “contract” between the user and the software developer/distributor and the only contract is the EULA which is in favour of the developer.

There is no dedicated Comodo FW/IS development team. Never has been. Never will be.
There is a maintained Xcitium codebase. The product can easily be merged with this codebase. If I am developing a stable and “secure” product for one audience and for the other audience I am pushing vulnerable and outdated code, I think we both can agree that I cannot be classified as a serious cyber security vendor.
The decision how much a product costs lies within the hands of developers and distributors. Users should not have to suffer simply because the software is free.
I suppose it all comes down to what people believe a software publisher's duty is when it comes to freeware. In my world, unless a free software is used for something that could physically harm a person (e.g. medical x-ray control system), the publisher has zero responsibility to do anything. Even for paid software there are a lot of grey areas as to what should be fixed by a publisher. Consumers are predictable - they expect it all to be fixed, yesterday. So they do not cope very well with the world of software.
Well, I doubt anyone expects much from Comodo. But at least the bare minimum maybe?
Should people use Comodo? That's something for each person to decide for themselves. Someone that chooses to use Comodo and promote it is not a "fanatic" or extremist.
You see, here I agree with you. But I think we both can agree that yet again, on the Comodo forum, users expressed their concern. Someone, yet again worked overtime with false statements, to persuade them that “it’s ok, it’s nothing”.
See this post

Persuading people to use vulnerable, not actively developed software just because you have some unhealthy emotional attachments to it and the company, in some people’s opinion is immoral and unethical. Furthermore, (ab)using the fact that the users haven’t got deep technical knowledge, and bamboozling them with a bunch of “mumbo jumbo” till they say “oh ok, I understand now” is also a highly questionable practice.
This is the problem—not Comodo itself.

I respect your opinions (as I monitor your other posts and largely agree with you, and I like the way you don’t sugar coat).

But you should also respect our opinions.
 
Does this premium version have a web page? I found my version just by googling 'comodo internet security'.
 
cannot be classified as a serious cyber security vendor.
That is a fair and accurate classification of Comodo, if the standard of comparison is all the other players in the industry space.

There is a maintained Xcitium codebase. The product can easily be merged with this codebase.
I estimate that Comodo, in practice, has moved past freeware CFW/CIS.

Will the codebase be merged? I would be surprised if that did happen.

The only reason Comodo keeps doing what it is doing is because CFW/CIS is Melih's ideological baby. He's anti-security software industry establishment. So he has a view of security software that, well, took the form of the Comodo FW/IS model. He thinks himself the maverick paving the way towards a future of all free security software for consumers. In a way, he did and continues to be at odds with the industry, but his efforts (experiment describes it better) show questionable results. In fact, the history is full of poor operational results as far as CFW/CIS is concerned (and CAV).

It appears to me that Melih has always been chasing the "One Hit Wonder" software that would make him Jeff Bezos or Elon Musk.

Well, I doubt anyone expects much from Comodo. But at least the bare minimum maybe?
Even expecting the bare minimum is an unrealistic expectation, if we view things historically. There's no reason whatsoever to believe that it will improve going forward.

Someone, yet again worked overtime with false statements, to persuade them that “it’s ok, it’s nothing”.
See this post
Predictable, but I have no issue with fangirl, fanboy, and fanit behaviors.

Ideological fights are a futile enterprise.

Persuading people to use vulnerable, not actively developed software just because you have some unhealthy emotional attachments to it and the company, in some people’s opinion is immoral and unethical.
From a purely ethics-centric perspective, I understand the arguments that it can be or is questionable, if not the wrong thing for someone to do. However, I am not convinced that the "promoter" is blindly ignoring facts and imperiling others' digital security. I suppose it is a matter of interpretation. I cannot determine a person's intent very well from their online behaviors. The person in meatspace and online are often different animals.

There are so many variables involved, and I for one do not like to generalize.

The greater "danger" or inequity - if I can use that term here - is un-fixed free security software made publicly available that attracts anyone who does not want to pay for security software and does not have the knowledge or skills needed to understand the implications of the decision. Now that is a Comodo issue. A social contract matter.

As far as the persons in question, I would need some face-to-face or in-person contact to make the determination of whether or not they are batshit crazy ga-ga about Comodo to the extent that would actually imperil others' digital security.

But you should also respect our opinions.
I do respect your opinion. Always have.
 