05/12/2010

KHOBE - no problem

KHOBE - no problem

It is astonishing to see how many articles have been published about KHOBE - an attack, which is purely academic, not very reliable, and has never been in-the-wild. Despite all this, the news that anti-virus-products can be bypassed, was quickly spread across the globe. The result is that many worried customers call us and ask whether they are still protected. 

YES, they are. KHOBE is no problem

I really wonder who checked the source before writing about it. Well I did. And what I found was causing concerns. The first thing that caught my eye was the way the information was disclosed. Publishing source code about a formerly unknown attack does not shed a good light on the team behind it. It is the debatable merit of Matousec if we find this kind of attack in the wild shortly. Responsible disclosure is different. 

Of course we wanted to know how exactly our product is concerned, so I send an email via their contact form asking for information how exactly our software is considered "vulnerable" (as they put it in their table). The answer was anonymous and strange in several ways: 

  • it said that our product had only a few problems (is that good for us?)
  • technical details would be described in a paper, which is currently under revision
  • the paper is being sold 
  • they would offer us source code audit services

 

So I replied and asked for the price, when the paper would be availabe and why the correspondence is anonymous (as was the individual announcement that we received two weeks ago). Here are the answers: 

  1. The price is a solid 4-digit figure in USD. If all AV-vendors in the list would subscribe to the paper, it would sum up to a 6-digit figure. 
  2. the paper is deliverable in one week
  3. there will be someone taking care of us, when we have paid

@1: We consider the effort behind finding and exploiting a new attack. But asking such a high price is exaggerated.

@2: I wonder why they are publishing such a crucial information, if they cannot deliver proper documentation.

@3: Also this mail was not signed with a name. The combination of publishing source code for a new vulnerability and the huge press coverage has put a lot of pressure on us. If in such a situation someone refuses to reveal his identiy, is asking money for (unavailable) information, would that remind you of blackmailing?

Anyway, we have fixed the problem in our product ourselves. It is currently undergoing Q&A testing and will be delivered with the next software update. 

So don't worry. KHOBE is no problem

If I could derive three wishes from that, it would be that
- Matousec would state their identity and considers a more responsible way of publishing information about new attacks
- Journalists would think twice and doublecheck information and sources before they write articles that might be perceived as the end of AV products
- Men live healthy and in peace forever




Share Article