Take the most common remote management software as an example: it lets network administrators solve a user's problem without leaving their desk. In the hands of an attacker, the same software becomes a high-risk weapon for taking control of users' computers. Understanding the legitimate, everyday features of a piece of software is necessary, but being able to see the risks hidden behind those features is what greatly reduces the security problems the software can cause.
Look back over the past few decades of computing and the picture is clear. The earliest input and output medium was paper tape, in which punched holes represented binary 0 and 1; this tape also served as the machine's storage. There was no notion of an "operating system" yet. The tape carried the whole computing task, which is what we now call a "program". Input and output were manual: a person carried the paper to the tape reader and then dealt with whatever the computer produced. As processing speeds grew, this manual feeding of programs became the bottleneck, and people needed something that could load programs automatically and respond to the hardware's feedback in real time. Storage technology took a leap at the same time: data moved from tape to magnetic media, freeing people from the limits of tape. Magnetic storage made input and output fast enough that manual control no longer made sense, so a dedicated program was written to manage the input and output work of other programs. That was the prototype of the "operating system". Since then the operating system has been the layer that manages hardware and mediates human-computer interaction: it handles the underlying hardware and also gives users an interface through which to operate it. In this sense the history of the computer is, to a large degree, the history of the operating system.
Applications
After so much about operating systems you may be wondering what any of it has to do with information security. The answer is that the relationship between the operating system and the applications running on it cannot be understood without these basics.
As noted above, the operating system provides the interface for human-machine interaction. An operating system on its own, however, is useless. It is like a stage: it gives the performance a place to happen, but it supplies no dancer. Put another way, the operating system is the layer of icing on the cake that "softens" the hardware into something usable; to do any practical work, something else must run on top of it. That something is the "application".
In fact the paper-tape machine mentioned above already showed the outline of an application. Operators first loaded an initialization program into the computer and only then fed in the code of the actual task; without the initialization program, the code that followed could not be recognized or executed. That initialization program played the role the "operating system" plays today, and the task code was the "application". In slightly more rigorous terms, applications are built on top of the operating system and achieve what they want by driving the interfaces the operating system exposes. The hardware is the ground on which the stage is built, the operating system is the stage, and the stage needs its dancer: the application.
System Interface
If hardware, operating system and applications complement one another, through what channel do they talk to each other? The answer is the interface.
The operating system sits between hardware and applications and acts as an intermediary. On one side it has the low-level ability to drive the hardware; on the other it exposes an interface for applications to use. The designers express that interface as a set of callable instructions, each with a different function, known as interface functions (system calls and API functions). An application does not deal with the hardware directly; it calls these pre-defined interface functions and lets the operating system perform the hardware operation on its behalf. Most applications rely on many such functions and have no right to touch the hardware themselves. This indirection is what makes a rich application environment possible, but it also means that a defect in an interface, or a program that abuses one, has consequences that are hard to predict for everything built on top. The following sections illustrate this with concrete examples.
The embarrassment of anti-virus software
Since the first computer virus appeared, anti-virus software has been, in many people's eyes, synonymous with the computer's protector. What you may not realize is that viruses and anti-virus software belong to the same family: both are applications. Cats and mice are both animals, but belonging to the same kingdom does not make the cat a deity. A powerful cat can still fail, and anti-virus software is not exempt from that rule.
From the first anti-virus product to today, anti-virus software has gone through many upgrades, and its real-time monitoring is now marketed under names such as "XX Shield" and "XX Wall". But does it really stop every virus the way the vendors advertise? The truth is that if users place 100% of their confidence in these "walls" and "shields", one day they will look at their computers and find that some virus has been thriving right in front of the "wall" they trusted.
Why does this happen? It is closely tied to the technology anti-virus software uses. Most products today rely on a scanning technique called "signature detection" (the "virus pattern" the vendors talk about). The scanner reads the contents of a program or file and compares them against pieces of code stored in its database that have already been identified as belonging to virus programs; when a piece matches, the software "confirms" the file as a virus. The advantage of this method is efficiency: the vendor does not have to change the scanning engine to catch a new virus, only update the signature database (the virus feature library). Its disadvantages cannot be ignored, though. Viruses evolve rapidly today, and besides those that traditional techniques cannot remove at all (the "Chinese Hacker" virus of a few years earlier is one example), the signature database must be kept up to date at all times. In China that is not realistic: many users run non-genuine copies of anti-virus software (or several users share one license), so they cannot receive signature updates, and many others do not even know the database needs updating. They install the software and never update it once. Can you really rest easy behind a "wall" like that?
Computer interfaces and the signature crisis
Dangerous service replacement
If the "wall" let the storm through only because its signature database was not updated in time, that would be bad enough. What users may not know is that the "wall" protecting their computer can itself have vulnerabilities, and these vulnerabilities may cause more security problems than the viruses do.
The reason is that anti-virus software is itself a program, and as the old saying goes, every program has bugs. Vulnerabilities in anti-virus software are therefore inevitable. Some anti-virus programs can even be killed by the very viruses they are meant to catch.
Because anti-virus software detects viruses by their signatures, a virus whose body changes even slightly at the signed location can slip past the scan.
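The two points above, signature matching and its evasion by a small change to the virus body, as an added example in C (this is not code from any anti-virus product). The signature, the masks and the three "file" buffers are constructed for illustration. The wildcard mask also shows the usual mitigation, which goes a step beyond the text: bytes a virus author can change freely are marked as "don't care" positions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One signature: a byte pattern plus a mask. mask[i] == 0 marks a wildcard
 * position that the scanner accepts regardless of the byte found there. */
typedef struct {
    const char *name;
    const uint8_t *pattern;
    const uint8_t *mask;
    size_t len;
} signature_t;

/* Returns 1 when sig matches buf at offset off, honouring the mask. */
static int match_at(const uint8_t *buf, size_t buf_len, size_t off,
                    const signature_t *sig)
{
    if (off + sig->len > buf_len)
        return 0;
    for (size_t i = 0; i < sig->len; i++)
        if (sig->mask[i] && buf[off + i] != sig->pattern[i])
            return 0;
    return 1;
}

/* Slides every signature over the buffer; returns the index of the first
 * signature found anywhere in it, or -1 when the buffer looks clean. */
int scan_buffer(const uint8_t *buf, size_t buf_len,
                const signature_t *sigs, size_t nsigs)
{
    for (size_t s = 0; s < nsigs; s++)
        for (size_t off = 0; off < buf_len; off++)
            if (match_at(buf, buf_len, off, &sigs[s]))
                return (int)s;
    return -1;
}

/* Constructed code fragment standing in for a known virus body:
 * push ebp; mov ebp, esp; push 0x44434241; call ... */
const uint8_t VIRUS_FRAGMENT[] = {0x55, 0x8B, 0xEC, 0x68, 0x41, 0x42, 0x43, 0x44, 0xE8};
/* Exact signature: every byte must match. */
const uint8_t MASK_EXACT[] = {1, 1, 1, 1, 1, 1, 1, 1, 1};
/* Tolerant signature: the four-byte immediate after the 0x68 opcode is a
 * value the virus author can change freely, so it is wildcarded. */
const uint8_t MASK_WILD[]  = {1, 1, 1, 1, 0, 0, 0, 0, 1};

const signature_t EXACT_SET[] = {{"Demo.A (exact)",    VIRUS_FRAGMENT, MASK_EXACT, sizeof VIRUS_FRAGMENT}};
const signature_t WILD_SET[]  = {{"Demo.A (wildcard)", VIRUS_FRAGMENT, MASK_WILD,  sizeof VIRUS_FRAGMENT}};

/* Constructed "files": a header, the fragment (or a variant), a tail. */
const uint8_t FILE_INFECTED[] = {0x4D, 0x5A, 0x90, 0x00,
                                 0x55, 0x8B, 0xEC, 0x68, 0x41, 0x42, 0x43, 0x44, 0xE8,
                                 0x00, 0x00, 0x00, 0x00, 0xC3};
/* Same body, one byte of the pushed immediate changed (0x43 -> 0x99). */
const uint8_t FILE_VARIANT[]  = {0x4D, 0x5A, 0x90, 0x00,
                                 0x55, 0x8B, 0xEC, 0x68, 0x41, 0x42, 0x99, 0x44, 0xE8,
                                 0x00, 0x00, 0x00, 0x00, 0xC3};
const uint8_t FILE_CLEAN[]    = {0x4D, 0x5A, 0x90, 0x00, 0x33, 0xC0, 0xC3};

int main(void)
{
    printf("infected, exact signature : %d\n", scan_buffer(FILE_INFECTED, sizeof FILE_INFECTED, EXACT_SET, 1));
    printf("variant,  exact signature : %d\n", scan_buffer(FILE_VARIANT,  sizeof FILE_VARIANT,  EXACT_SET, 1));
    printf("variant,  wildcard        : %d\n", scan_buffer(FILE_VARIANT,  sizeof FILE_VARIANT,  WILD_SET,  1));
    printf("clean,    wildcard        : %d\n", scan_buffer(FILE_CLEAN,    sizeof FILE_CLEAN,    WILD_SET,  1));
    return 0;
}
```

The exact signature finds the original body in FILE_INFECTED but misses FILE_VARIANT, where a single byte of the pushed immediate differs; the wildcard signature catches the variant and still leaves FILE_CLEAN alone. Real engines add wildcards, ranges and emulation for exactly this reason, and a signature made too loose starts producing false positives, which is the trade-off the vendor balances with every database update.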
Anti-virus software is a program running on the operating system, and the operating system can itself be thought of as one very large program. It too will have defects and vulnerabilities, and a security flaw in the "foundation" naturally has a great impact on the applications standing on it. Here we look at two more advanced ways in which operating system weaknesses directly expose users to viruses and intruders: "service replacement" and "abusing anti-virus software's elevated privileges to break into the system".
Systems in the NT family run much of their background work as "services", a mechanism sitting close to the system's underlying interfaces. A service is normally started by the Service Control Manager at boot, runs under a privileged account (typically LocalSystem), and cannot be stopped with an ordinary end-process command; that is the privilege of a service. Services are nevertheless applications. An anti-virus product that wants to start with the system and resist being terminated therefore has to run as a service, and once it does it seems safe from the moment the system starts. The NT design, however, plays a joke on privileged programs. Users who know a little about computers know that Windows will not let a running program's executable, or the files it has mapped, be deleted; this protection keeps a running application intact. The protection is weaker than it looks: a running image file cannot be deleted, but it can be renamed or moved, and if the service's executable or the directory containing it carries permissions that let an ordinary user write there, nothing stops an intruder from moving the genuine anti-virus service binary aside and placing a backdoor under its name. The user's nightmare follows at the next boot: the Service Control Manager faithfully starts the replacement with the service's full privileges, and the user's computer has opened its door to the outside world.
Differences and features of processes and system services
Easy intrusion
Winamp, Media Player, RealPlayer... every user's computer carries a variety of music players, and it is the cooperation between these tools and the system that gives users such a pleasant listening experience. Who would expect that a pair of black hands could reach you through a vulnerability in one of them?
Tight integration of the personal computer with the network is the trend of our time, and music players have not ignored that market. But the network is dangerous, and blows from the Internet land on the player. The Winamp main program is only a control shell for its functional modules, and a vulnerability in any module is exploited without mercy. The module in question is IN_CDDA.dll, the Winamp plug-in that plays CD audio. It contains code that interacts with web pages, and that code has a serious defect: when it processes a malicious web page, it can be made to download and execute a backdoor program stored on the attacker's site.
RealPlayer long ago gained the ability to embed itself in a web page, but it is so obedient to the page that hosts it that commands on the page can be used to control the user's computer as well.
Media Player is famous enough that it should know the dangers of the network. Unfortunately it leans too heavily on its sibling Internet Explorer, so IE's MIME-type handling flaw and script-based intrusions trouble it as well.
To support online playback, streaming media players need a matching source on the server side, which is how media servers such as Helix Universal Server, Windows Media Server and Nullsoft SHOUTcast Server came about. These servers are the power source behind the players, but every one of them has suffered buffer overflow vulnerabilities, a headache that has lasted for years.
A media server works on the same principle as an ordinary HTTP server: it acts on data requests sent by clients. But a request can be malicious. Remember the over-long or specially crafted string at the heart of an overflow attack? Requests that look ordinary, made of nothing but plain characters, have brought down countless pieces of software, and music servers are no exception. When SHOUTcast Server receives a request containing a specific string, it overflows, and the intruder gains control of the server. Helix Universal Server, the back-end partner of RealPlayer, cannot cope with requests that exceed the agreed length: an intruder sends a long URL containing specific characters.
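The fixed-buffer mistake behind the over-long request overflows described above, next to a bounded version, as an added example in C. The request format, the 32-byte path buffer and all function names are constructed for illustration; this is not code from SHOUTcast, Helix or any real server, and the vulnerable function is included to show the pattern, not to be run on untrusted input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF      32   /* constructed: size of the server's path buffer */
#define REQ_OK         0
#define REQ_MALFORMED (-1)
#define REQ_TOO_LONG  (-2)

/* Locates the path in a request line of the form "GET <path> HTTP/1.x".
 * Stores where the path starts and returns its length, or -1 when the line
 * does not have that shape. Both parsers below share this step. */
static long find_path(const char *req, const char **path_start)
{
    if (strncmp(req, "GET ", 4) != 0)
        return -1;
    const char *start = req + 4;
    const char *end = strchr(start, ' ');
    if (end == NULL || end == start)
        return -1;
    *path_start = start;
    return (long)(end - start);
}

/* VULNERABLE, kept for illustration and never fed untrusted input here: the
 * path is copied into a fixed buffer of PATH_BUF bytes without any length
 * check. A path longer than 31 bytes runs past the buffer, which is the
 * pattern behind the over-long-URL overflows described in the text. */
int parse_request_unsafe(const char *req, char *path_out)
{
    const char *p;
    long n = find_path(req, &p);
    if (n < 0)
        return REQ_MALFORMED;
    memcpy(path_out, p, (size_t)n);   /* no check against PATH_BUF */
    path_out[n] = '\0';
    return REQ_OK;
}

/* Hardened: refuses any path that would not fit together with its
 * terminator, so the caller's buffer can never be overrun. */
int parse_request_safe(const char *req, char *path_out, size_t out_len)
{
    const char *p;
    long n = find_path(req, &p);
    if (n < 0)
        return REQ_MALFORMED;
    if ((size_t)n >= out_len)
        return REQ_TOO_LONG;
    memcpy(path_out, p, (size_t)n);
    path_out[n] = '\0';
    return REQ_OK;
}

/* Builds a constructed request whose path is "/" followed by path_len 'A'
 * bytes and reports what the hardened parser makes of it. */
int probe_safe_parser(size_t path_len)
{
    char req[1024];
    char path[PATH_BUF];
    if (path_len + 20 > sizeof req)
        return REQ_MALFORMED;
    memcpy(req, "GET /", 5);
    memset(req + 5, 'A', path_len);
    memcpy(req + 5 + path_len, " HTTP/1.0\r\n", 12);   /* 11 chars + NUL */
    return parse_request_safe(req, path, sizeof path);
}

/* Runs the hardened parser on a literal request line and returns its code. */
int classify_request(const char *req)
{
    char path[PATH_BUF];
    return parse_request_safe(req, path, sizeof path);
}

/* Returns 1 when the hardened parser accepts req and extracts expected. */
int safe_path_equals(const char *req, const char *expected)
{
    char path[PATH_BUF];
    if (parse_request_safe(req, path, sizeof path) != REQ_OK)
        return 0;
    return strcmp(path, expected) == 0;
}

int main(void)
{
    printf("path_len 30  : %d\n", probe_safe_parser(30));   /* 31-byte path fits */
    printf("path_len 31  : %d\n", probe_safe_parser(31));   /* no room for the NUL */
    printf("path_len 300 : %d\n", probe_safe_parser(300));  /* rejected */
    printf("bad verb     : %d\n", classify_request("PLAY /x HTTP/1.0\r\n"));
    return 0;
}
```

probe_safe_parser(30) is accepted while probe_safe_parser(31) is refused: the comparison is against out_len including the terminator, which is the off-by-one that checks written as "n > PATH_BUF" get wrong. parse_request_unsafe has no check at all, so the client chooses how many bytes land past the end of the caller's buffer, and that is all an overflow needs.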