In our recent trip to Prague, the Czech Republic, we had the opportunity to visit the headquarters of AVAST Software, the company developing one of the most popular AV products on the market today - avast! Free Antivirus. While there, we also got to meet the AVAST management team and we jumped at the occasion to ask them a few questions about their business plans, the future of their products, as well as current security trends.
We already published the interview we did in Prague with Vincent Steckler, CEO of AVAST Software. However, we also had the chance to speak with Ondrej Vlcek, the company's chief technology officer, who was very forthcoming with answers to our more technical questions.
Due to the lengthy nature of the interview, we split it in two for easier reading. This is the first part and deals with the more general questions about security in operating systems, browsers and other popular applications. You can also read the second part, which covers new features in avast! Antivirus.
Softpedia: So, Windows 8 has reportedly reached Milestone 1. Have you had any talks with Microsoft about your future plans on Windows 8?
Ondrej Vlcek: At least twice a year we are in Redmond talking to Microsoft about the new trends and also do some testing of avast! on yet unreleased versions of Windows. We haven't on Windows 8 yet, but we're testing on Windows 7 SP1, which is coming soon.
Softpedia: It's in Beta right now.
Ondrej Vlcek: Yes, but normally we'd have access before the public – the public build.
Regarding the architecture of the upcoming Windows, that's also something we keep discussing. Not only us necessarily; other AV companies as well. Twice a year, we meet in Redmond with all the AV companies and discuss the trends and also what changes in the kernel would be appreciated by the security industry.
For example, 64-bit Windows is known for PatchGuard. That's the component that is basically preventing direct patching of the kernel. Implementing PatchGuard meant that there are a lot fewer rootkits on 64-bit than on 32-bit. But, at the same time it makes it difficult for the more traditional anti-rootkit and HIPS-type applications to be ported to 64-bit, because they rely on hooking functions and kernel patching. So, right now we are trying to come up with solutions to these problems by having Microsoft implement more functionality that wouldn't disrupt the system and could be used to protect the users.
Softpedia: There have been rumors that Microsoft is considering dropping support for 32-bit entirely. The latest version of Windows Server (Windows Server 2008 R2) is already 64-bit only.
Ondrej Vlcek: I've heard rumors of this for many years. The problem is that Windows' success is entirely driven by compatibility with other software. The biggest problem of Vista and the main reason why it wasn't very successful is that it had issues with lots of hardware and software. So, dropping support for 32-bit altogether is maybe just too early.
If you look even today at 64-bit Windows 7, there's still a lot of stuff that just doesn't work there, like older printers. In most cases it's hardware, but not necessarily; some software doesn't work very well either. And people don't want to get rid of their hardware, even when it's sort of dated.
For example, my dad has a printer, which he bought five years ago. It's called N2500 and it's a perfectly fine printer; it prints nicely. The problem is there's no driver for 64-bit. And I can't tell him to get a new printer, because he's not the type of person who would get new hardware just because there's no driver for it.
So, regarding the end of 32-bit support, I don't think it's happening anytime soon.
Softpedia: What do you think about the security of Windows 7 compared to Vista and XP?
Ondrej Vlcek: The security model in Windows 7 is very similar to how it was in Vista, because the most important parts were implemented in Vista. I see more differences between the 32-bit and 64-bit versions. I do agree with the statement that 64-bit is currently more secure and there are two reasons for this.
One is that there are almost no rootkits for 64-bit. That is very important.
Softpedia: There is a new one with signed drivers. [Stuxnet]
Ondrej Vlcek: Correct. But if you look at the magnitude of the problem on 32- and on 64-bit, it's just incomparable. The other reason is that 64-bit users are still in the minority and the bad guys will always focus on the majority.
Generally I think that even though UAC is something that most people hate, from the global point of view it had one significant effect on the whole ecosystem and that is that software vendors finally started digitally signing their code. Because with UAC you get the prompt that looks very different whether the code is signed or not.
Most of the software companies now sign their code and that is very, very helpful for the AV industry as a whole, because it's much easier to whitelist, for example. Before that, there was no easy way to find the origin of files. Now with digital signatures in place it's much easier and much more transparent. This is one of the indirect effects of UAC that we really value and we think it was a great thing.
Softpedia: There's been some recent research from Secunia, which looked into how popular applications implement DEP and ASLR. The conclusion was that very few support both, or support them completely. How do you feel about this?
Ondrej Vlcek: Maybe one of the reasons for this is that implementing these features, especially ASLR, makes it harder to debug. Post-mortem debugging is sort of more difficult. But otherwise, I think it might be an educational problem. Microsoft probably needs to work more closely with its partners.
Softpedia: Force their hand a little bit?
Ondrej Vlcek: Yes. But if you look back, a few years ago the big companies weren't even signing their files. So, having them use this new stuff, like ASLR in Windows 7, would be great, but I think it will take some time.
Softpedia: How do you view the overall security in Windows, compared to Mac or Linux?
Ondrej Vlcek: I think we will be seeing more and more attacks towards Mac. Of course, it's still a minor platform in terms of market share, currently estimated to be between 6% and 7%, compared to something like 92% or 93% for Windows. For attackers it's much easier to focus on 90+%, but that's changing; the market share is growing all the time.
And also, as the platform is getting more popular, it's quite evident that there are a lot of problems in the security of the Mac OS in general. What I mean is that Apple's approach towards security vulnerabilities is not very fortunate. It somehow reminds me of Microsoft's style from maybe eight, ten years ago.
Softpedia: That's actually reflected in the results of another Secunia research effort regarding vulnerability trends. It showed that at the beginning of 2009 Oracle was leading in terms of number of vulnerabilities recorded per year, however, Apple has since taken over the first position. Meanwhile, Microsoft's place in the top has remained unchanged since 2006 and its yearly stream of vulnerabilities is pretty much constant.
Ondrej Vlcek: I'm not a big fan of the total numbers. I don't think they are very indicative. I mean, I just don't think comparing that Mac had 127, while Windows 156 is completely fair. You cannot compare the absolute numbers, because the severity of the vulnerabilities can be very different. And even if you somehow manage to count in the severity aspect and look for high criticality, their global impact may be very different as well.
So, the total number isn't that important. But Windows has undergone huge scrutiny from all researchers in the world. During the last years, basically all security researchers focused on Windows and the browsers. Apple and Mac OS were sort of left aside. I think it's really only a matter of time until those people turn their attention towards the minor platforms, or maybe they'll no longer be minor then, and at that point I assume you'll see many more problems on these OSs.
Softpedia: What do you think about security in IE compared to the other browsers?
Ondrej Vlcek: We don't see any meaningful difference in the security of IE8 versus that of the newest Firefox or even Chrome, which has the tab sandboxing. I don't think the Chrome sandbox was really designed as an anti-malware measure. It's more about the stability of the individual tabs – crashing of one tab not injuring the others. It's not really that efficient against malware.
But, in general I'd say that the browsers – all major browsers on the market – are probably the most secure pieces of software that you can ever meet, because they've been scrutinized so many times and there are so many eyes looking at them. They're really quite safe compared to all the other components which are addressable from the browsers, but are not part of them, such as PDF readers, etc., that are usually more problematic.
Softpedia: Yes, but Google is looking into sandboxing plug-ins now. They've already implemented a native PDF reader. They've also worked with Adobe to get a native Flash Player. So, it's a lot less exploitable. Do you think this gives them the upper hand at the moment, as far as browser security goes?
Ondrej Vlcek: It's really appreciated that they do these things. It's very hard to estimate whether it will be effective against malware, but we obviously support all attempts to improve security and find new innovative ways to fight the problem.
Softpedia: What do you think about the plans to introduce sandboxing in Adobe Reader, which is clearly targeted in a lot of attacks and is the source of many problems like drive-by downloads, etc.? Do you think it will solve the majority of the issues? Or do you think it's only a temporary solution and that they should focus on fixing the underlying problems in the software rather than relying on a sandbox?
Ondrej Vlcek: Again, it's difficult to estimate. I don't have a crystal ball. It's a move in the right direction, but I can't comment on the actual implementation. It all depends on how well it is implemented. The idea I think is very good.
Softpedia: It's better than how things are handled now anyway...
Ondrej Vlcek: Absolutely. It's just that I don't think there's a silver bullet. There will always be problems, but any method of mitigation is a move in the right direction.
Softpedia: You mentioned kernel hooking. There's been some recently published research from matousec regarding the kernel hooking performed by host intrusion prevention systems (HIPS) in antivirus products. Their conclusion was that many of these implementations are vulnerable and could enable attackers to bypass such components, which usually serve as a last line of defense. I've spoken with other AV vendors about it and some said their new versions will stop using kernel hooking. Do you plan to remove it from your products as well?
Ondrej Vlcek: None of our core functionality relies on hooks. We do some hooking, but it's not related to the core functionality. Some of it is in the Behavior Shield where we have no other choice. The problem with this test is that what matousec described basically looked like a complete breach of all the antiviruses, but there are much easier ways to do what he did.
What he's trying to do are things like bypassing the self-defense of the antivirus. But, there is no AV that has a self-defense that is completely bulletproof and everyone knows this; also in underground circles, I'm afraid. This is just one of the methods to do it, but a very difficult one actually. It would take a lot of resources and a lot of time. So, why do something complex when there are easier ways to achieve the same thing?
Softpedia: But regarding the practice in general, hooking the kernel, Microsoft is trying to get developers to drop it.
Ondrej Vlcek: Correct. That's something they've been doing for many years. But, the reason for this really is that they've found out that many of the blue screens were directly caused by hooks. And that's because there is just no way to implement them one hundred percent reliably in Windows.
It's really about synchronization issues. In the moment when you install the hook, if someone else does the same thing, the system will crash. And there are also other situations. For example, there's no way to reliably unhook, to remove the hook, because you don't know if someone else is on top of you. That person who is hooked on top of you doesn't know where to jump if you unload.
There are issues like these and I can sort of understand that. But, the AV or security vendors aren't hooking the kernel because it's fun. There are some legitimate reasons for doing this and unless there are some replacement APIs that we could use, there is probably no way we could stop hooking.
Softpedia: But, they're working on offering you alternatives, right?
Ondrej Vlcek: Yes. We work together, but it's a very, very lengthy process. The first draft of these dates from before Vista. So, Vista brought some improvements, Windows 7 added a few more, but generally for HIPS-like solutions or sandbox-like solutions, it's insufficient. We need to continue with that.
(Transcribed from audio)
UPDATE (24 August 2010): Updated the text with a link to the second part of the interview, which can be found here.