Chinese government-mandated 'Green Dam' PC filtering software insecure, say researchers

Green Dam purports to protect PCs, but may do exactly the opposite, say researchers.

'Green Dam' is a content-filtering program that, according to press reports, the Chinese Government will soon require to be installed on every computer sold in the country. It is promoted as protecting users, and works by blocking access to websites on a blacklist that the software downloads and updates.

However, researchers Scott Wolchok, Randy Yao and J. Alex Halderman say that within 12 hours of testing they uncovered vulnerabilities that could allow any website to compromise a visiting computer on which the software is installed.

"After only one day of testing the Green Dam software, we found two major security vulnerabilities. The first is an error in the way the software processes web sites it monitors. The second is a bug in the way the software installs blacklist updates. Both allow remote parties to execute arbitrary code and take control of the computer," said the report.

In the first instance, the function that checks the URLs a user visits against the blacklist is subject to a buffer overflow, so a malicious web page can trigger it simply by being visited. In the second, the filter files the software downloads to update its list of banned sites are not verified before they are installed, so an attacker impersonating the update server, or the original authors of the software, can deliver a malformed file. Parsing such a file triggers a further buffer overflow that again allows arbitrary code to be run on the machine.
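To make the two bug classes concrete, the following is an added illustration written for this article and is not Green Dam's actual code, whose internals the researchers did not publish here. It assumes a hypothetical filter that keeps hostnames in fixed-size buffers, loads its blacklist from a text file with fscanf, and extracts the host from each visited URL into another fixed buffer. The unsafe forms (fscanf with an unbounded %s, sprintf into a fixed buffer) are shown as comments only; the working code is the hardened form, and it covers both the URL check and the blacklist-file parse from the paragraph above. The sample blacklist, including an over-long entry standing in for a corrupted update, is constructed inline.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define HOST_MAX 64   /* fixed host buffer size: an assumption for this example */
#define LIST_MAX 16

/* Constructed sample filter file: one hostname per line. The 78-byte middle
 * entry plays the role of a corrupted update that does not fit in HOST_MAX. */
static const char SAMPLE_BLACKLIST[] =
    "badsite.example\n"
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example\n"
    "evil.example\n";

typedef struct {
    char host[LIST_MAX][HOST_MAX];
    int count;
} blacklist_t;

/* Unsafe loader (the fscanf bug class from the report). "%s" has no width, so a
 * line longer than HOST_MAX-1 bytes overruns host[]. Shown only for contrast:
 *     while (fscanf(fp, "%s", bl->host[bl->count]) == 1) bl->count++;
 */

/* Hardened loader: explicit field width, and an entry that filled the buffer
 * without reaching whitespace/EOF is discarded as malformed, not silently
 * truncated. Returns the number of entries skipped. */
int load_blacklist(FILE *fp, blacklist_t *bl)
{
    char fmt[16], tok[HOST_MAX];
    int skipped = 0;
    snprintf(fmt, sizeof fmt, "%%%ds", HOST_MAX - 1);   /* builds "%63s" */
    bl->count = 0;
    while (bl->count < LIST_MAX && fscanf(fp, fmt, tok) == 1) {
        int c = fgetc(fp);
        if (c != EOF && !isspace(c)) {
            /* token was cut off: drop the remainder of the oversized entry */
            while (c != EOF && !isspace(c)) c = fgetc(fp);
            skipped++;
            continue;
        }
        for (char *p = tok; *p; p++) *p = (char)tolower((unsigned char)*p);
        strcpy(bl->host[bl->count++], tok);   /* tok is bounded by the width above */
    }
    return skipped;
}

/* Unsafe extraction (the sprintf bug class):  sprintf(host, "%.*s", len, p);
 * writes however long the host is into a fixed buffer. The hardened form checks
 * snprintf's return value and rejects URLs whose host does not fit, instead of
 * comparing a truncated host (which could let a long hostname slip past). */
int url_host(const char *url, char *host, size_t hostsz)
{
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;
    size_t len = strcspn(p, "/:?#");
    if (len == 0) return -1;
    int n = snprintf(host, hostsz, "%.*s", (int)len, p);
    if (n < 0 || (size_t)n >= hostsz) return -1;   /* would not fit: reject */
    for (char *q = host; *q; q++) *q = (char)tolower((unsigned char)*q);
    return 0;
}

/* 1 = blocked, 0 = allowed, -1 = URL could not be processed safely */
int url_blocked(const blacklist_t *bl, const char *url)
{
    char host[HOST_MAX];
    if (url_host(url, host, sizeof host) != 0) return -1;
    size_t hl = strlen(host);
    for (int i = 0; i < bl->count; i++) {
        const char *e = bl->host[i];
        size_t el = strlen(e);
        if (hl == el && strcmp(host, e) == 0) return 1;
        /* subdomain match only on a label boundary, so notbadsite.example is not hit */
        if (hl > el && strcmp(host + hl - el, e) == 0 && host[hl - el - 1] == '.') return 1;
    }
    return 0;
}

/* Load the constructed sample list from memory; returns entries skipped. */
int load_sample(blacklist_t *bl)
{
    FILE *fp = fmemopen((void *)SAMPLE_BLACKLIST, sizeof SAMPLE_BLACKLIST - 1, "r");
    if (!fp) return -1;
    int skipped = load_blacklist(fp, bl);
    fclose(fp);
    return skipped;
}

int main(void)
{
    blacklist_t bl;
    int skipped = load_sample(&bl);
    printf("loaded %d entries, skipped %d malformed\n", bl.count, skipped);
    const char *urls[] = { "http://www.badsite.example/x", "https://ok.example/",
                           "http://notbadsite.example/", "http://EVIL.example:8080/a" };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-32s -> %d\n", urls[i], url_blocked(&bl, urls[i]));
    return 0;
}
```

The point of the two return-value checks is that a filter sitting in the path of all traffic must fail closed on input it cannot handle: an entry or a host that does not fit its buffers is rejected outright rather than written past the end of the buffer, which is exactly the condition the researchers exploited.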

The software can be uninstalled by anyone who knows its administrator password, the researchers said, although the uninstaller leaves behind log files that can reveal users' browsing activity.

"The software makes extensive use of programming techniques that are known to be unsafe, such as deprecated C string processing functions including sprintf and fscanf," said the researchers. "These problems are compounded by the design of the program, which creates a large attack surface: since Green Dam filters and processes all Internet traffic, large parts of its code are exposed to attack."
