Antivirus holes, browser spies are highlights at Microsoft's BlueHat hacker sessions

The ease with which holes in antivirus software can be discovered and the insidiousness of invisible scripts that can track your Web surfing were two of the notable talks at the BlueHat hacker sessions Microsoft held Friday on its Redmond, Wash., campus, according to a veteran attendee.

The invitation-only event, held every six months for the past three years, brings top security researchers to the home of the biggest software company in the world where they discuss the latest and greatest exploits and issues in the world of computer security.

"You actually have 'the developer' who does something who shows up to hear from 'the attacker' who is breaking it. And that's pretty cool," Dan Kaminsky of security firm IOActive said in a phone interview.

The highlights, according to Kaminsky, were: a talk on design weaknesses in Windows by Cesar Cerrudo, founder and chief executive of Argeniss, that Kaminsky described as a "technical tour de force" that was "scaring lots of people over here"; a session by independent security researcher Manuel Caballero on how an invisible script can follow a Web surfer around on the Internet, enabling the "browser to be monitored by the bad guy;" a session on Web browser failings by Alex "kuza55" K., another independent security researcher; as well as a talk on holes in antivirus software by Feng Xue, also known as "Sowhat," who is technical lead at the research lab of Nevis Networks.

"We all kind of know antivirus is broken," said Kaminsky. Xue has been showing "how he can do some pretty simple stuff to AV code and the stuff just falls over. The interesting thing is how easy it is to reach."

For example, Xue explained how sending an infected file to someone then returns a reply that specifies which antivirus product scanned it, which enables a hacker to then use an exploit tailored for that particular product, Kaminsky said.

Xue talked about how to exploit the vulnerabilities through Web pages, peer-to-peer and IM. He also demonstrated some vulnerabilities in antivirus programs that he discovered using "fuzzing," a technique in which you try to make the program fail or crash, he said through an interpreter in a phone interview with CNET News.com. He declined to name the vendor of antivirus software because the company was still working on a patch for the vulnerability.

Xue said he has also used reverse engineering and source-code auditing to find vulnerabilities in most of the top 20 antivirus products. His company is working to disclose the vulnerability information to the companies. AV companies need to be aware that just scanning the potentially malicious files, as it does to try to learn if they contain viruses, puts the AV software at risk because the file could be written to attack the AV software, he said.

Others have found other holes in antivirus software and prompted vendors to fix the vulnerabilities. Recently, a mail server in Denmark was compromised and data was stolen as a result of a Zero Day exploit written to take advantage of an unpatched vulnerability in antivirus software, according to Xue.

Microsoft, which has struggled to protect Vista users against viruses, considers the threat serious and is likely gleaning knowledge for its own Windows Live OneCare antivirus efforts.

Meanwhile, two technologies in Vista--Address Space Layout Randomization and Data Execution Prevention--can help minimize the damage from an attack on a vulnerability in antivirus software, say by crashing the program to prevent a server compromise, Xue said.

For some attendees, the event doesn't end with the sessions. IOActive has organized a limousine race photo scavenger hunt for Friday night that has become somewhat of a tradition. This unofficial event brings some levity after two days of talks.

"It's hard to take yourself too seriously if you're in a big costume rolling around in a limo, getting out and having a photo taken of you hugging a tree," Kaminsky said.