
2 Intern • 1K Posts • May 6th, 2010 11:00

Kernel Mode Drivers Can Be Bypassed On Security Programs

A little too dense for my knowledge about Windows and security programs. This article is for Bugbatter to explain to us simple mortals. It seems that no security program was able to effectively hold malicious code running on an unprivileged user account.

http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php

New worm, unsafe browsers, and now this. When they come, they come in a roll.

Regards

4 Apprentice • 20.5K Posts • May 7th, 2010 13:00

The Register beat me to it. Here's a summary:

http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass/

2 Intern • 1K Posts • May 7th, 2010 16:00

Thank you BB.

Even though Mr. Goodin says:

"...the exploit has its limitations. It requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC."

He also says:

"...the technique might be combined with an exploit of another piece of software, say, a vulnerable version of Adobe Reader or Oracle's Java Virtual Machine to install malware without arousing the suspicion of any AV software the victim was using."

This is serious stuff, isn't it?

Regards.

2 Intern • 1K Posts • May 7th, 2010 17:00

Hi David.

"... all we can do is remain calm, and do our best to practice safe surfing. We can't let this deter us from using our computers."

What else? I always do. What I meant was that hopefully there are people taking this article seriously and working on the problem.

Regards.

5 Journeyman • 15.6K Posts • 45K Points • May 7th, 2010 17:00

"This is serious stuff, isn't it?"

Given that EVERY anti-virus program tested (including the likes of Avast, Avira, AVG, Norton, McAfee, ESET & Kaspersky) was vulnerable to this particular exploit, the matter would seem to be out of the hands of us end-users... it's not like they offered a secure alternative that we can consider... so I think, being pragmatic, all we can do is remain calm, and do our best to practice safe surfing. We can't let this deter us from using our computers.

EDIT: See Iroc9555's post below, that MSE (Microsoft Security Essentials) is NOT impacted by this vulnerability.

2 Intern • 5.8K Posts • 17.3K Points • May 7th, 2010 19:00

I never know what to make of "doom and gloom" articles like this Matousec paper.

They claim to find an attack vector that defeats many commonly used desktop AVs and suites in a controlled environment, and publish some highly technical details I have no way of understanding (but maybe the bad guys do: "we will show you how to bypass the protection easily"). One hopes Matousec shares their research with the security vendors involved first, and in somewhat more detail!

My initial response to the public release of this paper is to ask "Cui bono?".

Certainly not me, since it provides no instructions or guidance on how to mitigate against theoretical threats. Their summary conclusion that "Today's most popular security solutions simply do not work" smacks of sensationalism, and is at odds with my experience.

I have used many of "Today's most popular security solutions" and they have served me well for years, in the context of layered security and Safe Surfing. I've no idea if Matousec has identified a significant new threat or not, but I have no plans on changing any of my defenses soon.

5 Journeyman

• 15.6K Posts • 45K Points • May 8th, 2010 06:00

Let me commence by stating that I have only "skimmed" the referenced article, and I make no pretense that I understand it. Having said this:

It would seem to me that one of two things is happening here. Either:

1) the technique/method/procedure of using "SSDT kernel hooking" is inherently vulnerable --- in which case, EVERY anti-virus (or other security) program that uses this "feature" must individually re-code their programming using an alternative method which is deemed secure. That is to say, provided such a truly secure alternative actually exists. Or:

2) the flaw is deeply embedded in Windows itself, in which case only Microsoft can fix it... once... for everyone.

We'll see what happens. In any event, I won't be losing any sleep over something over which I have no control, and for which --- as Joe said --- we have "no instructions or guidance on how to mitigate against theoretical threats". (If ALL anti-virus programs are vulnerable, is the solution not to use any? I would think NOT!)

-----

Agreeing again with Joe, "One hopes Matousec shares their research with the security vendors involved first". That would be the responsible way to proceed... so that the vendors can contemplate the matter, and see what (if anything) they can do to at least mitigate --- if not completely fix --- the vulnerability. The alternative --- that the matter is being publicized without first warning the security vendors --- would be tantamount to opening "Pandora's Box", freely offering hackers (both professional and amateur) an entry point to do their evil deed.

2 Intern • 1K Posts • May 9th, 2010 18:00

Well, well.

It seems that this form of attack was known and published in 2003 (article), and there are accusations that one person (no names from me) adjudicated the discovery to himself.

http://www.wilderssecurity.com/showpost.php?s=2421b4af54971efadce10823563dece4&p=1673813&postcount=75

Well, even though that kind of alleged action speaks badly of the professionalism of the person involved, I really do not care for the drama.

What I ask myself is why no one from any security program paid attention to that article and did something about it in 2003. HEY guys, this is 2010.

2 Intern • 5.8K Posts • 17.3K Points • May 9th, 2010 19:00

Hernan:

Seven years on, and the sky has still not fallen!

My trust in anything Matousec says is severely eroded.

2 Intern • 5.8K Posts • 17.3K Points • May 11th, 2010 20:00

Update:

Some of the more reasoned replies from around the security industry place this threat in perspective:

http://www.eset.eu/press-ESET-matousec-earthquake-vulnerability
http://www.eset.com/blog/2010/05/11/khobe-wan-these-arent-the-droids-youre-looking-for
http://sunbeltblog.blogspot.com/2010/05/matouseccom-bait-and-switch.html
http://www.f-secure.com/weblog/archives/00001949.html

They all generally agree there is a potential threat, that it has been known about for years, that it requires an unusual number of conditions being met, and that it has yet to be exploited in the wild.

My gut instinct tells me to place more credence on these responses than on the sensationalism generated by Matousec, and amplified by the press.

2 Intern • 1K Posts • May 12th, 2010 06:00

Thank you Joe.

I must also concur with you, after reading the articles you posted and some responses from Avast and Comodo research teams in their respective forums, that Matousec's article just got out of hand. Now at the same time, the article generated such an outpouring from the computer user community that the security companies have to revise their products and give a truthful answer to their customers. Even if it is not truthful, I bet you that they are testing their programs to see how they can solve their vulnerability.

Thank you again for the articles and follow up.

2 Intern • 1K Posts • May 14th, 2010 18:00

This just came up at Comodo Forums.

It seems that MSE is immune to the KHOBE attack. Well, another plus point for MSE.

http://arstechnica.com/microsoft/news/2010/05/microsoft-mse-safe-from-windows-kernel-hook-attack.ars

Regards.

5 Journeyman • 15.6K Posts • 45K Points • May 15th, 2010 06:00

Hernan,

Fascinating find there! So now, for anyone who IS particularly concerned about this vulnerability, we finally have a "solution".

However, given Joe's comment above: "... it has been known about for years, that it requires an unusual number of conditions being met, and that it has yet to be exploited in the wild", I for one do not plan on switching my anti-virus (avast5) at this time.

Because, in the immortal words of [and paraphrasing] Roseanne Roseannadanna (Gilda Radner's character on Saturday Night Live), "it's always something!": If it's not the Khobe vulnerability, then there'll be some other vulnerability found in MSE. So like I said, I'll just sit tight with what I have/know.

Others may decide differently, taking this as a good opportunity to test-out MSE.

2 Intern • 5.8K Posts • 17.3K Points • May 15th, 2010 11:00

Nice find, Hernan!

As a follow-up to my question above - Cui bono? (Who benefits?) - from Matousec's publication, one answer is found in this blog from the website of the AV vendor GData:

"Of course we wanted to know how exactly our product is concerned, so I sent an email via their contact form asking for information how exactly our software is considered "vulnerable" (as they put it in their table). The answer was anonymous and strange in several ways: ... "

Full read: http://blog.gdatasoftware.com/overview/article/1654-khobe-no-problem.html

Somehow, I'm not surprised at the answer.

2 Intern • 1K Posts • May 15th, 2010 13:00

Joe53:

"(Who benefits?)"

I agree that Matousec's KHOBE publication (whether his or not) without notifying the security companies could have been irresponsible, but on the other hand now you have a few security companies saying that they knew and are working on it, or that it is improbable to happen in the wild, or worse still that their product is not affected. I know that GData is in the vulnerability list given by Matousec but MSE is not. I do not want to say that GData is lying, but I cannot say that Matousec is wrong either. If you know what I mean. However, the article that Joe53 posted gives many things to wonder about in GData's answer to Ralf Benzmüller.

I only know that a can of worms has been opened, because this topic is all around in the forums. Users really are wondering who is keeping an eye out for them when they use or buy a security app.

Who benefits? I hope we do, just hope.

Now, like ky331 said above, paraphrasing the immortal words of Roseanne (SNL), Gilda Radner's character (RIP 1989): "It's always something!"

Or like you, joe53, said: "The sky has still not fallen".

AMEN.
