Security researchers at enSilo have come to some shocking conclusions in terms of the hooking and injection methods employed by various vendors. Their research started in 2015 when they noticed an injection issue in AVG. Later, they found similar problems in McAfee and Kaspersky products.
The further the research went, the more troublesome the results were getting. The bottom line is that six vulnerabilities have been exposed in the way that some quite big vendors handle the code hooking technique. These vulnerabilities make the software prone to malware and eventually to the exploit of the targeted device.
First, What Is Code Hooking?
Hooking is a technique used by software, such as products that do virtualization, sandboxing and performance monitoring, to monitor and/or change the behavior of operating system functions in order to operate effectively.
Code hooking is very critical for the establishment of security products and antivirus software.
It’s particularly critical for security products. AV programs typically employ hooking to allow it to monitor for malicious activity on a system. The average anti-exploitation tool monitors memory allocation functions in order to detect vulnerability exploitation. A security bug in the hooking function makes the system vulnerable to compromise.
Such vulnerability gives the attacker a way to bypass the OS and third-party exploit mitigations, enSilo experts explain. Thanks to this, the attacker can easily leverage the flaw which would otherwise be much more difficult, and exploit it successfully. The worst of these vulnerabilities would allow the attacker to endure on the victim’s machine and stay undetected. He would also be able to inject code into any system process.
Which Anti-Virus Products and Software Vendors Are Exposed to Code Hooking Vulnerabilities?
- Microsoft’s hooking engine, Detours. From Microsoft.com: “Under commercial release for over 10 years, Detours is licensed by over 100 ISVs [independent software vendors] and used within nearly every product team at Microsoft.”
- A major AV vendor
- Citrix XenDesktop
Expectedly, Microsoft is the most popular hooking engine in the world which is used by more than 100 ISVs. This means that millions of users could be affected. In most of the cases, fixing this issue will require recompilation of each product individually which makes patching extremely hard.
The enSilo team has been notifying all of the above-mentioned vendors throughout the past 8 months. It’s crucial to note that companies running affected software should get patches directly from the vendors, if available. If patches are not available yet, the company should demand them immediately.