Kaspersky, AVG, Symantec, Microsoft Beïnvloed door Code Hooking Bug

Beveiliging onderzoekers van enSilo heb met een aantal schokkende conclusies gekomen in termen van de haken en de injectie methoden die door verschillende leveranciers. Hun onderzoek is gestart in 2015 toen ze merkten een injectie probleem in AVG. Later, they found similar problems in McAfee and Kaspersky products.

The further the onderzoek went, the more troublesome the results were getting. The bottom line is that six vulnerabilities have been exposed in the way that some quite big vendors handle the code hooking technique. These vulnerabilities make the software prone to malware and eventually to the exploit of the targeted device.

Eerste, What Is Code Hooking?

Hooking is a technique used by software, such as products that do virtualization, sandboxing and performance monitoring, to monitor and/or change the behavior of operating system functions in order to operate effectively.

Code hooking is very critical for the establishment of security products and antivirus software.

It’s particularly critical for security products. AV programs typically employ hooking to allow it to monitor for malicious activity on a system. The average anti-exploitation tool monitors memory allocation functions in order to detect vulnerability exploitation. A security bug in the hooking function makes the system vulnerable to compromise.

Verwant: Symantec producten Schuldig van Charge van meerdere ernstige gebreken

Such vulnerability gives the attacker a way to bypass the OS and third-party exploit mitigations, enSilo experts explain. Dankzij deze, the attacker can easily leverage the flaw which would otherwise be much more difficult, and exploit it successfully. The worst of these vulnerabilities would allow the attacker to endure on the victim’s machine and stay undetected. He would also be able to inject code into any system process.

Which Anti-Virus Products and Software Vendors Are Exposed to Code Hooking Vulnerabilities?

• Microsoft’s hooking engine, Detours. From Microsoft.com: “Under commercial release for over 10 jaar, Detours is licensed by over 100 ISVs [independent software vendors] and used within nearly every product team at Microsoft.”
• AVG
• Kaspersky
• McAfee
• Symantec
• A major AV vendor
• BitDefender
• Citrix XenDesktop
• WebRoot
• AVAST
• Emsisoft
• Vera

Zoals verwacht, Microsoft is the most popular hooking engine in the world which is used by more than 100 ISVs. This means that millions of users could be affected. In de meeste gevallen, fixing this issue will require recompilation of each product individually which makes patching extremely hard.

The enSilo team has been notifying all of the above-mentioned vendors throughout the past 8 maanden. It’s crucial to note that companies running affected software should get patches directly from the vendors, indien beschikbaar. If patches are not available yet, the company should demand them immediately.