Electronic news service of the Ministry of Communications and Information Technologies

Researchers spot bypass vulnerabilities in code hooking software


Researchers have discovered flaws in products from some of the world’s biggest security firms that could potentially expose hundreds of thousands of users to attack.
The flaws all revolve around incorrect implementation of code hooking, according to researchers at data protection firm enSilo. Code hooking is a technique that enables the monitoring and/or changing of the behavior of operating system functions.

It is widely used in the antivirus industry to enable products to monitor for suspicious activity, but also has uses in virtualisation, performance monitoring, and more.

The code hooking issues discovered by enSilo cover 15 different products. Companies affected include: AVG, Kaspersky, McAfee, Symantec, Trend Micro, BitDefender, Citrix XenDesktop, Webroot, Avast, Emsisoft, and Vera.

More worryingly, the company also said the flaw was found in three different hooking engines, including Microsoft Detours, which is considered the most popular commercial hooking engine on the market. This means potentially thousands more products, and hundreds of thousands of users, are affected by the flaw, enSilo said.

Microsoft has said it plans to patch the issue in August. enSilo’s co-founder and CTO Udi Yavo and Tommer Bitton, co-founder and VP of research, said that won’t be an easy task. “In most cases fixing this issue will require recompilation of each product individually which makes patching extremely hard.”

Exploiting the flaw could result in attackers being able to inject code into any process running on the system, Yavo and Bitton wrote in a blog post.

“Most of these vulnerabilities allow an attacker to easily bypass the operating system and third-party exploit mitigations,” they said. “This means an attacker may be able to easily leverage and exploit these vulnerabilities that would otherwise be very difficult or even impossible to weaponize. The worst vulnerabilities would allow the attacker to stay undetected on the victim’s machine or to inject code into any process in the system.”

“Companies using affected software should get patches from the vendors, if available, and demand patches if they aren’t yet available. Customers using software from the affected vendors should contact their vendors and demand that the software be patched,” the blog added.

The duo plan to present their findings at the upcoming Black Hat security conference in Las Vegas.

21/07/16