Patch frenzy imminent, say researchers, thanks to bad use of code hooking
Updated Hundreds of security products may not be up to the job, researchers say, thanks to flawed uses of code hooking.
The research is the handiwork of EnSilo duo Udi Yavo and Tommer Bitton, who disclosed the bugs in anti-virus and Windows security tools ahead of their presentation at the Black Hat Las Vegas conference next month.
The pair says 15 products including those from AVG, Symantec, and McAfee are affected.
Scores more may be vulnerable thanks to their use of Microsoft’s Detours, code Redmond says is used for “re-routing Win32 APIs underneath applications [and] is licensed by over 100 ISVs and used within nearly every product team at Microsoft.”
The researchers did not specify if Microsoft’s enhanced mitigation experience toolkit (EMET) is affected.
Attackers would already need access to a system to reap the benefits of the vulnerabilities and neuter the security platforms running on the target system.
“We found six different common security issues that stem from incorrect implementation of code hooking and injections techniques,” the pair say.
“These issues were found in more than 15 different products. Practically, it means that thousands of products are affected.”
Microsoft is brewing a patch for Detours due to drop next month, which will help to address matters.
The pair examined intrusive user-mode hooks common across end point security products and man-in-the-middle malware alike, namely the Duqu trojan, making the “depressing” finding that many are vulnerable to exploitation.
Patching will be a slow process of recompiling affected security software, the pair say. ®
Updated to add
Symantec contacted us to let us know that it provided a fix to customers back in March.
The security advisory can be found here.
Sponsored: Global DDoS threat landscape report