Researchers find way to bypass all Windows security software


Security analyst firm Matousec claims it has revealed a vulnerability in Windows PCs that could leave mainstream security software all but powerless to prevent an attack.

The flaw exploits the way anti-virus packages use System Service Descriptor Table (SSDT) hooks to access the Windows kernel. Because of the inability of multi-core systems to track threads running on other processing cores, a simple bait-and-switch attack stands no chance of being detected if the timing is right.

Once an anti-virus program is satisfied a given piece of code poses no threat, it will give the code the green light to be executed. However, at this point there is a short window where the innocent code can be replaced by malicious code without the security software being any the wiser.

Matousec said that because the technique relies on two threads effectively contending for the same resource simultaneously, its success will depend on the execution state of the SSDT hooks and, of course, the malicious code will need to be present somewhere on the system in the first place. But Matousec reported that all its tests were successful within the first few tries.

Since the vulnerability has nothing to do with the scanning process itself, but is instead related to the very nature of Windows security software, Matousec said the technique is effective on "100 per cent of the tested products".

It provided a list of 34 security products it had confirmed as vulnerable, including popular packages from the likes of McAfee, Norton and Kaspersky, but said the list was only limited to 34 because its testers had run out of time.

The Matousec researchers claimed the attack is effective even from non-privileged accounts, and affects all versions of Windows.

However, the firm pointed out that while the exploit is simple in theory, it requires a large amount of code to be present on the system and so would only suit a very deliberate attack.

The team created a proof of concept labelled KHOBE (Kernel Hook Bypassing Engine) for internal testing purposes, and said thus far it has yet to discover any examples of the technique being used in the wild.