enSilo identifies six issues across hundreds of products

Jul 19, 2016 21:05 GMT

Six vulnerabilities in the way some software vendors use the "code hooking" technique expose their products to malware, which can leverage these flaws to bypass security mitigations and compromise targeted devices.

Hooking is a coding technique that allows an application to tap into the execution of another application's process. Many kinds of desktop application use it, especially security products that need to monitor other apps for malicious activity.

Security firm enSilo discovered a problem with how a large number of software applications implement hooking, which leaves the door open to exploitation by malicious actors.

Vulnerabilities identified in 2015

enSilo's research stems from a previous investigation that identified problems in how AVG, McAfee, and Kaspersky handle the computer's memory space.

During that investigation, enSilo's team noticed the problematic way in which antivirus engines hook into other applications and system APIs to monitor and scan for malicious activity.

Later on, they discovered that other kinds of applications, such as virtualization and performance monitoring software, are vulnerable to the same issue, which malware can leverage in attacks meant to bypass security software and OS-level malware mitigation techniques.

Hundreds of applications affected, millions of users exposed

According to enSilo, the following companies have been notified and have started patching their products: AVG, Kaspersky, McAfee, Symantec, BitDefender, Citrix XenDesktop, WebRoot, Emsisoft, Vera, and Avast.

Additionally, any application that uses the Microsoft Detours hooking engine is also affected. This includes a huge list of products from over 100 ISVs (independent software vendors), along with almost all of Microsoft's own products, such as the Office suite.

Patching all applications implies recompiling every affected product and distributing new versions, which explains why enSilo waited so long to publicly disclose the issues.

Microsoft has said it will update its apps and the Detours engine in its August Patch Tuesday.

In the meantime, the researchers are set to present their findings at this year's Black Hat security conference, scheduled to take place in Las Vegas at the start of August. A more technical explanation can be read here, written by Udi Yavo and Tomer Bitton of enSilo.