Select Page

Researchers at matousec.com have reported a bait-and-switch vulnerability in the 30 leading anti-malware products on the market today including VIPRE. The vulnerability exploits Windows driver hooks in anti-virus programs, sending them a piece of non-malicious code to bypass security checks then exchanging it for malicious executables.

Although their report has resulted in screaming headlines worldwide, researchers have pointed out that the vulnerability has existed for years without anyone exploiting it. Also, to be successful, an attacker would need the ability to run code on a computer (in which case a victim has much larger problems than this) and the exploit code is very large.

Sunbelt Software Chief Technology Officer Eric Sites said: “The matousec.com blog published a possible attack method that could be used for researching actual vulnerabilities. All of the security products he listed may or may not be vulnerable to this method of attack. VIPRE uses SSDT hooks only for older version of Windows and then only sparingly where APIs provided by Microsoft don’t exist or are too buggy to use. VIPRE does not use SSDT hooks for 64-bit versions of Windows because of Microsoft’s PatchGuard technology and Microsoft new APIs for security software. That said we are reviewing our drivers to make sure our products are not vulnerable to the method of attack.

“If any of the vendors’ security products do have an actual vulnerabilities to this attack method it is very sad that matousec.com did not use responsible disclosure and give the security vendors time to review their products before publicly disclosing this information and putting everyone at risk. matousec.com notified us about the attack method and possible vulnerability on April 20th and then promptly released this information on May 5th which does not give any vendor time to review tens or hundreds of thousands lines of code to hunt for possible vulnerabilities. And no time at all to fix, test and deploy updated versions of security products. This is very sad and very irresponsible.”

The Register put the vulnerability in perspective in the eighth paragraph of their story:

“Still, the exploit has its limitations. It requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC.”

Story here: “New attack bypasses virtually all AV protection”

Dwight Silverman on the Houston Chronicle’s TechBlog puts the vulnerability in further perspective. He quotes Lucian Constantin of Softpedia: “There is still a debate about the impact of this vulnerability, especially since the underlying problem has been known for years, yet no practical attack has been detected in the wild. On the other hand, it is also true that multi-core processors, which drastically increase the success rate of this attack, have since become widespread in desktop computers. Nevertheless, from information we received in confidence, some antivirus vendors were already planning to stop using SSDT hooks in the next version of their products, since before this research came out.”

Blog here: “In theory, your antivirus software is worthless”

Tom Kelchner