Researchers have discovered flaws in products from some of the world’s biggest security firms that could potentially expose hundreds of thousands of users to attack.
The flaws all revolve around incorrect implementation of code hooking, according to researchers at data protection firm enSilo. Code hooking is a technique that enables the monitoring and/or changing of the behavior of operating system functions.
It is widely used in the antivirus industry to enable products to monitor for suspicious activity, but also has uses in virtualisation, performance monitoring, and more.
The code hooking issues discovered by enSilo cover 15 different products. Companies affected include: AVG, Kaspersky, McAfee, Symantec, Trend Micro, BitDefender, Citrix XenDesktop, Webroot, AVAST, Emsisoft, and Vera. The research began after enSilo found a code hooking flaw in an AVG product. AVG issued a patch for that flaw in March this year.
More worryingly, the company also said the flaw was discovered in three different hooking engines, including Microsoft Detours, which is considered the most popular commercial hooking agent on the market. This means there are potentially thousands more products and hundreds of thousands of users affected by the flaw, enSilo said.
Microsoft has said it plans to patch the issue in August. enSilo’s co-founder and CTO Udi Yavo and Tommer Bitton, co-founder and VP of research, said that won’t be an easy task. “In most cases fixing this issue will require recompilation of each product individually which makes patching extremely hard.”
Exploiting the flaw could result in attackers being able to inject code into any process running on the system, Yavo and Bitton wrote in a blog post.
“Most of these vulnerabilities allow an attacker to easily bypass the operating system and third-party exploit mitigations,” they said. “This means an attacker may be able to easily leverage and exploit these vulnerabilities that would otherwise be very difficult, or even impossible, to weaponize. The worst vulnerabilities would allow the attacker to stay undetected on the victim’s machine or to inject code into any process in the system.”
“Companies using affected software should get patches from the vendors, if available, and demand patches if they aren’t yet available. Customers using software from the affected vendors should contact their vendors and demand that the software be patched,” the blog added.
The duo plan to present their findings at the upcoming Black Hat security conference in Las Vegas.
Eric Klonowski, senior advanced threat research analyst at Webroot, said in a statement that Webroot had fully patched this vulnerability.
“enSilo contacted us about this vulnerability during the last week of December, and our team had it corrected the following week. As security is our top priority, all Webroot customers received this update from the cloud immediately after release.”
Kaspersky also confirmed that it had patched the flaw. A spokesperson told InfoSecurity Magazine: "The vulnerability, disclosed by enSilo, was addressed in a software update in September 2015, and our specialists have no evidence that this vulnerability was exploited in the wild. We would like to thank enSilo for reporting this vulnerability to us in a responsible manner."
Symantec and Avast both confirmed to InfoSecurity Magazine that they had fixed the issue. BitDefender has also said its products have been patched against this vulnerability.
Trend Micro said it has been working with the researchers to investigate the issue. "Upon Trend Micro’s technical review, this issue was found to potentially affect only one of our consumer-focused products. No business or enterprise class products are known to be affected at this time," the company said in a statement.
Trend Micro added that it should have a patch out before the Black Hat conference and that, "there is no evidence that suggests that the proof of concept exploits reported to us were ever used publicly."
Photo © Gil C/Shutterstock.com