Windows 10 Kernel Vulnerable To GhostHook Attack

Tom Jowitt,

CyberArk Labs finds GhostHook attack can bypass Microsoft’s protection of Windows 10 kernel

Researchers at CyberArk Labs have discovered a potentially very serious vulnerability with Microsoft’s most secure operating system, namely Windows 10.

The attack technique is being dubbed GhostHook, and allows attackers to completely bypass Microsoft PatchGuard.

PatchGuard (or Kernel Patch Protection) is the software that prevents the kernel of 64-bit versions of Microsoft Windows from being patched.

malware blocked stopCompletely Unnoticed

The discovery of GhostHook is pretty serious as well, because GhostHook can “completely bypass” PatchGuard and gain rootkit abilities on Windows 10 (64-bit) machines.

Being able to take control of a device at the kernel level is a hugely worrying development.

It could allow for example attackers to go completely unnoticed by all security measures that rely on getting reliable information from the kernel.

This potentially means that anti-virus packages, personal firewalls, HIPS (host intrusion prevention systems), and other endpoint security products, could be compromised.

And it could allow for the growth of 64-bit malware, typically used by nation states in advanced attacks.

“Up until now, we haven’t seen many successful rootkits on Windows 10 64-bit, thanks in large part to PatchGuard (Kernel Patch Protection),” the CyberArk Labs research team informed Silicon UK.

“This attack technique gives cyber attackers full control over a Windows 10 machine, including the ability to intercept anything on the system,” they added.

Currently, more than 400 million devices worldwide currently run on Windows 10, and the fact that GhostHook attackers could bury a rootkit in the kernel will no doubt cause sleepless nights over at Redmond.

CyberArk Labs is responsibly not revealing detailed information about the GhostHook vulnerability at the moment.

Kernel Compromise

This is not the first time that malware has been found to compromise the Windows kernel.

In 2009 for example, the Mebroot rootkit (also known as Sinowal and Torpig) once it infected a Windows PC, was able to deliver a payload that could record keystrokes, sniff HTTP and HTTPS Post requests, and inject arbitrary HTML into websites, particularly banking sites.

But Microsoft claims that Windows 10 is its most secure operating system to date, and if this new development allows for the proliferation of 64-bit malware (which is currently rarely seen in the commercial world) it could be a very concerning development indeed.

There is no word on either Microsoft is working on a patch for this vulnerability, but system admins are advised to pay close attention to July’s Patch Tuesday security update.

Quiz: Do you know all about security?