Code Hooking Opens Security Product Vulnerability

Security vendors are once again in the dock after researchers revealed that products that utilise “code hooking” have potentially opened the door to hackers.

It comes after researchers at Google’s Project Zero team last month said that Symantec had really “dropped the ball”, after the team uncovered a series of critical vulnerabilities in Symantec’s antivirus products.

Captain Hook

The revelation that end-point security products, specifically anti-virus (AV) and anti-exploitation products, contain serious vulnerabilities was made by data protection company enSilo in a blog post.

“We found 6(!) different common security issues that stem from incorrect implementation of code hooking and injection techniques,” the researchers warned. “These issues were found in more than 15 different products.”

They intend to provide their full technical findings at the Black Hat 2016 security conference next month in Las Vegas.

“User-mode hooks are used by most of the end-point security vendors today,” the enSilo researchers warned. “Beyond their usage in security, hooks are used in other invasive applications such as Application Performance Management (APM) technologies to track performance bottlenecks.”

But what exactly is hooking?

“Hooking itself is a very intrusive coding operation where function calls (mainly operating system functions) are intercepted in order to alter or augment their behaviour,” wrote the researchers. “For our research, we investigated more than a dozen popular security products. Our findings were depressing – we revealed six different security problems and vulnerabilities stemming from this practice.”

Hooks essentially allow intrusive software to intercept and monitor sensitive API calls, and are widely used in security products to detect malicious activity. The researchers said that most anti-exploitation solutions monitor memory allocation functions, such as VirtualAlloc and VirtualProtect, in an attempt to detect vulnerability exploitation, since an exploit typically has to allocate or re-protect memory as executable before it can run its payload.

Hooks are also used by the bad guys in their malware, most notably in man-in-the-browser (MitB) attacks, where a banking trojan hooks the browser’s networking functions to read and alter web traffic before it is encrypted. It should be noted that hooks are also found in other types of products, including virtualisation and performance monitoring applications.

“The most common form of hooking in real-life products, especially security products, is inline hooking,” said the researchers. “Inline hooking is performed by overwriting the first few instructions in the hooked function and redirecting it to the hooking function.”
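What an inline hook of this kind looks like in practice, as an added example that is not code from enSilo or from this article: it assumes Linux on x86-64 with GCC or Clang, uses a hypothetical mem_alloc() as a stand-in for VirtualAlloc, and has the hooking function deny read-write-execute allocations in the way the anti-exploitation products mentioned above monitor VirtualAlloc and VirtualProtect. All function and variable names are the example’s own.

```c
/*
 * Inline hook demo (added example; assumes Linux on x86-64, GCC or Clang).
 * mem_alloc() stands in for VirtualAlloc(); hook_alloc() is the monitoring
 * function a security product would install. All names are hypothetical.
 */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PATCH_LEN 5                      /* E9 <rel32>: 5-byte near jmp */
#define PROT_RWX (PROT_READ | PROT_WRITE | PROT_EXEC)

typedef void *(*alloc_fn)(size_t size, int prot);

static unsigned char saved[PATCH_LEN];   /* original prologue bytes */
static alloc_fn volatile target_fn;      /* hooked function, called via pointer */
static int blocked_calls;                /* RWX requests the hook denied */
static int installed;                    /* guard against double patching */

/* The function to be hooked. noinline keeps it a real call target, and its
 * body is far longer than 5 bytes, so the patch never runs past its end. */
__attribute__((noinline)) void *mem_alloc(size_t size, int prot)
{
    void *p = mmap(NULL, size, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Make the page(s) holding the first PATCH_LEN bytes at addr read/write/exec. */
static int make_writable(void *addr)
{
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(pg - 1);
    uintptr_t end = ((uintptr_t)addr + PATCH_LEN + pg - 1) & ~(pg - 1);
    return mprotect((void *)start, end - start, PROT_RWX);
}

/* Overwrite the first 5 bytes at `from` with `jmp to` (relative displacement). */
static void write_jmp(void *from, void *to)
{
    int32_t rel = (int32_t)((intptr_t)to - ((intptr_t)from + PATCH_LEN));
    unsigned char buf[PATCH_LEN] = { 0xE9 };
    memcpy(buf + 1, &rel, sizeof rel);
    memcpy(from, buf, PATCH_LEN);
}

/* The hook: runs instead of mem_alloc() once the jmp is in place. */
static void *hook_alloc(size_t size, int prot)
{
    if ((prot & PROT_RWX) == PROT_RWX) { /* policy: deny RWX allocations */
        blocked_calls++;
        return NULL;
    }
    /* No trampoline here: restore the prologue, call the original, re-patch.
     * That leaves a window in which another thread bypasses the hook, and the
     * code page stays writable, both shortcuts a real product must not take. */
    void *code = (void *)(uintptr_t)target_fn;
    memcpy(code, saved, PATCH_LEN);
    void *p = target_fn(size, prot);
    write_jmp(code, (void *)(uintptr_t)hook_alloc);
    return p;
}

/* Install the hook on mem_alloc(). Returns 0 on success, -1 otherwise. */
int install_hook(void)
{
    if (installed) return 0;
    void *code = (void *)(uintptr_t)mem_alloc;
    intptr_t dist = (intptr_t)(uintptr_t)hook_alloc - ((intptr_t)code + PATCH_LEN);
    if (dist > INT32_MAX || dist < INT32_MIN) return -1; /* rel32 out of range */
    if (make_writable(code) != 0) return -1;
    memcpy(saved, code, PATCH_LEN);
    target_fn = mem_alloc;
    write_jmp(code, (void *)(uintptr_t)hook_alloc);
    installed = 1;
    return 0;
}

/* Exercise the hooked allocator: one RW request (should pass through) and one
 * RWX request (should be denied). Returns the number of denied calls, 1 when
 * the hook behaves as intended, or a negative value on failure. */
int run_demo(void)
{
    if (install_hook() != 0) return -1;
    blocked_calls = 0;
    alloc_fn volatile call = mem_alloc;  /* force a real call into the patched code */
    void *rw  = call(4096, PROT_READ | PROT_WRITE);
    void *rwx = call(4096, PROT_RWX);
    if (rw) munmap(rw, 4096);
    if (rwx) munmap(rwx, 4096);
    return (rw != NULL && rwx == NULL) ? blocked_calls : -2;
}

int main(void)
{
    printf("denied RWX allocations: %d\n", run_demo());
    return 0;
}
```

Build with `cc -O2 hook.c -o hook && ./hook`. The two shortcuts flagged in the comments (unpatching instead of using a trampoline, and leaving the hooked code page writable) are exactly the sort of implementation detail that decides whether a hook is a defence or an extra attack surface: code that an attacker can overwrite, or briefly call around, gives them a way past the monitoring the hook was installed to provide.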

A more detailed breakdown of the vulnerabilities is provided in their blog post, but the researchers reported that products from AVG, Kaspersky Lab, McAfee/Intel Security, Symantec, Trend Micro, Bitdefender, Citrix, Avast, Emsisoft and others are all affected by at least one of the flaws.

Unsecure Security?

This is not the first time that flaws have been found in security products. Besides last month’s discovery of flaws in Symantec products, other research has identified flaws with other legitimate security and enterprise products.

Last September, for example, some of the leading security products on the market were reported to contain a raft of dangerous vulnerabilities.

FireEye’s security product was apparently hacked by Los Angeles-based researcher Kristian Erik Hermansen, who revealed on Twitter that he had found ‘at least four’ security flaws in the company’s core product.

Kaspersky’s anti-virus product was also reportedly hacked by Google security researcher Tavis Ormandy, who claimed on Twitter to have found “a remote, zero interaction SYSTEM exploit, in default config.”


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
