Code Hooking Opens Security Product Vulnerability

A digital padlock. Security, privacy

Fresh concern raised about the security of the very products designed to protect users from cyber nastiness

Security vendors are once again in the dock after researchers revealed that products that utilise “code hooking” have potentially opened the door to hackers.

It comes after researchers at Google’s Project Zero team last month said that Symantec had really “dropped the ball” after it uncovered a series of critical vulnerabilities in Symantec’s antivirus products.

Captain Hook

The revelation that end-point security vendors, specifically anti-virus (AV) products, and anti-exploitation products contain a serious vulnerability was made by data protection company enSilo in a blog post.

“We found 6(!) different common security issues that stem from incorrect implementation of code hooking and injections techniques,” the researchers warned. “These issues were found in more than 15 different products.”

They intend to provide their full technical findings at the Black Hat 2016 security conference next month in Las Vegas.

“User-mode hooks are used by most of the end-point security vendors today,” the enSilo researchers warned. “ Beyond their usage in security, hooks are used in other invasive applications such as Application Performance Management (APM) technologies to track performance bottlenecks.

But what exactly is hooking?

“Hooking itself is a very intrusive coding operation where function calls (mainly operating system functions) are intercepted in order to alter or augment their behaviour,” wrote the researchers. “For our research, we investigated more than a dozen popular security products. Our findings were depressing – we revealed six different security problems and vulnerabilities stemming from this practice.”

security vulnerability Shutterstock - © Andy Dean PhotographyHooks essentially allow intrusive software to intercept and monitor sensitive API calls, and is widely used in security products to detect malicious activity. The researchers said that most anti-exploitation solutions monitor memory allocation functions, such as VirtualAlloc and VirtualProtect, in an attempt to detect vulnerability exploitation.

But hooks are also used by the bad guys in their malware, most notably in man-in-the-browser (MITM) attacks. But it should be noted that hooks are also in other types of products including virtualisation and performance monitoring applications.

“The most common form of hooking in real-life products, especially security products, is inline hooking,” said the researchers. “Inline hooking is performed by overwriting the first few instructions in the hooked function and redirecting it to the hooking function.

A more detailed breakdown of the vulnerability is provided in their blog post, but the researchers reported that products from AVG, Kaspersky Lab, McAfee/Intel Security, Symantec, Trend Micro, Bitdefender, Citrix, Avast, Emsisoft and others, are all affected by the flaw.

Unsecure Security?

This is not the first time that flaws have been found in security products. Besides last month’s discovery of flaws in Symantec products, other research has identified flaws with other legitimate security and enterprise products.

Last September for example some of the leading security products on the market were reportedly compromised by a raft of dangerous vulnerabilities.

FireEye’s security product was apparently hacked by Los Angeles-based researcher Kristian Erik Hermansen, who revealed on Twitter that he had found ‘at least four’ security flaws in the company’s core product.

Kaspersky’s anti-virus product was also reportedly hacked by Google security researcher Travis Ormandy, who claimed on Twitter to have found “a remote, zero interaction SYSTEM exploit, in default config.

Are you a security pro? Try our quiz!