'Thousands' of products vulnerable to code hooking abuse

Bad implementation of the low-level code hooking technique by Microsoft and third-party security vendors has left millions of users open to attacks that bypass mitigation measures - some for up to a decade, researchers have found.

Hooking is used by different kinds of software to monitor as well as to intercept and change the behaviour of operating system functions, and if needed, to inject code.

Security software uses code hooking extensively to check for malicious activity on systems.

EnSilo researchers Tomer Bitton and Udi Yavo said they looked at the hooking engines and injection techniques used by more than 15 different products such as popular antivirus software from AVG, Kaspersky, McAfee, Symantec, and Bitdefender; data leak protection; anti-exploitation; and host intrusion protection systems.

One of the hooking engines examined was Microsoft Detours - which is used internally by Microsoft as well as by over 100 independent software vendors.

Detours and the other products studied were found to contain six common vulnerabilities that could be used by attackers to bypass operating system and third-party exploit mitigations, the researchers said.

"Practically it means that probably thousands of products are affected, including [Microsoft] Office, meaning that millions of devices are affected by their vulnerability," the researchers said.

Code hooking could be abused by malware to implement man-in-the-browser interception attacks, for instance. The Duqu spyware used a method that security vendors also utilise - entry point patching - to inject its payload into victims' systems. 

"The worst vulnerabilities would allow the attacker to stay undetected on the victim’s machine or to inject code into any process in the system," the researchers said.

Microsoft has scheduled a patch for Detours to arrive next month, but Bitton and Yavo said fixing the problems in products using code hooking is hard as it requires recompilation of each individual vulnerable application.

The researchers said they notified the affected vendors throughout the past eight months, and said some have only fixed the vulnerability recently.

Bitton and Yavo will present their findings on code hooking security issues at the annual Black Hat conference next month, in Las Vegas, United States.