Microsoft PatchGuard flaw could let hackers plant rootkits on x64 Windows 10 boxen

Flaws in Microsoft PatchGuard create a means for hackers to plant rootkits on Windows 10, 64-bit OS devices. The newly discovered attack technique, dubbed GhostHook, allows attackers to completely bypass PatchGuard, security researchers at CyberArk Labs warn. PatchGuard (formally known as Kernel Patch Protection) was …

  1. jelabarre59

    Re: Why the delay?

    Redmond shrugs, says PC would already need to be thoroughly pwned

    Isn't "thoroughly pwned" synonymous with "Windows Boxen"?

  2. Naselus

    Um....

    This does indeed require you to have already gotten complete control over the device in question. CyberArk even say so in their own intro to the piece. So while it's an interesting post-exploit attack, it's not a big security problem in itself.

    It's kinda like those guys who reported a Macbook 'vulnerability' which required you to remove the laptop's case to deploy it; while it's technically a vulnerability, the actual use-cases where it could occur require the target to be so thoroughly compromised already that it's pointless to use it by that point. In other words, it's security researchers getting over-excited by purely theoretical problems.

    1. a_yank_lurker

      Re: Um....

      The vulnerabilities I worry more about are macros, browser hijacking, and zero-days. An exploit that requires the miscreant to have physical access is not very worrisome. If someone can physically get to your computer, you are toast and have more serious security problems. Plus any such physical access probably means your OS is not that critical.

      1. Naselus

        Re: Um....

        Yup, pre-exploit vectors. Things it would be really handy for security researchers to actually spend their time looking at, rather than things which require the computer to have already been broken into and completely overrun.

    2. Roland6

      Re: Um....

      "So while it's an interesting post-exploit attack, it's not a big security problem in itself."

      Security in depth...

      The problem everyone seems to be missing is that security software doesn't stop all malware, thus by definition you will get compromised systems. Knowing that there are fundamental holes in Windows x64 security (is this only Win10 x64, or does it date right back to XP x64?) really means that you cannot be sure that a 'cleaned' system really is clean.

      Now does this exploit appear in the NSA toolkit - would help explain why MS are laid back...

      Also whilst "64-bit malware currently makes up less than 1 per cent of the current threat landscape." may be true, the world is increasingly moving to 64-bit OS's...

    3. Mike 16

      Re: Um....

      "...vulnerability' which required you to remove the laptop's case..."

      So, you are not planning on traveling with your laptop (in checked baggage) for the foreseeable future?

      The only way to be "safe" from targeted attacks is to be as innocuous as possible. The only way to be safe from "shotgun" attacks is to adopt an Amish lifestyle.

  3. Anonymous Coward

    It's good that the exploit has a cute name, but without a logo, no-one will take it seriously. Looks like the domain's still free too. Sloppy work, CyberArk Labs.

  4. Nate Amsden

    sounds like they need to patch it

    if the article is right "PatchGuard [..] was developed to prevent Windows users patching the kernel, and by extension make the OS more secure by preventing hackers from running rootkits at the kernel level."

    also from this blog post

    https://blogs.msdn.microsoft.com/windowsvistasecurity/2006/08/12/an-introduction-to-kernel-patch-protection/

    "Kernel Patch Protection does not prevent all viruses, rootkits, or other malware from attacking the operating system. It helps prevent one way to attack the system: patching kernel structures and code to manipulate kernel functionality. Protecting the integrity of the kernel is a fundamental step in protecting the entire system from malicious attacks and from inadvertent reliability problems that result from patching."

    Doesn't a system need to be owned regardless for a rootkit to install? Seems like a cheap excuse from MS.

    Not that I care either way, my history with computers says my risk factor for this kind of stuff is reaaally low (both in personal as well as business). Though Linux is my primary OS, I do run and manage several Windows systems as well.

  5. bombastic bob

    ticking time bomb... tick tick tick tick BOOM!

    As Micro-shaft downplays their newly discovered vulnerability, getting something into the kernel in the first place is not THAT difficult, as long as you can manage a kernel driver load by tricking the user into installing the thing. Yeah, it's a bit more difficult with the newer cert requirements (that effectively punish small-time developers in a failed attempt to stop the malware, kinda like GUN CONTROL nonsense), but there *are* workarounds that could be used by carefully written installers to get around all of that. A few boots later, and voila! COMPROMISED!

    So tricking the user into installing something malicious is the only real hurdle.

    [it's pretty much the same deal with ANY computer system, really]

    1. patrickstar

      Re: ticking time bomb... tick tick tick tick BOOM!

      This is not a vulnerability.

      And if you can get someone to LOAD A DRIVER, that person is pretty darn owned regardless of the OS.

      For your information, your shiny little Linux box (or whatever) gets just as pwned if you get someone to do 'insmod evil.ko' as root.

      As you don't seem to be advocating for something like iOS where the user is considered hostile, I really fail to see what point you are making.

      Hell, since you consider a PatchGuard bypass a vulnerability, you should consider other OSes (most of them) that lack any sort of PatchGuard equivalent really, really, vulnerable.

      1. Anonymous Coward

        Re: ticking time bomb... tick tick tick tick BOOM!

        "... your shiny little Linux box (or whatever) gets just as pwned if you get someone to do 'insmod evil.ko' as root."

        Sure, because the best way to have a user install your rootkit is to have them open a shell and type exact characters, after they have typed in the root password.

        "50% of the time, it works all the time." - Brian

        1. patrickstar

          Re: ticking time bomb... tick tick tick tick BOOM!

          In a real life social engineering attack you would of course have the user run some application that does it, not instruct the user to run the actual commands. That's obviously the case for Windows as well - instead of manually adding a service to the registry and starting it you'd just hand him/her/it an application that does it.

        2. Anonymous Coward

          Re: ticking time bomb... tick tick tick tick BOOM!

          "Sure, because the best way to have a user install your rootkit is to have them open a shell and type exact characters, after they have typed in the root password."

          As you say, that would be one hell of a spear phishing job! You get someone to download a kernel module or save the attachment, find the console thingie, login as root on it and then run a pretty arcane command. Few Linux boxes have root passwords - OK: "sudo -i" will work on many if not most. The .ko will also need to actually work on the target system and avoid a few other mechanisms, eg module signing.

          1. patrickstar

            Re: ticking time bomb... tick tick tick tick BOOM!

            All these gotchas apply to Windows as well, of course... just that module signing is mandatory and you either have to stick to the documented ways of doing things in kernel mode or bypass PG/KPP.

  6. patrickstar

    PatchGuard bypasses are literally as old as PatchGuard itself. By definition, it can always be bypassed.

    Its primary purpose is to stop eg. AV vendors from hooking things they shouldn't in ways they aren't competent to. Both because it leads to complaints from end users ("durr windoze is so stupid look it just crashed again!!11") and also because it creates a whole lot of pain for MS since they have to test for and work around this sort of stupidity each time they release a kernel update.

    Its secondary purpose is to make things trickier for rootkit authors, since even if you bypass it at one point there's no guarantee the bypass will keep working in the next update.

    It has been pretty successful at both these things, by the way. AV (and other driver) vendors no longer do the really stupid stuff (at least not any of the widely deployed ones), and rootkits largely avoid the PatchGuard protected parts like the plague.

  7. This post has been deleted by its author

  8. Ropewash

    On the upside...

    Maybe it could be used to block telemetry at the kernel level.

    Poison can become a medicine and all that.

  9. Anonymous Coward

    Slight correction..

    [from the article] PatchGuard (formally known as Kernel Patch Protection) was developed to prevent Windows users patching the kernel, and by extension make the OS more secure less unsecure by preventing hackers from running rootkits at the kernel level.

    FIFY, JtR*

    * Just trolling Redmond
