- Aug 30, 2012
Hooking is a coding technique by which one application intercepts function calls, messages or events inside another application's process, typically by redirecting a function's entry point to its own code. Many desktop applications rely on it, above all security products that need to monitor other applications for malicious activity.
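The hooking technique described above, as an added example that is not code from enSilo, Microsoft Detours or any vendor named in this article: a minimal x86-64 inline hook on Linux that overwrites the first bytes of a target function with an absolute jump to a replacement, then puts the original bytes back. The function names (compute_price, hooked_compute_price, install_hook, remove_hook) are hypothetical; the example assumes x86-64, Linux with glibc, and that mprotect() is permitted to make the code page temporarily writable.

```c
// Minimal x86-64 inline hook (Linux, glibc). Added example, not enSilo's,
// Microsoft's or any vendor's code. Assumes mprotect() may make the text
// page writable; all function names below are hypothetical.
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

// Target. Aligned to 64 bytes so the 12-byte patch always lands inside this
// function's own slot (code plus alignment padding), never in the next one.
__attribute__((noinline, aligned(64)))
int compute_price(int base, int qty) {
    return base * qty;
}

// Replacement ("detour"): what callers reach once the hook is installed.
// A monitoring hook would inspect the arguments and then call the original.
__attribute__((noinline))
int hooked_compute_price(int base, int qty) {
    (void)base; (void)qty;
    return -1;
}

#define PATCH_LEN 12
static unsigned char saved_prologue[PATCH_LEN];

// Change protection on the page(s) covering the patched bytes.
static int set_text_protection(void *addr, int prot) {
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    // The patch may straddle a page boundary, so cover through its last byte.
    uintptr_t end = ((uintptr_t)addr + PATCH_LEN + page - 1) & ~(page - 1);
    return mprotect((void *)start, end - start, prot);
}

// Write "movabs rax, <detour>; jmp rax" (48 B8 imm64 / FF E0) over the
// target's prologue. rax is caller-saved and carries no SysV argument, so
// clobbering it at function entry is safe.
int install_hook(void *target, void *detour) {
    unsigned char patch[PATCH_LEN] = {0x48, 0xB8};
    uint64_t dst = (uint64_t)(uintptr_t)detour;
    memcpy(patch + 2, &dst, sizeof dst);
    patch[10] = 0xFF;
    patch[11] = 0xE0;

    if (set_text_protection(target, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memcpy(saved_prologue, target, PATCH_LEN);
    memcpy(target, patch, PATCH_LEN);
    // Do not leave the code page writable and executable behind: back to RX.
    return set_text_protection(target, PROT_READ | PROT_EXEC);
}

// Restore the saved prologue and the RX protection.
int remove_hook(void *target) {
    if (set_text_protection(target, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memcpy(target, saved_prologue, PATCH_LEN);
    return set_text_protection(target, PROT_READ | PROT_EXEC);
}

// Call through a volatile pointer so the compiler cannot inline or fold
// the call and the patched entry point is really executed.
int call_compute_price(int base, int qty) {
    int (*volatile fn)(int, int) = compute_price;
    return fn(base, qty);
}

// Returns 0 when the hook diverts the call and removal restores it.
int demo(void) {
    int before = call_compute_price(3, 4);   // unhooked: 12
    if (install_hook((void *)compute_price, (void *)hooked_compute_price) != 0)
        return -100;
    int during = call_compute_price(3, 4);   // hooked: -1
    if (remove_hook((void *)compute_price) != 0)
        return -101;
    int after = call_compute_price(3, 4);    // restored: 12
    return (before == 12 && during == -1 && after == 12) ? 0 : 1;
}

int main(void) {
    int rc = demo();
    printf("hook demo %s\n", rc == 0 ? "ok" : "failed");
    return rc;
}
```

The part a practitioner should look at is not the jump encoding but the protection handling: a hooking engine has to write into executable memory, and what it leaves behind afterwards (pages that stay writable and executable, trampolines at easily guessed addresses) determines whether the hook itself weakens the protections of the process it was meant to guard. Real engines also have to relocate the overwritten instructions into a trampoline so the original can still be called; this example only saves and restores them.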
Security firm enSilo discovered a problem with how a large number of software applications use the hooking technique, which leaves the door open for exploitation by malicious actors.
Vulnerabilities identified in 2015
Their research stems from an earlier investigation that identified problems in how AVG, McAfee, and Kaspersky handle process memory.
During that investigation, enSilo's team noticed the problematic way in which antivirus engines hook into other applications and system APIs to monitor and scan for malicious activity.
Later on, they found that other kinds of applications, such as virtualization and performance-monitoring software, are vulnerable to the same issue, which malware can leverage in attacks meant to bypass security software and OS-level exploit mitigations.
Hundreds of applications affected, millions of users exposed
According to enSilo, the following vendors have been notified and have started patching their products: AVG, Kaspersky, McAfee, Symantec, BitDefender, Citrix XenDesktop, WebRoot, Emsisoft, Vera, and Avast.
Additionally, any application that uses the Microsoft Detours hooking engine is also affected. This covers a huge list of products from over 100 ISVs (independent software vendors), along with almost all of Microsoft's own products, such as the Office suite.
Because Detours is a library built into each product rather than a component patched once on the system, fixing the issue means recompiling every affected application and distributing new versions, which explains why enSilo waited so long to publicly disclose the issues.
Microsoft said it will update its apps and the Detours engine in its August Patch Tuesday.
In the meantime, the researchers are set to present their findings at this year's Black Hat security conference, scheduled to take place in Las Vegas at the start of August. A more technical explanation can be read here, written by Udi Yavo and Tomer Bitton of enSilo.