Windows kernel exploits can kill all security, says Bromium


Exploits of a Windows operating system kernel vulnerability can enable attackers to bypass just about every security software product, claims security firm Bromium Labs.
The firm's researchers found that small adjustments to the recent public exploit of EPATHOBJ Windows kernel vulnerability can be used to bypass a range of security controls.
These include application sandboxes, anti-virus, host-based intrusion prevention, rootkit detectors, Microsoft's Enhanced Mitigation Experience Toolkit (EMET) and Intel's Supervisor Mode Execution Protection (SMEP).
According to the researchers, attackers can exploit the vulnerability to gain system privileges to disable security technologies and run any malicious code or compromise other machines on the same network.
 
Full Article
 
Would WSA be OK @ 

7 replies

@ wrote:
Exploits of a Windows operating system kernel vulnerability can enable attackers to bypass just about every security software product, claims security firm Bromium Labs.
The firm's researchers found that small adjustments to the recent public exploit of EPATHOBJ Windows kernel vulnerability can be used to bypass a range of security controls.
These include application sandboxes, anti-virus, host-based intrusion prevention, rootkit detectors, Microsoft's Enhanced Mitigation Experience Toolkit (EMET) and Intel's Supervisor Mode Execution Protection (SMEP).
According to the researchers, attackers can exploit the vulnerability to gain system privileges to disable security technologies and run any malicious code or compromise other machines on the same network.
 
Full Article
 
Would WSA be OK @ 
Not sure, I'll have to check.  If they can get into the kernel, then that's pretty hard to get around.  
It is true that low level kernel exploits can bypass pretty much any security product on the market. Fortunately there aren't many exploits of this type in modern Windows versions and they are very difficult to perform.
 
WSA is well equipped to handle this type of attack since the WSA agent itself performs its work at a very low level of the operating system. In most cases, we will be able to detect the attempted exploit and prevent malware of this type from successfully infecting an endpoint.
Thank you for the quick response @ and @ .  It is good to know that WSA works at a low enough level to prevent the attack.
Thanks guys!
Even the user who already has some experience with malware feels more comfortable with this awareness ;)
@ I'm not sure what you're claiming here, are you saying WSA has active anti-exploit in place? To what extent? Or are you saying a generalized reduction in surface area through sandboxing sensitive system interfaces that may help in some cases?
 
But, fundamentally, it's important for everyone to understand there is no perfect security. Understand that a motivated attacker will evade standard defenses, especially if they have a kernel vuln, unless you're going to incredible and novel lengths that are not transparent to everyday use. Even then...
 
WSA is a great tool. It's important to have, and I support it. But it is a tool. It is part of a solution to various threats. It is not The Solution, in the grandest sense. It will be defeated. And that's okay. It's the rate of defeat and resulting remediation of defeat, not the promise of non-defeat, that is highlighted and sold. (Except that one stupid campaign where they claimed they were 100% effective against new malware or something - marketing obviously had too much caffeine under leadership who enjoyed issuing literally impossible, and proven incorrect, claims to a technical audience that knows when a company's product is being thrown under a bus through inept promotion. I think we can all relate, don't worry.)
 
The complexity of computer security is interpreted all wrong by the general public. They think computers are discrete systems that are isolatable and fully understandable by a human who can see and manage all flaws and make assurances about those flaws being made zero. Classically, they are right. But it doesn't translate. A computer is a collection of systems, the result of billions of hours of cumulative work in specialties ranging the spectrum of human intelligence, involving multiple generations of diverse genius, with security composing only a minuscule amount of effort overall. There is no assurance. There is only stemming the tide of defeat.
 
I'm super fun at parties.
 
If you don't know what the heck I'm talking about, it's ok. I'm pretty sure nobody does. That's why the internet is so cool. You can keep talking and someone will eventually probably read it maybe.
I don't think there will ever be a perfect system, because no matter how secure any system is, there will always be someone who will try, and sometimes succeed, to get into it.
I am glad that Brendenguy says that "In most cases, we will be able to detect the attempted exploit." Like I say, nothing is perfect, and to try to claim otherwise gives the general public a false sense of security.
 
I know what you are talking about explanoit, not always but this time yes 😉
Hi explanoit,
 
I apologize for the delay and for not being clear in my first post. I am not saying that WSA functions as an anti-exploit or that we will always be able to prevent a motivated attacker from compromising a system using kernel exploits. However, I am saying that WSA operates at a very low level on the system and will often be able to detect attempted kernel-level exploits made by malware and prevent those malicious programs from doing their work. A good example of this is the TDL-4 kernel-level rootkit that was prevalent a few years back. As long as we were installed beforehand, WSA was able to detect and block this infection from compromising a system in most cases. We can similarly detect and block many other kernel-level infections.
 
As you said, it is important to understand that no security product is perfect and unfortunately there are always ways around the protection they provide. A skilled, resourceful, and motivated hacker with the ability to utilize kernel-level exploits will likely evade most (if not all) security products on the market, at least initially. A brand new infection utilizing a little known and undocumented kernel exploit will likely evade us for a time. Fortunately we are always on the lookout for new malware of this type and are constantly making adjustments to the product in order to defeat them.
 