Windows kernel exploit can bypass all security

Security firm Bromium Labs has discovered a way to use an old Windows kernel exploit to bypass popular anti-malware and other security software.

The method, which Bromium calls Layer on Layer (LOL) attacks, allows an attacker to bypass multiple layers of security in one fell swoop, without anyone being the wiser.

The technique affects application sandboxes, anti-virus software, rootkit detectors, host-based intrusion prevention systems (HIPS), the Enhanced Mitigation Experience Toolkit (EMET) and Supervisor Mode Execution Prevention (SMEP), even when they are stacked on top of one another. The exploit either disables each layer or bypasses it completely.

The attack takes advantage of the EPATHOBJ Windows kernel vulnerability, a flaw in the win32k.sys graphics subsystem that was discovered last year and largely ignored.

Exploiting the vulnerability gives an attacker kernel-level (SYSTEM) privileges, from which security software on the machine can be turned off or otherwise disrupted. Malware can then run freely. Worse yet, the attacker goes unnoticed, because the tools that would normally raise an alert have themselves been neutralised.

Kernel integrity

Bromium will showcase its findings at Infosecurity Europe and BSides London, with a demonstration of how the exploit works.

The firm states that even layered approaches to security, advocated by many top security professionals, have a common weakness: virtually all endpoint technologies rely on the integrity of the kernel. Once an attacker is executing code in the kernel, every defence that runs on top of it can be disabled or deceived, so stacking more layers does not help.

"While many were aware of the discovery of the TDL4 rootkit rumoured to be using kernel exploit code at the end of last year, few paid it any serious attention. And that was a huge error of judgement," said Rahul Kashyap, Head of Security Research at Bromium.

"We discuss that such vulnerabilities can prove lethal to enterprise security and likely go unnoticed for long periods of time. By simply 'tweaking' the exploit, we found we could bypass all the different layers of security software that an enterprise might deploy on an end user machine."

Bromium believes many more zero-day vulnerabilities exist in the millions of lines of code in the Windows kernel.

