back to article Microsoft PatchGuard flaw could let hackers plant rootkits on x64 Windows 10 boxen

Flaws in Microsoft PatchGuard create a means for hackers to plant rootkits on Windows 10, 64-bit OS devices. The newly discovered attack technique, dubbed GhostHook, allows attackers to completely bypass PatchGuard, security researchers at CyberArk Labs warn. PatchGuard (formally known as Kernel Patch Protection) was …

  1. jelabarre59 Silver badge

    Re: Why the delay?

    Redmond shrugs, says PC would already need to be thoroughly pwned

    Isn't "thoroughly pwned" synonymous with "Windows Boxen"?

  2. Naselus

    Um....

    This does indeed require you to have already gotten complete control over the device in question. Cyberark even say so in their own intro to the piece. So while it's an interesting post-exploit attack, it's not a big security problem in itself.

    It's kinda like those guys who reported a Macbook 'vulnerability' which required you to remove the laptop's case to deploy them; while it's technically a vulnerability, the actual use-cases where it could occur requires the target to be so thoroughly compromised already that it's pointless to use it by that point. In other words, it's security researchers getting over-excited by purely theoretical problems.

    1. a_yank_lurker Silver badge

      Re: Um....

      The vulnerabilities I worry more about are macros, browser hijacking, and zero-days. An exploit that requires the miscreant to have physical access is not very worrisome. If some can physically get to your computer, you are toast and have more serious security problems. Plus any such physical access probably means your OS is not that critical.

      1. Naselus

        Re: Um....

        Yup, pre-exploit vectors. Things it would be really handy for security researchers to actually spend their time looking at, rather than things which require the computer to have already been broken into and completely overrun.

    2. Roland6 Silver badge

      Re: Um....

      "So while it's an interesting post-exploit attack, it's not a big security problem in itself."

      Security in depth...

      The problem everyone seems to be missing is that security software doesn't stop all malware, thus by definition you will get compromised systems. Knowing that there are fundamental holes in Windows x64 security (is this only Win10 x64, or does it date right back to XP x64?), really means that you can not be sure that a 'cleaned' system really is clean.

      Now does this exploit appear in the NSA toolkit - would help explain why MS are laid back...

      Also whilst "64-bit malware currently makes up less than 1 per cent of the current threat landscape. " may be true, the world is increasingly moving to 64-bit OS's...

    3. Mike 16 Silver badge

      Re: Um....

      "...vulnerability' which required you to remove the laptop's case..."

      So, you are not planning on traveling with your laptop (in checked baggage) for the foreseeable future?

      The only way to be "safe" from targeted attacks is to be as innocuous as possible. The only way to be safe from "shotgun" attacks is to adopt an Amish lifestyle.

  3. Anonymous Coward
    Alert

    It's good that the exploit has a cute name, but without a logo, no-one will take it seriously. Looks like the domain's still free too. Sloppy work, CyberArk Labs.

  4. Nate Amsden

    sounds like they need to patch it

    if the article is right "PatchGuard [..] was developed to prevent Windows users patching the kernel, and by extension make the OS more secure by preventing hackers from running rootkits at the kernel level."

    also from this blog post

    https://blogs.msdn.microsoft.com/windowsvistasecurity/2006/08/12/an-introduction-to-kernel-patch-protection/

    "Kernel Patch Protection does not prevent all viruses, rootkits, or other malware from attacking the operating system. It helps prevent one way to attack the system: patching kernel structures and code to manipulate kernel functionality. Protecting the integrity of the kernel is a fundamental steps in protecting the entire system from malicious attacks and from inadvertent reliability problems that result from patching."

    Doesn't a system need to be owned regardless for a rootkit to install ? Seems like a cheap excuse from MS.

    Not that I care either way, my history with computers says my risk factor for this kind of stuff is reaaally low (both in personal as well as business). Though linux is my primary OS, I do run and manage several windows systems as well.

  5. bombastic bob Silver badge
    Devil

    ticking time bomb... tick tick tick tick BOOM!

    As Micro-shaft downplays their newly discovered vulnerability, getting something into the kernel in the first place is not THAT difficult, as long as you can manage a kernel driver load by tricking the user into installing the thing. Yeah, it's a bit more difficult with the newer cert requirements (that effectively punish small-time developers in a failed attempt to stop the malware, kinda like GUN CONTROL nonsense), but there *are* workarounds that could be used by carefully written installers to get around all of that. A few boots later, and voila! COMPROMISED!

    So tricking the user into installing something malicious is the only real hurdle.

    [it's pretty much the same deal with ANY computer system, really]

    1. patrickstar

      Re: ticking time bomb... tick tick tick tick BOOM!

      This is not a vulnerability.

      And if you can get someone to LOAD A DRIVER, that person is pretty darn owned regardless of the OS.

      For your information, your shiny little Linux box (or whatever) gets just as pwned if you get someone to do 'insmod evil.ko' as root.

      As you don't seem to be advocating for something like iOS where the user is considered hostile, I really fail to see what point you are making.

      Hell, since you consider a PatchGuard bypass a vulnerability, you should consider other OSes (most of them) that lack any sort of PatchGuard equivalent really, really, vulnerable.

      1. Anonymous Coward
        Anonymous Coward

        Re: ticking time bomb... tick tick tick tick BOOM!

        "... your shiny little Linux box (or whatever) gets just as pwned if you get someone to do 'insmod evil.ko' as root."

        Sure, because the best way to have a user install your rootkit is to have them open a shell and type exact characters, after they have typed in the root password.

        "50% of the time, it works all the time." - Brian

        1. patrickstar

          Re: ticking time bomb... tick tick tick tick BOOM!

          In a real life social engineering attack you would of course have the user run some application that does it, not instruct the user to run the actual commands. That's obviously the case for Windows as well - instead of manually adding a service to the registry and starting it you'd just hand him/her/it an application that does it.

        2. gerdesj Silver badge

          Re: ticking time bomb... tick tick tick tick BOOM!

          "Sure, because the best way to have a user install your rootkit is to have them open a shell and type exact characters, after they have typed in the root password."

          As you say, that would be one hell of a spear phishing job! You get someone to download a kernel module or save the attachment, find the console thingie, login as root on it and then run a pretty arcane command. Few Linux boxes have root passwords - OK: "sudo -i" will work on many if not most. The .ko will also need to actually work on the target system and avoid a few other mechanisms, eg module signing.

          1. patrickstar

            Re: ticking time bomb... tick tick tick tick BOOM!

            All these gotchas apply to Windows as well, of course... just that module signing is mandatory and you either have to stick to the documented ways of doing things in kernel mode or bypass PG/KPP.

  6. patrickstar

    PatchGuard bypasses are literally as old as PatchGuard itself. By definition, it can always be bypassed.

    Its primary purpose is to stop eg. AV vendors from hooking things they shouldn't in ways they aren't competent to. Both because it leads to complaints from end users ("durr windoze is so stupid look it just crashed again!!11") and also because it creates a whole lot of pain for MS since they have to test for and work around this sort of stupidity each time they release a kernel update.

    Its secondary purpose is to make things trickier for rootkit authors, since even if you bypass it at one point there's no guarantee the bypass will keep working in the next update.

    It has been pretty succesful at both these things, by the way. AV (and other driver) vendors no longer do the really stupid stuff (atleast not any of the widely deployed ones), and rootkits largely avoid the PatchGuard protected parts like the plague.

  7. This post has been deleted by its author

  8. Ropewash
    Joke

    On the upside...

    Maybe it could be used to block telemetry at the kernel level.

    Poison can become a medicine and all that.

  9. Anonymous Coward
    Anonymous Coward

    Slight correction..

    [from the article] PatchGuard (formally known as Kernel Patch Protection) was developed to prevent Windows users patching the kernel, and by extension make the OS more secure less unsecure by preventing hackers from running rootkits at the kernel level.

    FIFY, JtR*

    * Just trolling Redmond

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019