Attack Tactic Circumvents Windows Security Software

Several researchers with antivirus companies, including Huger, noted that security software isn't defenseless against attempts to use argument-switch, in large part because attackers would still need to plant malware on a machine, and on-demand scanning would theoretically block any malicious downloads, at least of known threats.

"Any malware that we detect by our antivirus will still be blocked, just like it always was," said F-Secure's Hypponen. "So the issue only affects new, unknown malware that we do not yet have a detection signature for."

Huger expects that attacks using argument-switch will target 32-bit Windows XP machines, both because that operating system continues to dominate the Windows ecosystem, and because it lacks the PatchGuard kernel protection that Microsoft added to 64-bit versions of XP in 2005, then later to 64-bit editions of Vista and Windows 7.

"They may not be exclusive to Windows XP, but they'll be more prevalent under XP," Huger said.

Microsoft faced resistance from several antivirus companies, notably Symantec and McAfee, before the release of Windows Vista. They complained that PatchGuard would prevent them from delivering key functions in their Vista-compatible products, including behavior-based virus detection, host-based intrusion prevention and software tamper protection. Microsoft relented and eventually made security application programming interfaces (API) available to allow vendors to do what they needed without accessing the kernel.

Those APIs first appeared in Windows Vista SP1 in 2008.

Matousec claimed that 64-bit versions of Windows boasting PatchGuard could be vulnerable in some instances. "[This] will work against all user mode hooks and it will also work against the kernel mode hooks if they are installed, for example, after disabling PatchGuard," Matousec's paper stated.

Microsoft did not immediately reply to a request for comment on Matousec's claim.

Other problems security vendors face in blocking argument-switch attacks could arise if or when they release updates, argued Huger. "Kernel driver programming is pretty tricky," he said. "Redeployment [of updates] will complicate things. Any vendor nervy enough to put out new kernel drivers will have to do a pretty significant gut check. If something goes wrong, millions of machines could be blue-screened."

Huger pointed to the recent fiasco with a faulty McAfee signature update that crashed thousands of PCs running the company's security software as an example. "Enterprises would be very reticent to update because of the risk," he said.

Jeremy Kirk of the IDG News Service contributed to this story.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com.

Read more about Security Hardware and Software in Computerworld's Security Hardware and Software Knowledge Center.

Subscribe to the Best of TechHive Newsletter

Comments