Hello,
I’m a newbie learning driver development. I just encountered an article/paper named "KHOBE – 8.0 earthquake for Windows desktop security software" which claims "The protection implemented by kernel mode drivers of today’s security products can be bypassed effectively by a code running on an unprivileged user account." [1]
I thought it might be important to some of you. So I’m sharing it here.
[1] http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php
Ha-ha-ha!
“This research showed that most of security software vendors implemented their kernel hooks very poorly and their applications were creating another holes into the operating system instead of protecting it”
That’s why I have no antivirus at all!
As for the holes in the kernel itself - I think they were fixed the next Thursday after publishing the exploit :)
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
That “paper” demonstrated no kernel security holes to patch, just holes in security software .
d
sent from a phpne with no keynoard
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
And it’s an old, known security issue. Another reason to move away from hooking approaches: the subtleties of parameter validation are, well, subtle.
-scott
–
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com
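As an added illustration of the parameter-validation point above (a constructed example, not code from this thread or from any product): a hook that validates a user-mode buffer and then passes the same pointer on to the original service can be defeated by a concurrent change to that buffer between the check and the use; capturing the parameters once and validating the copy closes the window. The racing thread is simulated in a single thread here, and `open_params`, `policy_allows` and `original_service` are invented names.

```c
#include <string.h>

/* Constructed single-thread model of the "argument switch" race against a
 * syscall hook. Not code from the thread or from any product. */
#define ACCESS_READ  1
#define ACCESS_WRITE 2
struct open_params { char path[32]; int access; };
/* Models the user-mode buffer a second user thread may rewrite at any time. */
static struct open_params *user_params;
static int race_armed;

/* Simulated racing thread: flips the access mode after the hook checked it. */
static void racer_tick(void) {
    if (race_armed) { user_params->access = ACCESS_WRITE; race_armed = 0; }
}

/* Policy enforced by the hook: no write access under \protected\. */
static int policy_allows(const struct open_params *p) {
    return !(strncmp(p->path, "\\protected\\", 11) == 0 &&
             p->access == ACCESS_WRITE);
}
/* The original system service: re-reads the buffer and returns the access
 * it actually granted. */
static int original_service(const struct open_params *p) { return p->access; }

/* Vulnerable hook: validates through the user pointer, then passes the same
 * pointer on, so the service's second fetch can see different values. */
static int hook_vulnerable(struct open_params *p) {
    if (!policy_allows(p)) return -1;
    racer_tick();                       /* check-to-use window */
    return original_service(p);
}

/* Hardened hook: fetch the buffer once into kernel-owned memory (in a real
 * driver: ProbeForRead under __try, then copy), validate the copy and pass
 * the copy on. Later changes to user memory cannot affect the decision. */
static int hook_hardened(struct open_params *p) {
    struct open_params captured;
    memcpy(&captured, p, sizeof captured);
    if (!policy_allows(&captured)) return -1;
    racer_tick();
    return original_service(&captured);
}

/* Runs one race against either hook; returns the access granted, or -1. */
int run_scenario(int hardened) {
    struct open_params buf = { "\\protected\\secret.txt", ACCESS_READ };
    user_params = &buf;
    race_armed = 1;
    return hardened ? hook_hardened(&buf) : hook_vulnerable(&buf);
}
```

The vulnerable hook ends up granting the write the policy was meant to deny, while the hardened hook grants only the read it validated.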
Doesn’t this research target old vulnerabilities of security s/w, because it targets SSDT hooks only, which are anyway not feasible on post-Vista?
Regards
Deepak