
Windows 7: Microsoft: MSE safe from Windows kernel hook attack

13 May 2010   #1

Win 7 Ultimate 64-bit. SP1.
Microsoft: MSE safe from Windows kernel hook attack

Microsoft Security Essentials (MSE), the software giant's free antimalware solution, is one of the few products that is not affected by the recently rediscovered method for disabling security software on Windows. MSE does not use SSDT hooks, so its real-time protection cannot be disabled via this method.

When the report was first published, we noticed that MSE was not on the list of affected products and contacted Microsoft for clarification. "Microsoft is aware of research published by Matousec and we are investigating the issue," a Microsoft spokesperson told Ars. "Based on available information, we do not believe our products are affected due to the design of our real-time protection. We are working to confirm this."

Microsoft said someone would get back to us, but we figured it would be quicker to go straight to the source. "As we assumed, MSE does not implement any hooks and hence it can not be attacked by KHOBE technique," a Matousec spokesperson told Ars. "It might be confusing when you read various media comments on KHOBE research that mention that all antivirus products are vulnerable, but they miss the most important thing, which is that only software that implements hooking can be vulnerable. Only some antivirus products implement hooks but many antivirus products do not use hooks at all. The major group of software that is affected are not antivirus products but HIPS [Host Intrusion Prevention System] software, behavior blockers, various Internet Security Suites with host protection features etc."

Update: "Microsoft has worked directly with Matousec to confirm that Microsoft Security Essentials and Forefront Client Security products are not affected by their KHOBE research due to the design of our real-time protection," a Microsoft spokesperson eventually followed up with.
Further reading -
Microsoft: MSE safe from Windows kernel hook attack


14 May 2010   #2

Windows 7 Ultimate (64)

Interesting read, thanks.
14 May 2010   #3

W7-Enterprise + WS-2008 (Converted to Workstation)

Hi!

I just had a new look at Matousec's list of affected software; a2 (now EAM) is also NOT on the list.

14 May 2010   #4

Arch Linux 64-bit

That does not mean it is not vulnerable.

Not all possibly vulnerable products were tested.

And anyway,
Quote: Originally Posted by Fabian Wosar
The article and problem in question is quite old. The problem outlined there is known for literally centuries (Time-of-check-to-time-of-use - Wikipedia, the free encyclopedia). So there is nothing new about it. Just a security "researcher" that wants his 15 minutes of fame.

In addition, AVs are far from being "circumvented", since the main defense line for AVs is still on-access scanning, which isn't fooled by this kind of race condition. In addition, every software that uses the filter manager capabilities implemented in the Windows kernel won't be affected by this as well.

So there is much fuss around a possible security problem that is documented for 20+ years, that can only effectively be used against some HIPS and firewall products, and only if it happens to work the first time it is tried (which is extremely rare).
Emsisoft and SSDT ? - Emsisoft Support
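The quoted point about the check-then-use race (TOCTOU) in hook-based products, as an added illustration that is not from this thread or from any product: a toy user-mode model of a hook that validates a request and then re-reads it, beside one that captures the argument before checking it. `yield` and `swap_target` are constructed stand-ins for the scheduler switching to another thread that rewrites the buffer in the window.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a request whose contents live in memory the caller
 * can still modify while the hook is running (the KHOBE-style window). */
typedef struct {
    char target[32];
} request_t;

/* Policy: only requests for "safe.dat" are allowed through. */
static int policy_allows(const char *target) {
    return strcmp(target, "safe.dat") == 0;
}

/* Vulnerable hook: checks the caller's buffer, then re-reads it when acting.
 * `yield` models losing the CPU between the check and the use; in a real
 * race another thread would rewrite the buffer at that point. */
int hook_check_then_use(request_t *req, void (*yield)(request_t *),
                        char *acted_on, size_t n) {
    if (!policy_allows(req->target))
        return 0;                       /* blocked */
    if (yield) yield(req);              /* window between check and use */
    snprintf(acted_on, n, "%s", req->target);
    return 1;                           /* allowed, acted on the second read */
}

/* Hardened hook: captures the argument once into memory the caller cannot
 * touch, then checks and uses only that captured copy, so a later rewrite
 * of the caller's buffer cannot change what was already validated. */
int hook_capture_then_check(request_t *req, void (*yield)(request_t *),
                            char *acted_on, size_t n) {
    request_t local;
    memcpy(&local, req, sizeof local);
    local.target[sizeof local.target - 1] = '\0';
    if (!policy_allows(local.target))
        return 0;
    if (yield) yield(req);              /* same window, now harmless */
    snprintf(acted_on, n, "%s", local.target);
    return 1;
}

/* Constructed stand-in for the racing thread: swaps the target in the window. */
void swap_target(request_t *req) {
    snprintf(req->target, sizeof req->target, "%s", "forbidden.dat");
}
```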