SECURITY FIRM CYBERARK has issued an alert about GhostHook, an attack that swoops past Microsoft's PatchGuard protective layer.
Once the thing has swanned past the Microsoft bouncer software it is free to take root control on Windows 10, 64-bit OS devices. CyberArk reckons that it has caught itself a whopper here, claiming to have discovered the first attack to treat PatchGuard with so little attention and take root level control.
Sounds like a real doozy. "Hooking techniques give you the control over the way an operating system or a piece of software behaves. Some of the software that utilizes hooks include: application security solutions, system utilities, tools for programming (e.g. interception, debugging, extending software, etc.), malicious software (e.g. rootkits) and many others," said CyberArk in a blog that explains that GhostHook is a second stage attack.
"Please note, this is neither an elevation nor an exploitation technique. This technique is intended for post-exploitation scenario where the attacker has control over the asset. Since malicious kernel code (rootkits) often seeks to establish persistence in unfriendly territory, stealth technology plays a fundamental role."
Microsoft does not take the threat very seriously and told the security firm that it does not think any emergency remediation work is needed. However, it did not rule it out for the future.
"The engineering team has finished their analysis of this report and determined that it requires the attacker already be running kernel code on the system. As such, this doesn't meet the bar for servicing in a security update however it may be addressed in a future version of Windows. As such I've closed this case," said a spokesperson.
CyberArk thinks that the firm is underestimating the risks here, but it would, because presumably, it spent a lot of time on this.
"Microsoft does not seem to realise that PatchGuard is a kernel component that should not be bypassed, since PatchGuard blocks rootkits from activities such as SSDT hooking, not from executing code in kernel-mode," it coughed. µ
We'll soon have EUV to thank for smaller chips and better phones
Just two years after he co-founded the non-profit AI safety group
Firm claims devices will allow 'untethered VR from anywhere in the world'
The file-sharing web and desktop clients could have shared a little too much