SECURITY FIRM CYBERARK has issued an alert about GhostHook, an attack that swoops past Microsoft's PatchGuard protective layer.
Once the thing has swanned past the Microsoft bouncer software it is free to take root control on Windows 10, 64-bit OS devices. CyberArk reckons that it has caught itself a whopper here, claiming to have discovered the first attack to treat PatchGuard with so little attention and take root level control.
Sounds like a real doozy. "Hooking techniques give you the control over the way an operating system or a piece of software behaves. Some of the software that utilizes hooks include: application security solutions, system utilities, tools for programming (e.g. interception, debugging, extending software, etc.), malicious software (e.g. rootkits) and many others," said CyberArk in a blog that explains that GhostHook is a second stage attack.
"Please note, this is neither an elevation nor an exploitation technique. This technique is intended for post-exploitation scenario where the attacker has control over the asset. Since malicious kernel code (rootkits) often seeks to establish persistence in unfriendly territory, stealth technology plays a fundamental role."
Microsoft does not take the threat very seriously and told the security firm that it does not think any emergency remediation work is needed. However, it did not rule it out for the future.
"The engineering team has finished their analysis of this report and determined that it requires the attacker already be running kernel code on the system. As such, this doesn't meet the bar for servicing in a security update however it may be addressed in a future version of Windows. As such I've closed this case," said a spokesperson.
CyberArk thinks that the firm is underestimating the risks here, but it would, because presumably, it spent a lot of time on this.
"Microsoft does not seem to realise that PatchGuard is a kernel component that should not be bypassed, since PatchGuard blocks rootkits from activities such as SSDT hooking, not from executing code in kernel-mode," it coughed. µ
Check Point warns that 'the next cyber hurricane is about to come'
He who controls the Animoji, rules the Animoji
Ha ha ha, hee hee hee, Will Cooke from Ubuntu had a chat with we
POKE no more. Oh wait, that was 30 years ago