Your Anti-Virus Sucks

OK, maybe it doesn't suck, but according to a vulnerability uncovered by matousec.com, it can be beaten, no matter which one you're using.
The method uses the driver hooks that anti-virus programs use to interface with the Windows operating system, sending it a sample of harmless code that will pass security checks before being swapped out with a harmful payload.
The timing is important, but multi-core processors make it easier: on these systems one thread cannot always see what other threads are doing at the same moment, so the check on one core and the switch on another can overlap. Using this "argument-switch" attack, most Windows PCs can end up running code that would otherwise be blocked.
According to the researchers, they've run the test on as many Windows security programs as they had time for (34 of them, actually) and the exploit has worked 100% of the time, due to the fact that the AV programs all use System Service Descriptor Table (SSDT) hooks to modify the OS Kernel.
Although the attack even works when used against a user account with limited permissions, the user must have the ability to run a binary on the PC. So, um, that'd be most corporate, and pretty much every home user, anywhere.
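The flaw the article describes is a classic time-of-check/time-of-use race: a hook validates arguments that still live in memory the caller controls, then the real system service reads them a second time. The sketch below is an added illustration written for this post, not code from matousec.com or from any product; the "hook", the toy path policy (`/sandbox/` allowed, `/protected/` refused), and the `race` callback that stands in for a second thread rewriting the argument block are all constructed. It shows the double-fetch side by side with the usual mitigation, capturing the argument once and both checking and acting on that private copy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a syscall argument block as a hook sees it:
 * memory owned by the caller, which another thread may rewrite at any time. */
typedef struct {
    char path[64];
} syscall_args;

/* Toy policy: only paths under /sandbox/ are allowed (constructed for the demo). */
static bool is_allowed(const char *path) {
    return strncmp(path, "/sandbox/", 9) == 0;
}

/* Models "another thread ran between the check and the use". Passing NULL
 * models the un-raced case. */
typedef void (*race_fn)(syscall_args *);

/* Double-fetch hook: reads args->path once to check and again to act.
 * Anything that changes the buffer in between is acted on unchecked. */
bool vulnerable_hook(syscall_args *args, race_fn race, char *acted_on, size_t n) {
    if (!is_allowed(args->path))
        return false;              /* check uses fetch #1 */
    if (race)
        race(args);                /* the window the attack relies on */
    snprintf(acted_on, n, "%s", args->path); /* act uses fetch #2 */
    return true;
}

/* Capture-once hook: copy the caller's arguments into memory the caller
 * cannot touch, then check and act only on the copy. */
bool hardened_hook(syscall_args *args, race_fn race, char *acted_on, size_t n) {
    syscall_args local;
    memcpy(&local, args, sizeof local); /* single fetch */
    if (!is_allowed(local.path))
        return false;
    if (race)
        race(args);                /* same window, but args is no longer read */
    snprintf(acted_on, n, "%s", local.path);
    return true;
}

/* Constructed race: the caller rewrites the argument after it passed the check. */
void swap_args(syscall_args *a) {
    snprintf(a->path, sizeof a->path, "%s", "/protected/secret");
}

int main(void) {
    syscall_args a;
    char buf[64];

    snprintf(a.path, sizeof a.path, "%s", "/sandbox/ok.txt");
    printf("vulnerable: allowed=%d acted_on=%s\n",
           vulnerable_hook(&a, swap_args, buf, sizeof buf), buf);

    snprintf(a.path, sizeof a.path, "%s", "/sandbox/ok.txt");
    printf("hardened:   allowed=%d acted_on=%s\n",
           hardened_hook(&a, swap_args, buf, sizeof buf), buf);
    return 0;
}
```

The vulnerable hook reports "allowed" and then acts on the swapped path; the hardened one also reports "allowed" but acts on the value it actually checked, and refuses a protected path outright when no race occurs. The copy is only a real fix if everything downstream, including the original service the hook forwards to, consumes the captured copy rather than re-reading the caller's memory, which is exactly what a hook bolted onto a table of kernel entry points cannot guarantee.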
That's not so great.