BoundHook: Microsoft downplays Windows systems exploit technique

It's just not a security vulnerability, says Redmond

Features of Intel MPX designed to prevent memory errors and attacks might be abused to launch assaults on Windows systems, security researchers claim.

Windows 10 uses Intel MPX to secure applications by detecting boundary exceptions (common during a buffer overflow attack). An exploit technique by CyberArk Labs uses the boundary exception as the hook itself to give attackers control of Windows 10 devices.

The researchers claim the so-called "BoundHook" technique creates a potential mechanism for hackers to exploit the design of Intel Memory Protection Extensions to hook applications in user mode and execute code. According to CyberArk Labs, this malfeasance could, in theory, allow attacks to fly under the radar of antivirus products and other security measures on 32-bit and 64-bit Windows 10 devices.

Microsoft has downplayed the significance of the potential attack, telling CyberArk Labs that it's only useful as a technique for post-hack exploitation. MS dismisses the research as a "marketing report", from which The Reg infers it sees no need to have the tech patched.

A Microsoft spokesperson told The Reg: "The technique described in this marketing report does not represent a security vulnerability and requires a machine to already be compromised to potentially work. We encourage customers to always keep their systems updated for the best protection."

BoundHook is the second known technique discovered by CyberArk Labs to hook functions in Windows. The first technique, dubbed GhostHook, bypasses Microsoft's attempts to prevent kernel-level attacks (e.g. PatchGuard) and uses this hooking approach to take control of a device. Microsoft dismissed the potential route of that attack as a low-risk threat, as we previously reported. ®




Biting the hand that feeds IT © 1998–2018