Last Wednesday, researchers at Matousec.com outlined how attackers could exploit the kernel driver hooks that most security software use to reroute Windows system calls through their software to check for potential malicious code before it's able to execute.
[ Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from InfoWorld's expert contributors in InfoWorld's "Malware Deep Dive" PDF guide. ]
Calling the technique an "argument-switch attack," a Matousec-written paper spelled out in relatively specific terms how an attacker could swap out benign code for malicious code between the moments when the security software issues a green light and the code actually executes.
"This is definitely very serious," said Alfred Huger, vice president of engineering at Immunet, a Palo Alto, Calif.-based anti-virus company. "Probably any security product running on Windows XP can be exploited this way." Huger added that Immunet's desktop client is not vulnerable to the argument-switch attacks because the company's software uses a different method to hook into the Windows kernel.
According to Matousec, nearly three-dozen Windows desktop security titles, including ones from Symantec, McAfee, Trend Micro, BitDefender, Sophos and others, can be exploited using the argument-switch tactic. Matousec said it had tested the technique on Windows XP SP3 and Vista SP1 on 32-bit machines.
Some security vendors agreed with Huger. "It's a serious issue and Matousec's technical findings are correct," said Mikko Hypponen, chief research officer at Finnish firm F-Secure, in an email.
"Matousec's research is absolutely important and significant in the short term," echoed Rik Ferguson, a senior security advisor at Trend Micro, in a blog post earlier Monday.
Other anti-virus companies downplayed the threat, however. "Based on our initial review of the public documentation, we believe this is a complicated attack with several mitigating factors that make it unlikely to be a viable, real world, widespread attack scenario," a McAfee spokesman said in an email reply to a request for comment. "The attack would require some level of existing access to the target computer, as the attack described by Matousec does not on its own bypass security software or allow malware to run."