In association with heise online

19 September 2007, 15:32

Security software drivers endanger system stability

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

In addition to some information about vulnerabilities in the drivers of a number of security products, security service provider Matousec has published a tool that users and programmers can use to check whether kernel mode drivers have been properly implemented. The drivers used in Windows security solutions hook the system functions in the System Service Descriptor Table (SSDT) in order to monitor the computer. Unfortunately, they often do not properly filter the parameters they receive; as a result, a flaw in the context of the kernel can cause the system to crash or allow injected code to be executed. For instance, local users can escalate their system privileges.

In their analysis, the security experts at Matousec describe some of the flaws they found most often – and how programmers can avoid them. Microsoft also provides documents describing the guidelines for the proper programming of drivers.

In its report Matousec also presents a tool called BSODhook, which can be downloaded for free (ZIP file). It allows programmers and users to try out a number of different parameters when calling system functions that security software is connected to. If a driver does not properly filter a call, the system will usually crash, resulting in a loss of any changes made to the system but not saved. Obviously this tool should be used with caution.

The researchers say they have detected improper driver implementations in a number of security products by using BSODhook. Matousec's analysis lists the following products:

  • BlackICE PC Protection 3.6.cqn
  • G DATA InternetSecurity 2007
  • Ghost Security Suite beta 1.110 and alpha 1.200
  • Kaspersky Internet Security
  • Norton Internet Security 2008
  • Online Armor Personal Firewall
  • Outpost Firewall Pro 4.0.1025.7828
  • Privatefirewall
  • Process Monitor 1.22
  • ProcessGuard 3.410
  • ProSecurity 1.40 Beta 2
  • RegMon 7.04
  • ZoneAlarm Pro 7.0.362.000

Most of these products are the current versions, for which no updates exist at the moment.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit