Security software drivers endanger system stability
In addition to some information about vulnerabilities in the drivers of a number of security products, security service provider Matousec has published a tool that users and programmers can use to check whether kernel mode drivers have been properly implemented. The drivers used in Windows security solutions hook the system functions in the System Service Descriptor Table (SSDT) in order to monitor the computer. Unfortunately, they often do not properly filter the parameters they receive; as a result, a flaw in the context of the kernel can cause the system to crash or allow injected code to be executed. For instance, local users can escalate their system privileges.
In their analysis, the security experts at Matousec describe some of the flaws they found most often – and how programmers can avoid them. Microsoft also provides documents describing the guidelines for the proper programming of drivers.
In its report Matousec also presents a tool called BSODhook, which can be downloaded for free (ZIP file). It allows programmers and users to try out a number of different parameters when calling system functions that security software is connected to. If a driver does not properly filter a call, the system will usually crash, resulting in a loss of any changes made to the system but not saved. Obviously this tool should be used with caution.
The researchers say they have detected improper driver implementations in a number of security products by using BSODhook. Matousec's analysis lists the following products:
- BlackICE PC Protection 3.6.cqn
- G DATA InternetSecurity 2007
- Ghost Security Suite beta 1.110 and alpha 1.200
- Kaspersky Internet Security 18.104.22.168
- Norton Internet Security 2008 22.214.171.124
- Online Armor Personal Firewall 126.96.36.199
- Outpost Firewall Pro 4.0.1025.7828
- Privatefirewall 188.8.131.52
- Process Monitor 1.22
- ProcessGuard 3.410
- ProSecurity 1.40 Beta 2
- RegMon 7.04
- ZoneAlarm Pro 7.0.362.000
Most of these products are the current versions, for which no updates exist at the moment.
- Analysis and download at Matousec