Impact of SSDT Argument Substitution Attacks (KHOBE)
A report was released recently describing “SSDT Argument Substitution Attacks” against certain Windows endpoint security products. The original report can be found at: http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php.
In a nutshell, this problem seems to fall under Law #1 of the 10 Immutable Laws of Security (http://technet.microsoft.com/en-us/library/cc722487.aspx).
“If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.”
Of the security product vendors that have responded to this report so far, I believe this law is the recurring theme in their replies: if a KHOBE attack has gotten past your layered defenses and is running on your endpoint, then you already have malicious code running on that endpoint. The other point the AV vendors are making is that the remaining defensive layers (e.g. HIPS/HIDS and the newer reputation-based endpoint protection technologies) should help with detection and prevention.
The statements made by some in the media that KHOBE does not affect Vista SP1 and later, or Windows 7, because of Microsoft’s Kernel Patch Protection (PatchGuard) are only true of the 64-bit versions of those operating systems, not the 32-bit versions. PatchGuard exists only on 64-bit Windows; on 32-bit builds a security product can still hook the SSDT, and it is that hook’s check-then-use of user-mode arguments that KHOBE races against.
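To make the race concrete, the following is an added user-mode simulation of the argument substitution pattern, written for this page; it is not code from the matousec report or from any vendor. The "hook", the "original service", the toy path policy and the attacker callback are all hypothetical stand-ins. Instead of a real second thread, the attacker's write is modelled as a callback that fires in the window between the hook's check and the original service's use of the same buffer, which keeps the outcome deterministic while preserving the double-fetch structure:

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the argument buffer a user-mode thread hands to a
 * hooked system service (think of the object path passed to an open call).
 * In the real attack this buffer lives in user memory and a second thread
 * overwrites it while the first thread is inside the syscall. */
typedef struct {
    char path[128];
} user_args_t;

/* Hypothetical hook point for the attacker's second thread: it runs in the
 * window between the hook's check and the original service's use. */
typedef void (*race_window_fn)(user_args_t *args, const void *ctx);

/* Stand-in for the original (un-hooked) system service: it fetches the
 * argument buffer itself and "opens" whatever path it finds there. */
static int original_service(const user_args_t *args, char *opened, size_t n)
{
    snprintf(opened, n, "%s", args->path);
    return 0;
}

/* Toy policy: deny anything under the Windows directory. */
static int policy_allows(const char *path)
{
    return strncmp(path, "C:\\Windows\\", 11) != 0;
}

/* Vulnerable SSDT-hook pattern: validate the user buffer in place, then let
 * the original service fetch the same buffer again (double fetch / TOCTOU). */
static int hooked_service_vulnerable(user_args_t *args, race_window_fn window,
                                     const void *ctx, char *opened, size_t n)
{
    if (!policy_allows(args->path))
        return -1;                               /* check */
    if (window)
        window(args, ctx);                       /* attacker thread runs here */
    return original_service(args, opened, n);    /* use: re-reads user memory */
}

/* Hardened double-fetch pattern: copy once, validate the copy, use the copy. */
static int hooked_service_hardened(user_args_t *args, race_window_fn window,
                                   const void *ctx, char *opened, size_t n)
{
    user_args_t snapshot;
    memcpy(&snapshot, args, sizeof snapshot);
    if (!policy_allows(snapshot.path))
        return -1;
    if (window)
        window(args, ctx);                       /* substitution hits a stale buffer */
    return original_service(&snapshot, opened, n);
}

/* The attacker's second thread: swap the argument for a denied path. */
static void substitute_path(user_args_t *args, const void *ctx)
{
    snprintf(args->path, sizeof args->path, "%s", (const char *)ctx);
}

/* Constructed sample paths. */
static const char BENIGN[] = "C:\\Users\\alice\\notes.txt";
static const char DENIED[] = "C:\\Windows\\System32\\drivers\\evil.sys";

/* Returns 1 when the vulnerable hook lets the denied path through. */
int vulnerable_hook_bypassed(void)
{
    user_args_t args;
    char opened[128] = "";
    snprintf(args.path, sizeof args.path, "%s", BENIGN);
    if (hooked_service_vulnerable(&args, substitute_path, DENIED,
                                  opened, sizeof opened) != 0)
        return 0;
    return strcmp(opened, DENIED) == 0;
}

/* Returns 1 when the hardened hook still opens the path that was checked. */
int hardened_hook_holds(void)
{
    user_args_t args;
    char opened[128] = "";
    snprintf(args.path, sizeof args.path, "%s", BENIGN);
    if (hooked_service_hardened(&args, substitute_path, DENIED,
                                opened, sizeof opened) != 0)
        return 0;
    return strcmp(opened, BENIGN) == 0;
}

int main(void)
{
    printf("vulnerable hook bypassed: %s\n", vulnerable_hook_bypassed() ? "yes" : "no");
    printf("hardened hook holds:      %s\n", hardened_hook_holds() ? "yes" : "no");
    return 0;
}
```

The snapshot-then-validate pattern is the general defense against a double fetch, but note its limit for an SSDT hook: the original system service captures its own arguments from user memory, so a third-party hook cannot simply hand it a private copy, and the hook's check is therefore always against a buffer the caller still controls. That is why the practical answer is to stop hooking the SSDT and use Microsoft's supported filtering interfaces (file-system minifilters and the process and object callback routines), which is exactly what PatchGuard forces on 64-bit Windows.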
Once we as an industry have absorbed 32-bit Windows 7 and migrated the software ecosystem around Windows to work properly alongside its security improvements, is it time to hasten the move to 64-bit Windows to address new types of attacks against the Windows architecture like KHOBE?