New bypass disclosed in Microsoft PatchGuard (KPP)

Discussion in 'other security issues & news' started by mood, Nov 22, 2019.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    25,466
    New bypass disclosed in Microsoft PatchGuard (KPP)
    After GhostHook and InfinityHook, we now have ByePg. No patch out yet
    November 22, 2019

    https://www.zdnet.com/article/new-bypass-disclosed-in-microsoft-patchguard-kpp/
    ByePg: Defeating Patchguard Using Exception-Hooking
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,491
    Location:
    The Netherlands
    Interesting stuff, and this should be patched by M$ as soon as possible. Because we don't want to end up with the same rootkit mess as on Win XP. If malware can take control of the kernel, there aren't many security tools that will be able to stop them.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thats why keeping them from running is more effective then detecting them as they run
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,491
    Location:
    The Netherlands
    That's a no brainer, but what if you are tricked into installing malware? That's the whole point of behavior blocking, you block dangerous behavior from apps that are already running in memory. The problem is that most BB's can't stop malware from modifying the kernel, you need PatchGuard for this. So M$ shouldn't downplay such problems.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,904
    Location:
    U.S.A.
    The zdnet article is misleading. Toward the end of the article, note the following:
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Number one security software sits above your shoulders
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,491
    Location:
    The Netherlands
    Correct, but you can still get tricked. Remember about the CCleaner incident? In thoery, they could have included malware that could bypass KPP, and then it's a whole different ball game.
     
  8. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,056
    Location:
    Member state of European Union
    Thanks for this quotation. I have know this from general overview how Windows works and common sense, but I have never seen stated that so clearly by Microsoft itself.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.