

New bypass disclosed in Microsoft PatchGuard (KPP)



A security researcher published proof-of-concept code last month for an exploit that can bypass the Microsoft Kernel Patch Protection (KPP) security feature, more commonly known as PatchGuard.

Named ByePg, this is the second PatchGuard bypass discovered and publicly disclosed in the past six months, after InfinityHook, which was disclosed in July this year.

What is Microsoft PatchGuard?

Microsoft PatchGuard is a security feature that was introduced in 2005 in Windows XP. It is only available for 64-bit versions of Microsoft Windows, and its role is to prevent apps from patching the kernel.

Patching the kernel is a technical term that refers to modifying the operating system’s most important component (which relays commands from apps to the underlying hardware) with unauthorized code.

Before PatchGuard’s release, many applications took liberties with modifying Windows’ kernel so they could do their job more easily or gain access to sensitive functions. Antivirus software, shady drivers, game cheats, and malware would often use kernel patching for their own very different purposes.

Rootkit developers were among the biggest fans of kernel patching, using the technique as a way to embed their malware at the OS level, giving it unfettered access to all of the user’s computer.

Initially, PatchGuard wasn’t the resounding success that Microsoft had hoped, and several bypasses were discovered in the late 2010s, all of which Microsoft eventually patched.

PatchGuard didn’t kill rootkits on its own, but rootkits did eventually die out, especially after the launch of Windows 10, which added further security features alongside PatchGuard.

PatchGuard bypasses

However, even if PatchGuard took a backseat in Windows’ ever-increasing layers of security features, security researchers have continued to prod at its internal mechanism, looking for new ways to bypass the protections it provides.

After Windows 10’s release in 2015, the most notable of all PatchGuard bypasses was GhostHook, discovered by CyberArk researchers in 2017. GhostHook abused the Intel Processor Trace (PT) feature to bypass PatchGuard and patch the kernel.

A second bypass was discovered and disclosed over the summer, in July. Found by Nick Peterson, anti-cheat expert at Riot Games, this bypass was named InfinityHook, and abused the NtTraceEvent API to patch the kernel.

Describing the bypass at the time, Peterson said “InfinityHook stands to be one of the best tools in the rootkit arsenal over the last decade.”

Last month, a third PatchGuard bypass was disclosed; this time by Turkish software developer Can Bölük. Named ByePg, this exploit hijacks the HalPrivateDispatchTable to allow a rogue app to patch the kernel.

Just like Peterson, when describing ByePg, Bölük said that the “weaponization potential of [ByePg] is only limited by your creativity.”

ByePg is considered even more dangerous, as it can bypass both PatchGuard and Hypervisor-Protected Code Integrity (HVCI), a feature that allows Microsoft to blacklist bad drivers on users’ devices.

All three — CyberArk, Peterson, and Bölük — went public with their respective PatchGuard bypasses after Microsoft refused to fix the issues.

Microsoft’s response in all three cases was the same. All three exploits needed admin rights to run, meaning they couldn’t be classified as security issues.

The OS maker argued that once an attacker has access to a local system with admin rights, they can carry out any operation they want. Technically, they’re right, but also wrong. While this explanation might be true for any other attack vector, it is not valid for PatchGuard, a system meant to safeguard the kernel even from high-privileged processes — like a driver or an antivirus app. This was PatchGuard’s sole purpose, researchers argued.

They also said that it’s trivial nowadays for an attacker to elevate privileges and then run something like InfinityHook or the new ByePg to establish a permanent foothold in the kernel itself, opening the door for the return of rootkits on Windows 10, a platform they haven’t managed to infect in the same numbers as they did older Windows versions like XP, Vista, and 7.

When this reporter reached out to Microsoft in 2017, the OS maker said they were not ignoring the issue, but they were just not prioritizing it as a security flaw.

At Microsoft, security flaws get fixed right away and patches are delivered via the monthly Patch Tuesday process. Bugs, on the other hand, are patched on a biannual cycle.

To its credit, Microsoft did patch GhostHook sometime in late 2017, but nobody knew it had happened for weeks. A patch for InfinityHook was also shipped in Windows Insider builds in September, and is most likely included with Windows 10 v1909, released earlier this month.

ByePg remains unpatched, and Bölük, just like the other security researchers before him, now feels that his research work is being spurned.

The researcher told ZDNet in a private conversation that he understood Microsoft’s bug bounty program’s rules, and that he would not be eligible for a monetary payout. However, he feels that Microsoft is downplaying the severity of these exploits and delaying patches unnecessarily, opening the door for possible attacks.

Rules will not be changing

From our interactions with Microsoft’s public relations staff, we knew we wouldn’t get a straight answer to our questions, so we reached out to a Microsoft employee who works as part of the company’s bug bounty program and granted him anonymity for his statements.

The employee described the PatchGuard bypass issue as a technical loophole in the company’s program rules, but one that’s not going to get an exception from Microsoft’s staff.

While the rule that “administrator-to-kernel is not a security boundary” clearly states that exploits run with administrative privileges don’t count for the company’s bug rewards program, he also understands that this is a big issue, especially with PatchGuard.

However, our source wanted to be very clear that these issues don’t get ignored, and bypassing PatchGuard or any of the company’s other security features does raise an eyebrow at Microsoft.

The three PatchGuard bypasses might not have gotten a “security bug” classification, but they were eventually fixed, albeit at a slower pace and by another team.

The Microsoft employee tells us that this classification as a bug rather than a security flaw is what usually irks about 99% of the researchers who report these things.

He says most security researchers understand that Microsoft’s bug bounty program has rules and that they won’t be eligible for cash rewards, but most are annoyed that their work — which in many cases took months — won’t get any public recognition from Microsoft, at all.

Furthermore, the bugs they find will also not receive a CVE number — an identification code for a valid vulnerability, which many researchers collect and flaunt as trophies.

This is why, he said, many researchers go public with details about their work, complete with proof-of-concept code that can be very easily weaponized. Our source tells us he doesn’t blame researchers for doing so, nor do his colleagues, as this is sometimes the only way to show their reverse engineering and bug-hunting talents in the absence of a nod from Microsoft.



The Five Pillars of (Azure) Cloud-based Application Security



This 1-hour webinar from GigaOm brings together experts in Azure cloud application migration and security, featuring GigaOm analyst Jon Collins and special guests from Fortinet: Daniel Schrader, Director of Product Marketing for Public Cloud, and Aidan Walden, Global Director of Public Cloud Architecture and Engineering.

These interesting times have accelerated the drive towards digital transformation, application rationalization, and migration to cloud-based architectures. Enterprise organizations are looking to increase efficiency, but without impacting performance or increasing risk, whether from infrastructure resilience or from end-user behaviors.

Success requires a combination of best practice and appropriate use of technology, depending on where the organization is on its cloud journey. Elements such as zero-trust access and security-driven networking need to be deployed in parallel with security-first operations, breach prevention and response.

If you are looking to migrate applications to the cloud and want to be sure your approach maximizes delivery whilst minimizing risk, this webinar is for you.



Data Management and Secure Data Storage for the Enterprise



This free 1-hour webinar from GigaOm Research brings together experts in data management and security, featuring GigaOm Analyst Enrico Signoretti and special guest from RackTop Systems, Jonathan Halstuch. The discussion will focus on data storage and how to protect data against cyberattacks.

Most of the recent news coverage and analysis of cyberattacks focuses on hackers gaining access to and control of critical systems. Yet it is rarely mentioned that the most valuable asset for the organizations under attack is the data contained in these systems.

In this webinar, you will learn about the risks and costs of a poor data security management approach, and how to improve your data storage to prevent and mitigate the consequences of a compromised infrastructure.



CISO Podcast: Talking Anti-Phishing Solutions



Simon Gibson earlier this year published the report, “GigaOm Radar for Phishing Prevention and Detection,” which assessed more than a dozen security solutions focused on detecting and mitigating email-borne threats and vulnerabilities. As Gibson noted in his report, email remains a prime vector for attack, reflecting the strategic role it plays in corporate communications.

Earlier this week, Gibson’s report was a featured topic of discussion on David Spark’s popular CISO Security Vendor Relationship Podcast. In it, Spark interviewed a pair of chief information security officers—Mike Johnson, CISO for Salesforce, and James Dolph, CISO for Guidewire Software—to get their take on the role of anti-phishing solutions.

“I want to first give GigaOm some credit here for really pointing out the need to decide what to do with detections,” Johnson said when asked for his thoughts about selecting an anti-phishing tool. “I think a lot of companies charge into a solution for anti-phishing without thinking about what they are going to do when the thing triggers.”

As Johnson noted, the needs and vulnerabilities of a large organization aligned on Microsoft 365 are very different from those of a smaller outfit working with GSuite. A malicious Excel macro-laden file, for example, poses a credible threat to a Microsoft shop and therefore argues for a detonation solution to detect and neutralize malicious payloads before they can spread and morph. On the other hand, a smaller company is more exposed to business email compromise (BEC) attacks, since spending authority is often spread among many employees in these businesses.

Gibson’s radar report describes both in-line and out-of-band solutions, but Johnson said cloud-aligned infrastructures argue against traditional in-line schemes.

“If you put an in-line solution in front of [Microsoft] 365 or in front of GSuite, you are likely decreasing your reliability, because you’ve now introduced this single point of failure. Google and Microsoft have this massive amount of reliability that is built in,” Johnson said.

So how should IT decision makers go about selecting an anti-phishing solution? Dolph answered that question with a series of questions of his own:

“Does it nail the basics? Does it fit with the technologies we have in place? And then secondarily, is it reliable, is it tunable, is it manageable?” he asked. “Because it can add a lot of overhead, especially if you have a small team, if these tools are really disruptive to the email flow.”

Dolph concluded by noting that it’s important for solutions to provide insight that can help organizations target their protections, as well as support both training and awareness around threats. Finally, he urged organizations to consider how they can measure the effectiveness of solutions.

“I may look at other solutions in the future and how do I compare those solutions to the benchmark of what we have in place?”
