BoundHook: Microsoft downplays Windows systems exploit technique

It's just not a security vulnerability, says Redmond


Features of Intel's Memory Protection Extensions (MPX), designed to prevent memory errors and attacks, might be abused to launch assaults on Windows systems, security researchers claim.

Windows 10 uses Intel MPX to secure applications by detecting boundary exceptions (common during a buffer overflow attack). An exploit technique developed by CyberArk Labs uses the boundary exception itself as the hook to give attackers control of Windows 10 devices.

The researchers claim the so-called "BoundHook" technique creates a potential mechanism for hackers to exploit the design of Intel Memory Protection Extensions to hook applications in user mode and execute code. According to CyberArk Labs, this malfeasance could, in theory, allow attacks to fly under the radar of antivirus software or other security measures on both 32-bit and 64-bit Windows 10 devices.

Microsoft has downplayed the significance of the potential attack, telling CyberArk Labs that it's only useful as a technique for post-hack exploitation. Microsoft dismisses the research as a "marketing report", from which The Reg infers that it sees no need to patch the technique.

A Microsoft spokesperson told The Reg: "The technique described in this marketing report does not represent a security vulnerability and requires a machine to already be compromised to potentially work. We encourage customers to always keep their systems updated for the best protection."

BoundHook is the second known technique discovered by CyberArk Labs to hook functions in Windows. The first technique, dubbed GhostHook, bypasses Microsoft's attempts to prevent kernel-level attacks (e.g. PatchGuard) and uses this hooking approach to take control of a device. Microsoft dismissed the potential route of that attack as a low-risk threat, as we previously reported. ®
