Security Firm Finds Gaps in Popular AV Software


The security software offerings of 35 of the world's leading vendors can be compromised by something called an argument-switch attack that would allow a virtually limitless amount of malicious code to infiltrate Windows-based PCs and devices, according to a report by security researcher Matousec.

The so-called argument-switch attack, which Matousec researchers also refer to as a KHOBE attack—short for Kernel Hook Bypassing Engine—is especially effective against user-mode and kernel-mode hooks. These hooks are modifications that security products make to the operating system's system-call path so that their own checking code runs before the original kernel routine does.

Matousec's KHOBE testing engine had little trouble exploiting this vulnerability in some 35 popular security applications that rely on a technique called System Service Descriptor Table (SSDT) hooking, including products from McAfee (NYSE: MFE), Symantec (NASDAQ: SYMC), Sophos, Panda Security and BitDefender.

"The results can be summarized in one sentence: If a product uses SSDT hooks or other kinds of kernel mode hooks on a similar level to implement security features it is vulnerable," Matousec officials wrote. "In other words, 100 percent of the tested products were found vulnerable.

"The only reason there are not more products in the following table is our time limitation," it added. "Otherwise, the list would be endless."

However, Matousec officials said that this particular attack method also requires that would-be attackers have the access and ability to execute code on a system—in other words, the attacker would either need local access to the network or would have to use the argument-switch technique in combination with another attack vector.
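The problem the report describes is a check-versus-use race: the hook reads the system call's argument from user memory to validate it, and the original kernel routine reads the same memory again afterwards, so code already running on the machine can change the value in between. The following C program is an added illustration written for this article, not Matousec's engine or any vendor's code. It models user memory as a small struct and triggers the "other thread's" rewrite deterministically on the second read, then runs a vulnerable hook (two fetches) beside a hardened one (one fetch into a private copy, validated and passed on as-is). The protected-directory policy and all paths are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the argument-switch (double-fetch) race.
 * "User memory" is a struct the hook reads through fetch(). In the real race a
 * second thread rewrites the buffer between the hook's check and the kernel's
 * use; here the rewrite fires on the second read so the outcome is repeatable. */
#define PROTECTED_PREFIX "C:\\Windows\\"   /* hypothetical policy: deny opens here */

typedef struct {
    char path[128];        /* argument as it sits in user memory */
    const char *swap_to;   /* value the "other thread" writes after read #1 (NULL: no race) */
    int reads;             /* number of fetches so far */
} user_arg_t;

/* Read the argument from user memory. From the second read on, the modelled
 * concurrent writer has already replaced it. */
static const char *fetch(user_arg_t *a) {
    a->reads++;
    if (a->reads > 1 && a->swap_to != NULL)
        snprintf(a->path, sizeof a->path, "%s", a->swap_to);
    return a->path;
}

static int is_protected(const char *path) {
    return strncmp(path, PROTECTED_PREFIX, sizeof PROTECTED_PREFIX - 1) == 0;
}

/* Stand-in for the original kernel service: records the path it operated on. */
static int original_service(const char *path, char *opened, size_t n) {
    snprintf(opened, n, "%s", path);
    return 0;
}

/* Vulnerable hook: validates the argument with one fetch, then lets the original
 * service fetch it again. The two reads can see different values. */
static int hook_vulnerable(user_arg_t *arg, char *opened, size_t n) {
    if (is_protected(fetch(arg)))
        return -1;                                   /* denied */
    return original_service(fetch(arg), opened, n);  /* second fetch: the switched value */
}

/* Hardened hook: fetches once into memory the caller cannot touch, validates
 * that copy, and passes the same copy downstream. */
static int hook_hardened(user_arg_t *arg, char *opened, size_t n) {
    char copy[128];
    snprintf(copy, sizeof copy, "%s", fetch(arg));
    if (is_protected(copy))
        return -1;
    return original_service(copy, opened, n);
}

/* Run one scenario. Returns -1 if the hook denied the call, 1 if the service
 * ended up operating on a protected path (policy bypassed), 0 if the policy held. */
int simulate(int hardened, const char *initial, const char *swap_to) {
    user_arg_t arg = { .swap_to = swap_to, .reads = 0 };
    char opened[128] = "";
    snprintf(arg.path, sizeof arg.path, "%s", initial);
    int rc = hardened ? hook_hardened(&arg, opened, sizeof opened)
                      : hook_vulnerable(&arg, opened, sizeof opened);
    if (rc != 0)
        return -1;
    return is_protected(opened) ? 1 : 0;
}

int main(void) {
    const char *benign = "C:\\Users\\alice\\notes.txt";                    /* constructed */
    const char *target = "C:\\Windows\\System32\\drivers\\example.sys";   /* constructed */
    printf("vulnerable hook, argument switched:  %s\n",
           simulate(0, benign, target) == 1 ? "policy BYPASSED" : "policy held");
    printf("hardened hook,   argument switched:  %s\n",
           simulate(1, benign, target) == 1 ? "policy BYPASSED" : "policy held");
    printf("vulnerable hook, protected path given openly: %s\n",
           simulate(0, target, NULL) == -1 ? "denied" : "allowed");
    return 0;
}
```

The point of the hardened version is that the value that was checked is the value that is used; whether a hook can guarantee that depends on where in the call path it sits, which is why the report argues that hooks at the SSDT level are the wrong place to enforce such policy.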

Despite the best efforts of leading security vendors, such as McAfee, Symantec and Trend Micro, hackers and malware purveyors continue to enjoy unprecedented success infiltrating both consumer and enterprise networks and systems.

Gartner predicts the worldwide security software market will grow from roughly $14.5 billion last year to more than $16.3 billion in 2010 as companies race to keep pace with sophisticated, targeted malware campaigns designed to pilfer data, cash and intellectual capital.

While its Norton Internet Security 2010 suite was one of the three dozen compromised in the Matousec tests, Symantec (NASDAQ: SYMC) officials said its new line of cloud-based security applications would eliminate any chance of exposing data to this type of attack.

"The malicious exploit presented in the Matousec research is exactly the type that the Symantec Hosted Services heuristic detection system is placed to pick up and is not an attack against which our servers would be susceptible since our AV systems don't run using the file system hooks that desktop AV uses," Martin Lee, a senior software engineer in Symantec's Hosted Services group, told

"This type of attack requires the attacker to have the ability to run arbitrary code on the target machine which would imply that the machine is already compromised (bypassing the security mechanisms in place to detect the malware) or the attacker already has physical access to the machine," he added. "SaaS customers are completely safe from this type of attack."

For now, however, most enterprises rely on on-premise security applications to protect their desktop and laptop PC installations.

And in this one test sample, it's apparent that Windows-based shops have something else to worry about now.

"We tested the most widely-used security applications and found out that all of them are vulnerable," Matousec officials said. "Today's most popular security solutions simply do not work."

Larry Barrett is a senior editor at, the news service of, the network for technology professionals.