From Computer World

'Very serious' says one antivirus exec, especially for Windows XP usersA just-published attack tactic that bypasses the security protections of most current antivirus software is a "very serious" problem, an executive at one unaffected company said today.

Last Wednesday, researchers at Matousec.com outlined how attackers could exploit the kernel driver hooks that most security software use to reroute Windows system calls through their software to check for potential malicious code before it's able to execute.

Calling the technique an "argument-switch attack," a Matousec-written paper spelled out in relatively specific terms how an attacker could swap out benign code for malicious code between the moments when the security software issues a green light and the code actually executes.

"This is definitely very serious," said Alfred Huger, vice president of engineering at Immunet, a Palo Alto, Calif.-based antivirus company. "Probably any security product running on Windows XP can be exploited this way." Huger added that Immunet's desktop client is not vulnerable to the argument-switch attacks because the company's software uses a different method to hook into the Windows kernel.

According to Matousec, nearly three-dozen Windows desktop security titles, including ones from Symantec, McAfee, Trend Micro, BitDefender, Sophos and others, can be exploited using the argument-switch tactic. Matousec said it had tested the technique on Windows XP SP3 and Vista SP1 on 32-bit machines.

[More....] [Comments...]