Check Point’s Malware and Vulnerability Research Group today revealed new research into potential attacks on a crucial component of the Windows operating system, and demonstrated such an attack by disclosing a previously unknown vulnerability in Bitdefender Anti-Virus.
The operating system component, known as NDIS, serves as the connecting layer between the network adapter card and the operating system itself. As a result, NDIS presents a huge attack surface: it has to process all network inputs regardless of whether the operating system is configured to accept them or not.
Check Point researcher Nitay Artenstein voiced concerns that NDIS is not properly secured, despite its high exposure to attackers. In a presentation titled “NDIS Packet of Death: Turning Windows’ Complexity Against Itself”, delivered yesterday at the CanSecWest security conference in Vancouver, Artenstein pointed out several factors that make NDIS, and by extension Windows, inherently insecure.
Artenstein first pointed out that NDIS runs almost exclusively on third-party drivers rather than on Microsoft code, making it impossible to verify the secure-coding standards applied in these drivers. He also warned that the faulty design of the interface, and the excessive complexity that NDIS driver programmers are forced to contend with, make writing secure NDIS drivers an almost impossible task.
In his research, Artenstein listed several bugs that are very common in NDIS drivers, and showed how these bugs could be exploited, under the correct conditions, to compromise the whole system.
The practical attack which Artenstein revealed against Bitdefender targets the anti-virus’ NDIS component, and uses a flaw in the driver to gain arbitrary code execution at the highest possible privilege level. This attack is especially powerful, since it can be triggered remotely over a local network without any user interaction, putting millions of unsuspecting users around the world at risk.
Artenstein warned that while Bitdefender have already patched the vulnerability following Check Point’s disclosure, many other NDIS drivers are likely to be vulnerable to the same category of attacks.
These findings join several previously published research results which have highlighted the ironic fact that some endpoint security products may introduce security risks of their own to the system.
Finally, note that most modern IPS appliances, including Check Point’s, will block this attack.