Microsoft denies that BoundHook vulnerability is actually a vulnerability
Security researchers at CyberArk are reporting a new technique that could be used to take control of Windows 10 devices.
Known as BoundHook, the technique takes advantage of the BOUND hooking technique in Intel MPX (Memory Protection Extensions). But while CyberArk says that it will "bring new capabilities to both software security vendors and malware writers," Microsoft is downplaying the issue, suggesting there is nothing to worry about.
CyberArk acknowledges that the "technique can be used in a post-exploitation scenario in which the attacker has control over the asset." That said, it's not something that should necessarily be ignored. "Since malicious kernel code (rootkits) often seeks to establish persistence in unfriendly territory, stealth technology plays a fundamental role."
Over on the CyberArk website, there is some detail about how the technique works. The concern is that the method may well not be detected by antivirus and anti-malware software.
Microsoft has previously dismissed a similar vulnerability (GhostHook) that was also reported by CyberArk, saying:
"We have completed our investigation of this issue and have found that it is not a vulnerability but a technique to avoid detection once the machine is already compromised. Because it's a post-exploitation technique it doesn't meet the bar for servicing in a security update but we will consider fixing it in a future version of Windows."
It's a similar story with BoundHook. In a statement given to the Register, Microsoft says:
"The technique described in this marketing report does not represent a security vulnerability and requires a machine to already be compromised to potentially work. We encourage customers to always keep their systems updated for the best protection."