Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint

9/6/2017
04:05 PM

New Microsoft Kernel Bug Could Permit Malicious Modules

Researchers found a Microsoft kernel bug that could allow attackers to bypass antivirus systems and load malware.

A Microsoft kernel flaw has been discovered in the PsSetLoadImageNotifyRoutine API, and it affects every Windows release from Windows 2000 through the most recent version of Windows 10.

Microsoft introduced PsSetLoadImageNotifyRoutine in Windows 2000 so that registered drivers in different parts of the kernel can be notified when a PE image file has been loaded or mapped into memory. Highest-level system-profiling drivers call it to register their load-image notify routines.

Researchers at endpoint security firm enSilo found the flaw in Microsoft's API while digging into the Windows kernel. They noticed that, after registering a notification routine for loaded PE images with the kernel, the callback may receive invalid image names. The problem was at first taken for a random glitch, but it is actually rooted in the kernel.

"The bug exists in an API Microsoft provides to security vendors in order to allow them to know of a file being loaded by the operating system," explains enSilo cofounder and CTO Udi Yavo. "The API is not functioning correctly, and may give the vendor invalid files that may cause the vendor to miss malware."

The programming error could prevent vendors and kernel developers from identifying which modules are loaded at runtime, reports enSilo security researcher Omri Misgav in a blog post on the finding. This means an attacker could load a malicious module, disguised as a legitimate one, into a Windows environment without triggering an alert.
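The defensive lesson for anyone who consumes this callback is not to act on the reported image name alone, but to cross-check it against the object the kernel actually handed over (in a Windows driver, the FILE_OBJECT supplied through IMAGE_INFO_EX). The following is an added, user-mode C model of that check, not code from enSilo or Microsoft: the notification struct, file names and temp directory are constructed for the demo, and a POSIX (device, inode) comparison stands in for the kernel's file-object query.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed model of a load-image notification: a name string plus the
 * already-open object that the name claims to describe. */
typedef struct {
    const char *claimed_name;  /* untrusted, like FullImageName in the article */
    int fd;                    /* the object itself; its identity can be checked */
} image_notification;
typedef enum { NAME_VERIFIED = 0, NAME_MISMATCH = 1, NAME_UNRESOLVABLE = 2 } name_status;
/* Never act on the name alone: resolve it independently and compare the
 * (device, inode) identity it yields with that of the object we were handed. */
name_status verify_image_name(const image_notification *n) {
    struct stat by_object, by_name;
    if (n->claimed_name == NULL || fstat(n->fd, &by_object) != 0)
        return NAME_UNRESOLVABLE;
    if (stat(n->claimed_name, &by_name) != 0)
        return NAME_UNRESOLVABLE;   /* the name points at nothing */
    if (by_name.st_dev != by_object.st_dev || by_name.st_ino != by_object.st_ino)
        return NAME_MISMATCH;       /* the name describes a different file */
    return NAME_VERIFIED;
}
/* Demo on constructed files: a correct name, a name belonging to another file,
 * and a name that does not resolve. Fills out[3]; returns 0 on success. */
int run_demo(name_status out[3]) {
    char dir[] = "/tmp/imgnotify.XXXXXX", legit[128], other[128], gone[128];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(legit, sizeof legit, "%s/legit.dll", dir);
    snprintf(other, sizeof other, "%s/other.dll", dir);
    snprintf(gone, sizeof gone, "%s/gone.dll", dir);
    int fd_legit = open(legit, O_CREAT | O_WRONLY, 0600);
    int fd_other = open(other, O_CREAT | O_WRONLY, 0600);
    if (fd_legit < 0 || fd_other < 0) return -1;
    image_notification cases[3] = { { legit, fd_legit },   /* name matches the object */
                                    { other, fd_legit },   /* name belongs to another file */
                                    { gone,  fd_legit } }; /* name resolves to nothing */
    for (int i = 0; i < 3; i++) out[i] = verify_image_name(&cases[i]);
    close(fd_legit); close(fd_other); unlink(legit); unlink(other); rmdir(dir);
    return 0;
}
int main(void) {
    name_status r[3];
    if (run_demo(r) != 0) return 1;
    for (int i = 0; i < 3; i++) printf("case %d -> status %d\n", i, (int)r[i]);
    return 0;
}
```

A monitoring product built this way treats NAME_MISMATCH and NAME_UNRESOLVABLE as events worth logging rather than silently trusting the string, which is the gap the enSilo researchers describe.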

"This implies malware like rootkits and ransomware could potentially evade installed monitoring software such as antivirus and host-based intrusion detection," says Dustin Childs, communications manager for the Zero-Day Initiative. He also adds that it "isn't terribly shocking" that it spans Windows 2000 through Windows 10.

"Windows has a long history, and it's not uncommon for code to span multiple versions," he notes.

While this bug does not allow a direct exploit of the Windows OS itself, threat actors could use it to bypass security products from vendors that rely on Microsoft's API. Products depending on the API would be unable to detect potentially malicious files, giving attackers a means to gain a foothold in enterprise systems.

"We have reported this issue to Microsoft," notes Yavo, adding that the company does not plan to create a patch at this time. While he doesn't think this specific issue is easily exploited in the wild, it's difficult to know whether attackers have used it.

In response to the finding, a Microsoft spokesperson says "Our engineers reviewed the information and determined this does not pose a security threat and we do not plan to address it with a security update."

The research, while interesting, is still ongoing, Childs says. "Exploitability likely won't be able to be determined until the research is complete," he says. "Until then, this research should remind businesses that no product or technology is infallible. Multiple tools and techniques should be used to provide the best available protections."

Even if no patch is issued for this, Childs advises businesses to focus on tactics that boost their overall defenses.

"Techniques like network isolation, monitoring, A/V and patch hygiene help increase a business' security posture regardless of an individual bug," he says. "You will never be able to stop all bugs, but you can put yourself in a good position to spot when exploits are targeting your systems."

Yavo says the team is still digging into this research and will release more findings as they are discovered.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...