Decade-old Windows kernel bug lets hackers bypass security protections
Researchers say that a bug in the Windows kernel could allow hackers to run malicious code, bypassing the operating system's security software.
The bug affects a low-level interface, known as PsSetLoadImageNotifyRoutine, that notifies registered callers when a module has been loaded into the Windows kernel. Because of the bug, an attacker can insert a malicious module into the kernel while a different name is returned to those callers, letting the malicious code in without any warning.
Omri Misgav, a security researcher at enSilo, who also wrote a blog post on the bug, said that the bug appears to be a "programming error" in the kernel.
All versions of Windows are affected.
PsSetLoadImageNotifyRoutine was originally introduced in Windows 2000 to notify apps of newly registered drivers. The interface can also detect when a preinstallation environment image is loaded into virtual memory, making it easier for security products to detect if the kernel has been modified -- even by malware, in some cases.
But the researchers found that Windows doesn't always return the correct result, meaning security products -- such as antimalware -- don't know which malicious file to scan.
"Any security vendor that relies on the information supplied by this notification routine may be fooled into looking at the wrong module at load time," Misgav told ZDNet. He added that enSilo had not tested any specific security products.
The researchers criticized Microsoft's own documentation, which has "no mention" of invalid paths.
Misgav noted that in order to reproduce the bug, a person would have to perform a series of simple file operations. "Once these operations are performed the notification routine will receive an incorrect path," he said.
But Microsoft "did not deem it as a security issue," said Misgav.
When reached, a Microsoft spokesperson said: "Our engineers reviewed the information and determined this does not pose a security threat and we do not plan to address it with a security update."
Misgav said it "eluded" the team why the bug still exists to this day.
Source: ZDNet, http://ift.tt/2wNIF5O