Ten-year-old Windows kernel bug lets hackers bypass protection

Researchers say that a bug in the Windows kernel could allow hackers to perform malicious actions by tricking security products blindly relying on a Windows API.

The bug affects a low-level interface, known as PsSetLoadImageNotifyRoutine, that notifies when a module has been loaded into the Windows kernel. The bug can allow an attacker to forge the name of a loaded module, a method that can mislead third-party security products, and allow malicious actions without any warning.

Omri Misgav, a security researcher at enSilo, who also wrote a blog post on the bug, said that the bug appears to be a “programming error” in the kernel.

All versions of Windows are affected.

PsSetLoadImageNotifyRoutine was originally introduced in Windows 2000 to notify drivers, such as those powering security products, when a module is loaded into a process, along with the module’s address in memory, allowing security products to track modules.

But the researchers found that Windows doesn’t always return the correct result, meaning security products, such as antimalware, don’t know which malicious file to scan.

“Any security vendor that relies on the information supplied by this notification routine may be fooled into looking at the wrong module at load time,” Misgav told ZDNet. He added that enSilo had not tested any specific security products.

The researchers criticized Microsoft’s own documentation, which has “no mention” of invalid paths.

Misgav noted that in order to reproduce the bug, a person would have to perform a series of simple file operations. “Once these operations are performed the notification routine will receive an incorrect path,” he said.

But Microsoft “did not deem it as a security issue,” said Misgav.

When reached, a Microsoft spokesperson said: “Our engineers reviewed the information and determined this does not pose a security threat and we do not plan to address it with a security update.”

Misgav said it “eluded” the team why the bug still exists to this day.

Source: ZDNet