Researchers claim a programming error in the Microsoft Windows kernel cracks the door open for malicious executables to bypass security software. The flaw, according to security firm EnSilo, has been present on previous versions of Windows dating back to Windows 2000 and can be found on Windows 10 as well.
“The bug is a programming error in the Windows kernel that could prevent security vendors from identifying which modules have been loaded at runtime,” said Omri Misgav, a security researcher at EnSilo.
Researchers found the error in the kernel application programming interface (API) PsSetLoadImageNotifyRoutine, which notifies registered drivers when a module is loaded. In certain instances, endpoint security software that relies on this API is handed an inaccurate name for the file being loaded, so a specially crafted malicious executable could be loaded on the targeted PC without triggering the warnings and inspection the software would normally apply.
“In order for security software to protect a system, it needs to know what file is being loaded and whether it should be stopped,” Misgav said. “Because of this bug, sometimes the OS doesn’t give accurate information about what is happening and could let a malicious file or command inadvertently enter the system.”
In response to the claim, Microsoft issued the following brief statement to Threatpost: “Our engineers reviewed the information and determined this does not pose a security threat and we do not plan to address it with a security update.”
EnSilo doesn’t consider the PsSetLoadImageNotifyRoutine API bug a vulnerability, per se.
“An attacker first has to gain a foothold on a machine so that it can force the operating system to manifest the bug,” Misgav said. In one scenario, the programming error could be leveraged in conjunction with an injection type of attack similar to Process Hollowing and AtomBombing.
Once a system is under attack, this API can be abused in a way to further facilitate a system compromise. “You can use this technique to trick the security vendor to mis-scan a file and download other malicious files,” Misgav said.
In a technical analysis of the bug posted Tuesday, EnSilo researchers said they spotted the programming error after registering a notification routine with PsSetLoadImageNotifyRoutine. As the Windows kernel reported the PE images it loaded, they observed that “the callback may receive invalid image names.”
“After digging into the matter, what started as a seemingly random issue proved to originate from a coding error in the Windows kernel itself,” researchers wrote.
“At first glance, we noticed that while we do get the full path of the process executable file and constant values for system DLLs (that are missing the volume name), for the rest of the dynamically loaded user-mode PEs the paths provided are missing the volume name,” researchers wrote. “What’s more alarming is that not only does that path come without the volume name, sometimes the path is completely malformed, and could point to a different or non-existing file.”
PsSetLoadImageNotifyRoutine is a mechanism that notifies registered drivers, from various parts of the kernel, when a PE image file has been loaded into virtual memory.
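The practical consequence of the finding quoted above is that a load-image callback cannot treat the string it receives as the identity of the file. The following user-mode C program is an added illustration, not code from EnSilo, Microsoft or Threatpost: it models the decision a callback should make, using only a volume-qualified NT device path as given, falling back to the section's FILE_OBJECT when the kernel signals that extended information is present, and otherwise refusing to key any scan or allow-list decision on the name. The IMAGE_INFO and IMAGE_INFO_EX layouts follow the documented WDK structures, but FILE_OBJECT is a stand-in that simply carries a pre-resolved path, the `\Device\` prefix rule is this example's own assumption, and the three notifications are constructed, not captured from a real system.

```c
/*
 * Added example (not the vendor's or Microsoft's code): how a
 * PsSetLoadImageNotifyRoutine callback should treat FullImageName.
 * Compiles and runs in user mode; the kernel types below are mocks.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t ULONG;

/* Mock of the kernel FILE_OBJECT. A real driver would derive the name from
 * the object itself; here (assumption) it is stored pre-resolved. */
typedef struct _FILE_OBJECT {
    const char *resolved_nt_path;
} FILE_OBJECT;

/* Mirror of the documented IMAGE_INFO bit layout, reduced to what we use. */
typedef struct _IMAGE_INFO {
    union {
        ULONG Properties;
        struct {
            ULONG ImageAddressingMode      : 8;
            ULONG SystemModeImage          : 1;
            ULONG ImageMappedToAllSessions : 1;
            ULONG ExtendedInfoPresent      : 1; /* set => inside IMAGE_INFO_EX */
            ULONG MachineTypeMismatch      : 1;
            ULONG ImageSignatureLevel      : 4;
            ULONG ImageSignatureType       : 3;
            ULONG ImagePartialMap          : 1;
            ULONG Reserved                 : 12;
        };
    };
    void  *ImageBase;
    ULONG  ImageSelector;
    size_t ImageSize;
    ULONG  ImageSectionNumber;
} IMAGE_INFO;

typedef struct _IMAGE_INFO_EX {
    size_t       Size;
    IMAGE_INFO   ImageInfo;
    FILE_OBJECT *FileObject;   /* backing file of the mapped section */
} IMAGE_INFO_EX;

/* const-friendly variant of the WDK CONTAINING_RECORD macro */
#define CONTAINING_RECORD(addr, type, field) \
    ((const type *)((const char *)(addr) - offsetof(type, field)))

typedef enum {
    NAME_VOLUME_QUALIFIED,  /* \Device\HarddiskVolumeN\...: usable as given */
    NAME_FROM_FILE_OBJECT,  /* name rebuilt from the section's FILE_OBJECT  */
    NAME_UNRESOLVED         /* neither: never scan or allow-list by this name */
} name_source_t;

/* Assumption for this demo: only a full NT device path counts as
 * volume-qualified; \Windows\System32\x.dll has no volume at all. */
static int is_volume_qualified(const char *name)
{
    static const char prefix[] = "\\Device\\";
    return name != NULL && strncmp(name, prefix, sizeof prefix - 1) == 0;
}

/* The callback's decision: *out receives the path the scanner should open,
 * and the return value records where that path came from. */
static name_source_t resolve_image_path(const char *full_image_name,
                                        const IMAGE_INFO *info,
                                        const char **out)
{
    *out = NULL;
    if (is_volume_qualified(full_image_name)) {
        *out = full_image_name;
        return NAME_VOLUME_QUALIFIED;
    }
    if (info->ExtendedInfoPresent) {
        const IMAGE_INFO_EX *ex = CONTAINING_RECORD(info, IMAGE_INFO_EX, ImageInfo);
        if (ex->FileObject != NULL && ex->FileObject->resolved_nt_path != NULL) {
            *out = ex->FileObject->resolved_nt_path;
            return NAME_FROM_FILE_OBJECT;
        }
    }
    /* The string may lack the volume, be malformed, or point at a different
     * or nonexistent file, so it must not drive any security decision. */
    return NAME_UNRESOLVED;
}

/* Three constructed notifications; returns how many were handled as intended. */
static int run_constructed_cases(void)
{
    int ok = 0;
    const char *path;

    /* 1. Process executable: the kernel supplies the full device path. */
    IMAGE_INFO_EX exe = {0};
    exe.Size = sizeof exe;
    if (resolve_image_path("\\Device\\HarddiskVolume2\\Users\\u\\app.exe",
                           &exe.ImageInfo, &path) == NAME_VOLUME_QUALIFIED
        && strcmp(path, "\\Device\\HarddiskVolume2\\Users\\u\\app.exe") == 0)
        ok++;

    /* 2. User-mode DLL: name lacks the volume, but extended info carries a
     *    FILE_OBJECT, so the real backing file can still be identified. */
    FILE_OBJECT fo = { "\\Device\\HarddiskVolume2\\Users\\u\\plugin.dll" };
    IMAGE_INFO_EX dll = {0};
    dll.Size = sizeof dll;
    dll.FileObject = &fo;
    dll.ImageInfo.ExtendedInfoPresent = 1;
    if (resolve_image_path("\\Users\\u\\plugin.dll", &dll.ImageInfo, &path)
            == NAME_FROM_FILE_OBJECT
        && strcmp(path, fo.resolved_nt_path) == 0)
        ok++;

    /* 3. Volume-less (possibly malformed) name and no extended info. */
    IMAGE_INFO legacy = {0};
    if (resolve_image_path("\\Windows\\System32\\legit.dll", &legacy, &path)
            == NAME_UNRESOLVED && path == NULL)
        ok++;

    return ok;
}

int main(void)
{
    printf("%d of 3 constructed notifications handled as intended\n",
           run_constructed_cases());
    return 0;
}
```

In a real driver the path in case 2 would be obtained from the FILE_OBJECT, for example with FltGetFileNameInformationUnsafe or ObQueryNameString, rather than read from a field; the point of the example is only which source the callback consults in which order, and that a name the kernel hands over without a volume is a signal to look elsewhere, not a file to scan.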