The flaw affects a low-level interface, identified as PsSetLoadImageNotifyRoutine, that states when a module has been placed into the Windows kernel. The flaw can allow an intruder to forge the name of a full module, a way that can lure third-party security products, and provide malicious actions without any notice.
Omri Misgav, a safety researcher at enSilo, who also composed a blog post on the bug, said that the flaw appears to be a “programming error” in the kernel.
All variants of Windows are affected.
PsSetLoadImageNotifyRoutine was first introduced in Windows 2000 to notify drivers, such as those powering safety products, when a module is placed into a process and the module’s address in memory, providing security products to track modules.
But the researchers noticed that Windows doesn’t ever return the correct result, determining security products such as anti-malware doesn’t recognize which malicious file to scan.
“Any security vendor that relies on the data supplied by this information routine may be tricked into looking at the corrupt module at load time,” Misgav told News. He continued that enSilo had not examined any specific security products.
The researchers probed Microsoft’s own documentation, which has “no mention” of void paths.
Misgav wrote that in order to replicate the bug, a user would have to make a series of simple file operations. “Once these actions are performed the information routine will receive an incorrect path,” he said.
But Microsoft “did not consider it as a security issue,” said Misgav.
When contacted, a Microsoft spokesperson said: “Our technicians reviewed the data and determined this does not pose a safety threat and we do not plan to address it with a security update.”
Take your time to comment on this article.
