Please create an account to participate in the Slashdot moderation system


Forgot your password?
Bug Microsoft Windows Privacy Programming Security Software

Bug In Windows Kernel Could Prevent Security Software From Identifying Malware ( 75

An anonymous reader writes: "Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime," reports Bleeping Computer. "The bug affects PsSetLoadImageNotifyRoutine, one of the low-level mechanisms some security solutions use to identify when code has been loaded into the kernel or user space. The problem is that an attacker can exploit this bug in a way that PsSetLoadImageNotifyRoutine returns an invalid module name, allowing an attacker to disguise malware as a legitimate operation. The issue came to light earlier this year when enSilo researchers were analyzing the Windows kernel code. Omri Misgav, Security Researcher at enSilo and the one who discovered the issue, says the bug affects all Windows versions released since Windows 2000. Misgav's tests showed that the programming error has survived up to the most recent Windows 10 releases." In an interview, the researcher said Microsoft did not consider this a security issue. Bug technical details are available here.
This discussion has been archived. No new comments can be posted.

Bug In Windows Kernel Could Prevent Security Software From Identifying Malware

Comments Filter:
  • by Anonymous Coward

    It is the malware.

  • by Anonymous Coward
    "the researcher said Microsoft did not consider this a security issue." probably because it's not a security issue. This particular notification is only useful AFTER you have already been screwed over by malware which means the breach has already happened, at that point all bets are off regardless of this bug. still needs fixing but hardly a urgent matter.
    • Either way you would want your AV to identify it. What's more surprising is that Microsoft doesn't find it a bug that ANY software can identify itself as something it's not, just think of the logging and troubleshooting issues when your program due to a typo doesn't show up in the log.

      Even without AV this is a serious bug.

  • by Anonymous Coward on Friday September 08, 2017 @12:15AM (#55157205)

    Microsoft has never bothered to fix anything to do with Unicode search, either. Try this out at home, kids:

    • paste "Español" into a Notepad window and save it into Unicode, Unicode big-endian, UTF-8 and ANSI text files.
    • Try using Windows Explorer to search for Español in that folder - no matches.
    • Open a Command Prompt and run: findstr "Español" *.txt - no matches.
    • Open a Command Prompt and run: find "Español" *.txt - at least it finds the Unicode little-endian file.

    It's been this way since Microsoft introduced UCS-2 in Windows NT4 and UTF-16 in Windows 2000. They don't consider it a bug so they won't acknowledge it requires a fix.

  • Just dreaming. (Score:3, Interesting)

    by Gravis Zero ( 934156 ) on Friday September 08, 2017 @12:21AM (#55157225)

    If only there was some way that programs from around the globe could review the kernel of an operating system. No wait, we could expand it to all software and make it some sort of hub for getting software. Oh well, I guess it's one of those impossible things that will never happen. ;)

  • This is not a bug (Score:4, Insightful)

    by mea2214 ( 935585 ) on Friday September 08, 2017 @12:58AM (#55157315)
    Someting that doesn't allow third party anti virus software to detect malware is a feature.
  • by Kuruk ( 631552 )
    Isnt that 101 malware. Hide for virus protection software.
  • Would you bet it's not a backdoor?

    • Yes.

      In other news I also don't wear a tinfoil hat, the CIA did not drop the trade centre, and we did actually step on the moon.

      • by Anonymous Coward


        In other news I also don't wear a tinfoil hat, the CIA did not drop the trade centre, and we did actually step on the moon.

        Prove the last two, otherwise you don't actually "know" those things, you just have faith in them..

  • - Additional security check is required

    Why am I seeing this page?

    The website you are visiting is protected and accelerated by Incapsula. Your computer may have been infected by malware and therefore flagged by the Incapsula network. Incapsula displays this page for you to verify that an actual human is the source of the traffic to this site, and not malicious software.

    What should I do?

    Just click the I'm not a robot checkbox to pass the security check. Incapsula will remember you a

  • Microsoft isn't exactly known for making the most secure software (Windows Defender is often a joke among security software vendors). However, knowing what we now know, that backdoors were in many cases left unpatched (under duress possibly), for government "monitoring" as the CIA has had their noses in MS windows development/feature process for sometime. Windows 10 is particularly vicious on data collection.We may never be sure when the holes are oversights or government "requests" to leave open until some
  • Security software does not work. It used to be a good idea back in the day when the internet wasnt everywhere. Now the only thing that is going to work is replacing every single piece of every software in any computer for one designed for security.

    Antivirus, malware detection and even firewalls are mostly scams nowdays. IDS/IPS systems are a joke except maybe real good teams that are proficient in snort or sourcefire.

  • I work in this area, and in fact I've implemented real time AV scanners. The sane way is to write a file filter driver and intercept file operations at that level, because guess what? Not all malware is a PE image. We have to look at everything. I don't know what the designed purpose of this API is, but if security software uses it as the sole means to protect a Windows PC the security software is defective, not the API.

Today is a good day for information-gathering. Read someone else's mail file.