Bug In Windows Kernel Could Prevent Security Software From Identifying Malware (bleepingcomputer.com)
An anonymous reader writes: "Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime," reports Bleeping Computer. "The bug affects PsSetLoadImageNotifyRoutine, one of the low-level mechanisms some security solutions use to identify when code has been loaded into the kernel or user space. The problem is that an attacker can exploit this bug in a way that PsSetLoadImageNotifyRoutine returns an invalid module name, allowing an attacker to disguise malware as a legitimate operation. The issue came to light earlier this year when enSilo researchers were analyzing the Windows kernel code. Omri Misgav, Security Researcher at enSilo and the one who discovered the issue, says the bug affects all Windows versions released since Windows 2000. Misgav's tests showed that the programming error has survived up to the most recent Windows 10 releases." In an interview, the researcher said Microsoft did not consider this a security issue. Bug technical details are available here.
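The summary above says only that the kernel can hand a load-image notify callback an invalid module name; it does not say what "invalid" looks like. Whatever form it takes, the practical lesson for anyone writing a driver on top of PsSetLoadImageNotifyRoutine is the same: validate the FullImageName UNICODE_STRING before touching it, never assume it is NUL-terminated, and do not make an allow/deny decision on that string alone. The following C is an added example written for this page, not code from the article, enSilo or Microsoft. It copies the real UNICODE_STRING field layout (Length and MaximumLength in bytes, a Buffer with no guaranteed terminator) into a local struct so it builds with an ordinary C compiler; every function name, the "a usable name starts with a backslash" heuristic and the sample paths are this example's own assumptions.

```c
/* Added example: a defensive consumer of the FullImageName handed to a
 * PsSetLoadImageNotifyRoutine callback.  Not from the article or enSilo;
 * the struct below copies the real UNICODE_STRING field layout so the code
 * builds with any C compiler.  All function names are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR16;   /* Windows WCHAR is 16-bit; host wchar_t may not be */

typedef struct {
    uint16_t Length;        /* bytes in use, NUL not included */
    uint16_t MaximumLength; /* bytes allocated */
    WCHAR16 *Buffer;        /* not guaranteed to be NUL-terminated */
} UNICODE_STRING;

typedef enum {
    NAME_OK = 0,
    NAME_NULL_BUFFER,        /* no name was supplied at all */
    NAME_EMPTY,
    NAME_ODD_LENGTH,         /* byte length not a multiple of sizeof(WCHAR16) */
    NAME_LENGTH_EXCEEDS_MAX, /* header is internally inconsistent */
    NAME_NOT_NT_PATH,        /* assumption: a usable name starts with '\' */
    NAME_CONTAINS_NUL        /* a C-string consumer would silently truncate here */
} name_status;

/* Validate the name without ever assuming a terminator or a sane header. */
name_status validate_image_name(const UNICODE_STRING *s)
{
    if (s == NULL || s->Buffer == NULL) return NAME_NULL_BUFFER;
    if (s->Length == 0)                 return NAME_EMPTY;
    if (s->Length % sizeof(WCHAR16))    return NAME_ODD_LENGTH;
    if (s->Length > s->MaximumLength)   return NAME_LENGTH_EXCEEDS_MAX;
    size_t n = s->Length / sizeof(WCHAR16);
    if (s->Buffer[0] != (WCHAR16)'\\')  return NAME_NOT_NT_PATH;
    for (size_t i = 0; i < n; i++)
        if (s->Buffer[i] == 0)          return NAME_CONTAINS_NUL;
    return NAME_OK;
}

static unsigned char lower_ascii(unsigned c)
{
    return (c >= 'A' && c <= 'Z') ? (unsigned char)(c + 32) : (unsigned char)c;
}

/* Length-bounded, ASCII case-insensitive suffix match (e.g. "\\notepad.exe").
 * Returns 1 on match, 0 otherwise, and 0 for any name that fails validation. */
int image_name_ends_with(const UNICODE_STRING *s, const char *suffix)
{
    if (validate_image_name(s) != NAME_OK) return 0;
    size_t n = s->Length / sizeof(WCHAR16), m = strlen(suffix);
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i < m; i++) {
        WCHAR16 a = s->Buffer[n - m + i];
        if (a > 0x7F) return 0;          /* non-ASCII never matches an ASCII suffix */
        if (lower_ascii(a) != lower_ascii((unsigned char)suffix[i])) return 0;
    }
    return 1;
}

/* --- Constructed inputs for the demo; a real callback gets these from the kernel --- */
#define MAX_NAME_CHARS 512

static UNICODE_STRING ustr_from_ascii(const char *ascii, WCHAR16 *buf, uint16_t cap_chars)
{
    UNICODE_STRING s;
    size_t n = strlen(ascii);
    if (n > cap_chars) n = cap_chars;
    for (size_t i = 0; i < n; i++) buf[i] = (WCHAR16)(unsigned char)ascii[i];
    s.Length = (uint16_t)(n * sizeof(WCHAR16));
    s.MaximumLength = (uint16_t)(cap_chars * sizeof(WCHAR16));
    s.Buffer = buf;
    return s;
}

name_status check_constructed(const char *ascii)
{
    WCHAR16 buf[MAX_NAME_CHARS];
    UNICODE_STRING s = ustr_from_ascii(ascii, buf, MAX_NAME_CHARS);
    return validate_image_name(&s);
}

/* Same name, but with the header forced to the given byte counts to model a corrupt one. */
name_status check_constructed_lengths(const char *ascii, uint16_t len_bytes, uint16_t max_bytes)
{
    WCHAR16 buf[MAX_NAME_CHARS];
    UNICODE_STRING s = ustr_from_ascii(ascii, buf, MAX_NAME_CHARS);
    s.Length = len_bytes;
    s.MaximumLength = max_bytes;
    return validate_image_name(&s);
}

/* Same name with an embedded NUL planted at character index idx. */
name_status check_embedded_nul(const char *ascii, size_t idx)
{
    WCHAR16 buf[MAX_NAME_CHARS];
    UNICODE_STRING s = ustr_from_ascii(ascii, buf, MAX_NAME_CHARS);
    if (idx < s.Length / sizeof(WCHAR16)) buf[idx] = 0;
    return validate_image_name(&s);
}

int suffix_check(const char *ascii, const char *suffix)
{
    WCHAR16 buf[MAX_NAME_CHARS];
    UNICODE_STRING s = ustr_from_ascii(ascii, buf, MAX_NAME_CHARS);
    return image_name_ends_with(&s, suffix);
}

int main(void)
{
    const char *good = "\\Device\\HarddiskVolume2\\Windows\\System32\\notepad.exe";
    printf("valid NT path      -> %d\n", check_constructed(good));
    printf("drive-letter path  -> %d\n", check_constructed("C:\\Windows\\System32\\notepad.exe"));
    printf("odd byte length    -> %d\n", check_constructed_lengths(good, 5, 1024));
    printf("embedded NUL       -> %d\n", check_embedded_nul(good, 8));
    printf("suffix notepad.exe -> %d\n", suffix_check(good, "\\NOTEPAD.EXE"));
    return 0;
}
```

Passing these checks means the string is well-formed, not that it names the file actually being mapped, which is exactly what the article says cannot be assumed. In a real driver the name should be treated as a logging hint; a decision that matters is better anchored on the file object the callback can also see (IMAGE_INFO_EX.FileObject when ExtendedInfoPresent is set) or on the bytes of the mapped image itself. That recommendation is the editor's, not something the article states.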
Re: (Score:2)
also if you tell nerds they are about to get a swirly, they will suck your DAMN balls
I find that a single Iron Palm tends to discourage future attempts at swirlys. Not all geeks are computer geeks heh.
That's a double swirly for you, nerd.
That's Because (Score:2, Funny)
It is the malware.
mostly uninteresting (Score:1)
Re: mostly uninteresting (Score:1)
Either way you would want your AV to identify it. What's more surprising is that Microsoft doesn't find it a bug that ANY software can identify itself as something it's not, just think of the logging and troubleshooting issues when your program due to a typo doesn't show up in the log.
Even without AV this is a serious bug.
Windows is full of old bugs (Score:5, Interesting)
Microsoft has never bothered to fix anything to do with Unicode search, either. Try this out at home, kids:
It's been this way since Microsoft introduced UCS-2 in Windows NT4 and UTF-16 in Windows 2000. They don't consider it a bug so they won't acknowledge it requires a fix.
Re: (Score:2)
If that were true, it would only be in Spanish.
Duh! (Score:2)
What can't you do without Unicode?
Operate Slashdot!
Re: (Score:2)
The MS team that works on Windows today speaks Indian English and probably Hindi or some other obscure language.
Re: Windows is full of old bugs (Score:3)
Could you please file a Jira ticket?
Re: Windows is full of old bugs (Score:2)
please do the needful
Re: (Score:2)
I have a circus in my pants.
Re: (Score:1)
This is America. Take your funny characters elsewhere! [widgetsandshit.com]
Re: Windows is full of old bugs (Score:3, Insightful)
It takes Microsoft-class, Apple-style courage to rename "grep" to "select-string-path" and call the result a PowerShell.
Re: (Score:2)
PowerShell supports cmdlet completion though, so it's not a big deal.
It's "fixed" with Powershell (Score:4, Insightful)
Command Prompt has always been about legacy support. For modern terminal support Microsoft offers Command Prompt... which passes your test find using Select-String. The only variant it fails on is ANSI but I suspect that file did not save properly... I opened it in a few apps and the ñ had been lost.
PS C:\Users\mzzt\Desktop> Select-String
cmdlet Select-String at command pipeline position 1
Supply values for the following parameters:
Pattern[0]: Español
Pattern[1]:
Path[0]: *.txt
Path[1]:
Unicode big endian.txt:1:Español
Unicode.txt:1:Español
UTF-8.txt:1:Español
Just dreaming. (Score:3, Interesting)
If only there was some way that programs from around the globe could review the kernel of an operating system. No wait, we could expand it to all software and make it some sort of hub for getting software. Oh well, I guess it's one of those impossible things that will never happen. ;)
Re: (Score:1)
You didn't know AI was made from software too?
Re: Just dreaming. (Score:2)
Good thing critical open source security software has never had a bug. Especially none affecting encryption and authentication of supposedly secure connections.
This is not a bug (Score:4, Insightful)
Duh (Score:2)
Bug? (Score:2)
Would you bet it's not a backdoor?
Re: (Score:2)
Yes.
In other news I also don't wear a tinfoil hat, the CIA did not drop the trade centre, and we did actually step on the moon.
Re: (Score:1)
Yes.
In other news I also don't wear a tinfoil hat, the CIA did not drop the trade centre, and we did actually step on the moon.
Prove the last two, otherwise you don't actually "know" those things, you just have faith in them..
Re: (Score:1)
Prove the last two, otherwise you don't actually "know" those things, you just have faith in them..
Well... here's the first one [xkcd.com].
Which checkbox? (Score:2)
Why am I seeing this page?
The website you are visiting is protected and accelerated by Incapsula. Your computer may have been infected by malware and therefore flagged by the Incapsula network. Incapsula displays this page for you to verify that an actual human is the source of the traffic to this site, and not malicious software.
What should I do?
Just click the I'm not a robot checkbox to pass the security check. Incapsula will remember you a
Bug, or a feature... (Score:2)
So what? (Score:1)
Security software does not work. It used to be a good idea back in the day when the internet wasn't everywhere. Now the only thing that is going to work is replacing every single piece of every software in any computer with one designed for security.
Antivirus, malware detection and even firewalls are mostly scams nowadays. IDS/IPS systems are a joke except maybe for really good teams that are proficient in snort or sourcefire.
Windows..... (Score:1)
Article is stupid (Score:2)