Core Windows Utility Can Be Used To Bypass Whitelisting (threatpost.com)
Reader msm1267 writes: A core Windows command-line utility, Regsvr32, used to register DLLs to the Windows Registry can be abused to run remote code from the Internet, bypassing whitelisting protections such as Microsoft's AppLocker. A researcher who requested anonymity found and recently privately disclosed the issue to Microsoft. It's unknown whether Microsoft will patch this issue with a security bulletin, or in a future release. Regsvr32, also known as Microsoft Register Server, is a Microsoft-signed binary that runs as default on Windows. The researcher's proof-of-concept allows him to download and run JavaScript or VBScript from a URL provided via the command line. "There's really no patch for this; it's not an exploit. It's just using the tool in an unorthodox manner. It's a bypass, an evasion tactic," the researcher said.The Register reports: "It's built-in remote code execution without admin rights and which bypasses Windows whitelisting. I'd say it's pretty bad," said Alex Ionescu, a Windows and ARM kernel guru. The trick -- Smith didn't want to call it an exploit -- is neat because it does not touch the Registry, does not need administrator rights, can be wrapped up in an encrypted HTTP session, and should leave no trace on disk as it's a pure to-memory download. No patch exists for this, although regsvr32 can be firewalled off from the internet. Microsoft was not available for immediate comment.
Shellshock and the recent glibc vulnerabilities were big deals because Linux-stacks are widely expected to be secure. On the other hand, the Microsoft ecosystem is so plagued with exploits and vulnerabilities, that Slashdot would consist of nothing but security advisories for Windows if we reported all of them.
Sure glad I dumped Windows about 5 years ago. I used/supported it for nearly 20 years, but after I retired in 2010, I decided I was done with it.. Looks like I made the right decision...
THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)