Core Windows Utility Can Be Used To Bypass Whitelisting (threatpost.com)
Reader msm1267 writes: A core Windows command-line utility, Regsvr32, used to register DLLs to the Windows Registry can be abused to run remote code from the Internet, bypassing whitelisting protections such as Microsoft's AppLocker. A researcher who requested anonymity found and recently privately disclosed the issue to Microsoft. It's unknown whether Microsoft will patch this issue with a security bulletin, or in a future release. Regsvr32, also known as Microsoft Register Server, is a Microsoft-signed binary that runs as default on Windows. The researcher's proof-of-concept allows him to download and run JavaScript or VBScript from a URL provided via the command line. "There's really no patch for this; it's not an exploit. It's just using the tool in an unorthodox manner. It's a bypass, an evasion tactic," the researcher said. The Register reports: "It's built-in remote code execution without admin rights and which bypasses Windows whitelisting. I'd say it's pretty bad," said Alex Ionescu, a Windows and ARM kernel guru. The trick -- Smith didn't want to call it an exploit -- is neat because it does not touch the Registry, does not need administrator rights, can be wrapped up in an encrypted HTTP session, and should leave no trace on disk as it's a pure to-memory download. No patch exists for this, although regsvr32 can be firewalled off from the internet. Microsoft was not available for immediate comment.
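A defender-side check for the behaviour the summary describes, as an added example that is not part of the original story or the researcher's proof-of-concept: it flags process-creation records in which regsvr32 was started with a URL on its command line. The record layout, the sample events and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed process-creation records (image path, command line); not real telemetry.
# "<switches>" stands in for whatever options precede the URL.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\regsvr32.exe",
     "regsvr32 /s C:\\Windows\\System32\\msxml3.dll"),
    ("C:\\Windows\\System32\\regsvr32.exe",
     "regsvr32.exe <switches> https://files.example.invalid/a.txt"),
    ("C:\\Windows\\SysWOW64\\REGSVR32.EXE",
     '"C:\\Windows\\SysWOW64\\REGSVR32.EXE" <switches> HTTP://198.51.100.7:8080/x'),
    ("C:\\Windows\\System32\\cmd.exe",
     "cmd /c start https://www.example.invalid/"),
]

# Any http(s) URL appearing as part of the command line, in any letter case.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def is_regsvr32(image):
    """True when the image path's file name is regsvr32.exe (case-insensitive)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "regsvr32.exe"


def find_remote_regsvr32(events):
    """Return one finding per URL passed to regsvr32 on its command line."""
    findings = []
    for image, cmdline in events:
        if not is_regsvr32(image):
            continue  # other programs fetching URLs are out of scope here
        for url in URL_RE.findall(cmdline):
            parts = urlsplit(url)
            findings.append({
                "image": image,
                "host": parts.hostname,
                # The summary notes the fetch can ride an encrypted session,
                # so record the scheme instead of relying on content inspection.
                "encrypted": parts.scheme == "https",
                "command_line": cmdline,
            })
    return findings


if __name__ == "__main__":
    for finding in find_remote_regsvr32(SAMPLE_EVENTS):
        print(finding["host"], finding["encrypted"], finding["command_line"])
```

Local DLL registration, the utility's normal job, produces no finding; only the two records carrying a URL are reported.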
What are you, 12? The "M$" shit is getting old. I've seen that crap for 20 fucking years.
I'm sure Linux-related companies like Red Hat are non-profit and motivated strictly by a desire to improve the computing world. Money has no involvement whatsoever. I'm sure poor, broke Torvalds is frustrated from having to mooch free wifi from neighboring Starbucks while living under the highway overpass.
Neither Linus Torvalds nor Red Hat have used illicit monopolist tactics to dominate the market. Hence why we don't say "Linu$", but we do say "M$".
I'd laugh, except the regular "exploit du jour" thing just isn't funny any more.
Honestly, Windows has more holes than a Chinese whorehouse. Is it ever going to be a secure operating system?
Just cruising through this digital world at 33 1/3 rpm...
Neither Linus Torvalds nor Red Hat have used illicit monopolist tactics to dominate the market. Hence why we don't say "Linu$", but we do say "M$".
Red Hat used illicit monopolist tactics to force systemd on the rest of the Linux community.
*ducks*
In the free world the media isn't government run; the government is media run.