Core Windows Utility Can Be Used To Bypass Whitelisting

Reader msm1267 writes: A core Windows command-line utility, Regsvr32, used to register DLLs to the Windows Registry can be abused to run remote code from the Internet, bypassing whitelisting protections such as Microsoft's AppLocker. A researcher who requested anonymity found and recently privately disclosed the issue to Microsoft. It's unknown whether Microsoft will patch this issue with a security bulletin, or in a future release. Regsvr32, also known as Microsoft Register Server, is a Microsoft-signed binary that runs as default on Windows. The researcher's proof-of-concept allows him to download and run JavaScript or VBScript from a URL provided via the command line. "There's really no patch for this; it's not an exploit. It's just using the tool in an unorthodox manner. It's a bypass, an evasion tactic," the researcher said.The Register reports: "It's built-in remote code execution without admin rights and which bypasses Windows whitelisting. I'd say it's pretty bad," said Alex Ionescu, a Windows and ARM kernel guru. The trick -- Smith didn't want to call it an exploit -- is neat because it does not touch the Registry, does not need administrator rights, can be wrapped up in an encrypted HTTP session, and should leave no trace on disk as it's a pure to-memory download. No patch exists for this, although regsvr32 can be firewalled off from the internet. Microsoft was not available for immediate comment.

Re:Not surprised

[Nunya666]

What are you, 12? The "M$" shit is getting old. I've seen that crap for 20 fucking years.

What are you, 10?

Just because a fucking abbreviation has been used for 20 years, it can no longer be used?

M$ is a behemoth and a corporate bully. I hope the malware known as Windows 10 cripples M$ to the point that they lose all clout within their industry.

There, I said it - M$, M$, M$

If you have something legitimate to bring to the conversation, then please do so. If not, then shut the fuck up.