Slashdot Mirror


Bug In Windows Kernel Could Prevent Security Software From Identifying Malware (bleepingcomputer.com)

An anonymous reader writes: "Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime," reports Bleeping Computer. "The bug affects PsSetLoadImageNotifyRoutine, one of the low-level mechanisms some security solutions use to identify when code has been loaded into the kernel or user space. The problem is that an attacker can exploit this bug in a way that PsSetLoadImageNotifyRoutine returns an invalid module name, allowing an attacker to disguise malware as a legitimate operation. The issue came to light earlier this year when enSilo researchers were analyzing the Windows kernel code. Omri Misgav, Security Researcher at enSilo and the one who discovered the issue, says the bug affects all Windows versions released since Windows 2000. Misgav's tests showed that the programming error has survived up to the most recent Windows 10 releases." In an interview, the researcher said Microsoft did not consider this a security issue. Bug technical details are available here.

75 comments

  1. That's Because by Anonymous Coward · · Score: 2, Funny

    It is the malware.

  2. mostly uninteresting by Anonymous Coward · · Score: 1

    "the researcher said Microsoft did not consider this a security issue." Probably because it's not a security issue. This particular notification is only useful AFTER you have already been screwed over by malware, which means the breach has already happened; at that point all bets are off regardless of this bug. Still needs fixing, but hardly an urgent matter.

    1. Re: mostly uninteresting by guruevi · · Score: 0

      Either way you would want your AV to identify it. What's more surprising is that Microsoft doesn't find it a bug that ANY software can identify itself as something it's not; just think of the logging and troubleshooting issues when your program, due to a typo, doesn't show up in the log.

      Even without AV this is a serious bug.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com

  3. Windows is full of old bugs by Anonymous Coward · · Score: 5, Interesting

    Microsoft has never bothered to fix anything to do with Unicode search, either. Try this out at home, kids:

    • paste "Español" into a Notepad window and save it into Unicode, Unicode big-endian, UTF-8 and ANSI text files.
    • Try using Windows Explorer to search for Español in that folder - no matches.
    • Open a Command Prompt and run: findstr "Español" *.txt - no matches.
    • Open a Command Prompt and run: find "Español" *.txt - at least it finds the Unicode little-endian file.

    It's been this way since Microsoft introduced UCS-2 in Windows NT4 and UTF-16 in Windows 2000. They don't consider it a bug so they won't acknowledge it requires a fix.

    1. Re:Windows is full of old bugs by Anonymous Coward · · Score: 1
    2. Re:Windows is full of old bugs by Anonymous Coward · · Score: 0

      Why would I care about this when I don't speak Spanish? And the MS team that works on this functionality probably don't speak Spanish either. Ergo they don't consider it a bug. And just out of curiosity do you work on any software that requires the use of Unicode? What can you not do without using Unicode?

      So Windows is only used in America?

    3. Re:Windows is full of old bugs by Anonymous Coward · · Score: 0

      I'm a software dev. A significant chunk of our clients are non-English speakers. I absolutely work on software that requires Unicode. What can't you do without Unicode? You also can't read in data files exported from a user from a different language if the characters aren't in your code page.

    4. Re:Windows is full of old bugs by Z00L00K · · Score: 1

      The MS team that works on Windows today speaks Indian English and probably Hindi or some other obscure language.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.

    5. Re:Windows is full of old bugs by Anonymous Coward · · Score: 0

      What's the Spanish equivalent for "kindly write a Jira ticket?"

    6. Re: Windows is full of old bugs by cyber-vandal · · Score: 2

      Por favor, suba un incidente de Jira?

    7. Re:Windows is full of old bugs by Anonymous Coward · · Score: 0

      You are provably incorrect. At least with Windows 10, saving a file containing "Español" in Unicode or Unicode big-endian with notepad and then using Explorer's search bar to search for "Español" correctly finds both saved files. Also, stop using the command shell and start using powershell which correctly supports utf8. Use this powershell command: 'select-string -path *.txt -pattern "Español"' and it correctly finds both files.

    8. Re: Windows is full of old bugs by bsDaemon · · Score: 1

      por favor haga lo necesario

    9. Re: Windows is full of old bugs by Entrope · · Score: 2, Insightful

      It takes Microsoft-class, Apple-style courage to rename "grep" to "select-string-path" and call the result a PowerShell.

    10. Re: Windows is full of old bugs by Anonymous Coward · · Score: 0

      It takes autistic neckbeards to cling to their poorly named 1970s utility names. Of course, if you want that, there is an alias for Select-string: just use 'sst'.

      But hey, ignore the fact that the original comment about Windows and Unicode searching is provably false but has been voted up to 4 already. Slashdot is worse than Trump supporters, rallying around anything anti-Microsoft even if it is fake.

    11. Re:Windows is full of old bugs by Anonymous Coward · · Score: 0

      I am on XP and Windows Explorer did find all 3 formats you've mentioned except the 4th one which is ANSI text files.
      The command prompt didn't find all due to the ñ, but it did find if you type "Espa".

      I am on XP and my captcha: peasants

    12. Re: Windows is full of old bugs by Gr8Apes · · Score: 0

      It takes autistic neckbeards to cling to their poorly named 1970s utility names.

      Waah, I don't like this name, I want it renamed.

      Of course, if you want that, there is an alias for Select-string: just use 'sst'.

      because look at my great naming scheme!

      But hey, ignore the fact that the original comment about Windows and Unicode searching is provably false but has been voted up to 4 already. Slashdot is worse than Trump supporters, rallying around anything anti-Microsoft even if it is fake.

      See how smart I am? (and like Trump, I ignore things that prove me wrong)

      --
      The cesspool just got a check and balance.

    13. Re:Windows is full of old bugs by sexconker · · Score: 1

      If that were true, it would only be in Spanish.

    14. Re:Windows is full of old bugs by sexconker · · Score: 1

      Tengo un circo en mis pantalones.

    15. Re: Windows is full of old bugs by sexconker · · Score: 1

      PowerShell supports cmdlet completion though, so it's not a big deal.

    16. Re:Windows is full of old bugs by Anonymous Coward · · Score: 0

      Bad character parsing could be a sign that something could potentially do some damage:
      https://www.secureworks.com/blog/how-to-hide-malware-in-unicode

    17. Re: Windows is full of old bugs by Anonymous Coward · · Score: 0

      Waah, I don't like this name, I want it renamed.

      Such quality trolling.

      because look at my great naming scheme!

      Because 'grep' is so much better. I suppose you still call your car a wheeled carriage too? Do you refer to your penis as a yard? Or maybe a Pizzle?

      See how smart I am? (and like Trump, I ignore things that prove me wrong)

      Reading comprehension. You seem to have lost it. Or trolls just ignore it. Either way, you are a s**tposter.

    18. Re:Windows is full of old bugs by Anonymous Coward · · Score: 0

      Microsoft has never bothered to fix anything to do with Unicode search, either.

      Neither has Slashdot, I'm surprised you managed to get the ñ in there. -- And that happened when I tried copy/pasting yours.

  4. Just dreaming. by Gravis+Zero · · Score: 2, Interesting

    If only there was some way that programmers from around the globe could review the kernel of an operating system. No wait, we could expand it to all software and make it some sort of hub for getting software. Oh well, I guess it's one of those impossible things that will never happen. ;)

    --
    Anons need not reply. Questions end with a question mark.

    1. Re:Just dreaming. by Anonymous Coward · · Score: 0

      Honestly, it would be better to leave this task to the AIs, since even the best of us humans are still pretty bad at writing bug free code.

    2. Re:Just dreaming. by Anonymous Coward · · Score: 0

      Honestly, it would be better to leave this task to the AIs, since even the best of us humans are still pretty bad at writing bug free code.

      Yeah that'll work just great, just as soon as we humans can write bug-free code so we can have a bug-free AI.

    3. Re: Just dreaming. by im_thatoneguy · · Score: 1

      Good thing critical open source security software has never had a bug. Especially none affecting encryption and authentication of supposedly secure connections.

    4. Re: Just dreaming. by Anonymous Coward · · Score: 0

      The point is they can be validated and security bugs more easily identified, not that they have fewer bugs.

    5. Re: Just dreaming. by Anonymous Coward · · Score: 0

      "never"

      When a comment includes any of the words never, always or ever, there is a high probability of it being a troll or a straw man argument.

    6. Re: Just dreaming. by Anonymous Coward · · Score: 0

      Silly. Reading source code to find bugs is actually worse than using a disassembler. The source code can trick you because of various language features that mask what actually happens. Or the compiler can produce unexpected code.

    7. Re:Just dreaming. by Narcocide · · Score: 1

      You didn't know AI was made from software too?

    8. Re: Just dreaming. by Anonymous Coward · · Score: 0

      heartbleed, we are talking about you

    9. Re: Just dreaming. by Anonymous Coward · · Score: 0

      Good thing we have snarky commenters who prefer security through obscurity, over being able to verify (and run!) the code they depend on.

  5. Re: You know? by Anonymous Coward · · Score: 0, Offtopic

    Where did you acquire this information? It's clearly not from experience because you lack balls to suck.

  6. Re: You know? by Anonymous Coward · · Score: 0

    lol, thanks for giving me all of your lunch money, justin

  7. This is not a bug by mea2214 · · Score: 3, Insightful

    Something that doesn't allow third party anti virus software to detect malware is a feature.

    1. Re:This is not a bug by Anonymous Coward · · Score: 0

      There has to be an issue list called GovIssue with this feature request somewhere in the Microsoft attic.

    2. Re:This is not a bug by Anonymous Coward · · Score: 0

      but is there a github repo to patch those?

    3. Re:This is not a bug by Anonymous Coward · · Score: 0

      Depends on just who is your customer and who is your product.

  8. Hey wait a second by Anonymous Coward · · Score: 0

    That doesn't sound true at all. I'd even wager a finsky to prove it.

  9. Duh by Kuruk · · Score: 2

    Isn't that malware 101? Hide from virus protection software.

  10. weren't we told windows was rewritten by Anonymous Coward · · Score: 0

    I seem to remember reading that Windows was rewritten from the ground up. Or was it so long ago that it predates the web?

  11. Bug? by aglider · · Score: 1

    Would you bet it's not a backdoor?

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.

    1. Re:Bug? by Anonymous Coward · · Score: 0

      Lately, too many backdoors have been exposed, so far only single-call functions like this one. The reason it's there is that under forensic investigation it could tip off the person being monitored. There is probably a 'no observe' bit there as well. Rinse and repeat for write routines, plus some funky 'LoadImageFromRegistry' function possibly.
      First thing to do with this: use it to dismiss forensic evidence.

    2. Re:Bug? by thegarbz · · Score: 1

      Yes.

      In other news I also don't wear a tinfoil hat, the CIA did not drop the trade centre, and we did actually step on the moon.

    3. Re:Bug? by Anonymous Coward · · Score: 1

      Yes.

      In other news I also don't wear a tinfoil hat, the CIA did not drop the trade centre, and we did actually step on the moon.

      Prove the last two, otherwise you don't actually "know" those things, you just have faith in them.

    4. Re:Bug? by Anonymous Coward · · Score: 0

      Regarding the last one, at least, there's credible evidence...

    5. Re:Bug? by Jack_the_Tripper · · Score: 1

      Prove the last two, otherwise you don't actually "know" those things, you just have faith in them.

      Well... here's the first one.

  12. Which checkbox? by ArsenneLupin · · Score: 1
    breakingmalware.com - Additional security check is required

    Why am I seeing this page?

    The website you are visiting is protected and accelerated by Incapsula. Your computer may have been infected by malware and therefore flagged by the Incapsula network. Incapsula displays this page for you to verify that an actual human is the source of the traffic to this site, and not malicious software.

    What should I do?

    Just click the I'm not a robot checkbox to pass the security check. Incapsula will remember you and will not show this page again. We recommend you run a virus and malware scan on your computer to remove any infection.

    Morons!

  13. This isn't news anymore by Anonymous Coward · · Score: 0

    I've accepted that any software or operating system has bugs, holes, open invitations for hackers. People should even realize that millions of lines of code are not replaced every time a new OS version is released. This makes for good press against whatever software you dislike, or want to create a frenzy for the paranoid who will go out and buy a security suite that isn't affected. But really these things should be reported to the developer to fix and leave it at that.

  14. Starter from scratch by Anonymous Coward · · Score: 0

    Wait a minute. What did MS mean when they said that "we wrote the new Windows from scratch"?
    Didn't they "write from scratch" Windows Vista, Windows 7 and Windows 10?
    WTF did they write from scratch then, Paint?

    1. Re:Starter from scratch by Anonymous Coward · · Score: 0

      That was just a marketing pitch. Did you also believe that the modern ones are safer? Marketing pitch too.

    2. Re:Starter from scratch by Anonymous Coward · · Score: 0

      Oh noes, I fell for it!

  15. when? by Anonymous Coward · · Score: 0

    You'd think after three decades these people would be able to get this right, but no.

  16. Test by Anonymous Coward · · Score: 0

    17 ducks

  17. It's "fixed" with Powershell by The+MAZZTer · · Score: 3, Insightful

    Command Prompt has always been about legacy support. For modern terminal support Microsoft offers PowerShell... which passes your test using Select-String. The only variant it fails on is ANSI, but I suspect that file did not save properly... I opened it in a few apps and the ñ had been lost.

    PS C:\Users\mzzt\Desktop> Select-String

    cmdlet Select-String at command pipeline position 1
    Supply values for the following parameters:
    Pattern[0]: Español
    Pattern[1]:
    Path[0]: *.txt
    Path[1]:

    Unicode big endian.txt:1:Español
    Unicode.txt:1:Español
    UTF-8.txt:1:Español

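The procedure in comment 3 (save "Español" in four encodings, then search the folder) and the Select-String run in comment 17 both depend on how each file was encoded and on how the search tool decodes it. The script below is an added example, not code from the thread: it writes the four files with explicit encodings so the test is reproducible, dumps the first bytes of each file so a lost ñ is visible, and then searches with Select-String, passing the encoding explicitly for the file that carries no BOM. It assumes Windows PowerShell 5.1 on Windows (the version in the transcript above, where the encoding name `Default` means the system ANSI code page); the folder and file names are arbitrary choices made here.

```powershell
# Added example, not from the original thread. Assumes Windows PowerShell 5.1.
# If you save this as a .ps1, save it as UTF-8 with BOM (or UTF-16); otherwise
# Windows PowerShell reads the script in the ANSI code page and the literal
# 'Español' is already mangled before any file is written.
$dir  = Join-Path $env:TEMP 'unicode-search-test'   # scratch folder (arbitrary)
$text = 'Español'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Notepad's "Save as" encoding choices, mapped to Set-Content -Encoding names.
$files = [ordered]@{
    'Unicode.txt'            = 'Unicode'           # UTF-16 LE, with BOM
    'Unicode big endian.txt' = 'BigEndianUnicode'  # UTF-16 BE, with BOM
    'UTF-8.txt'              = 'UTF8'              # UTF-8, with BOM (5.1 behaviour)
    'ANSI.txt'               = 'Default'           # system ANSI code page, no BOM
}
foreach ($name in $files.Keys) {
    Set-Content -Path (Join-Path $dir $name) -Value $text -Encoding $files[$name] -NoNewline
}

# Byte dump of each file. This is the check for comment 17's suspicion that the
# ANSI file "did not save properly": on a Western (1252) system ANSI.txt should
# read 45 73 70 61 F1 6C; a 3F where the F1 should be means the ñ was lost.
'--- first bytes of each file ---'
foreach ($name in $files.Keys) {
    $bytes = [System.IO.File]::ReadAllBytes((Join-Path $dir $name))
    $hex   = ($bytes | Select-Object -First 8 | ForEach-Object { $_.ToString('X2') }) -join ' '
    '{0,-24} {1}' -f $name, $hex
}

# Search 1: default settings. The three BOM-marked files are decoded from their
# BOM; ANSI.txt has no BOM, so it is decoded with Select-String's default.
'--- Select-String, default encoding ---'
Select-String -Path (Join-Path $dir '*.txt') -Pattern $text -SimpleMatch |
    ForEach-Object { '{0}:{1}:{2}' -f $_.Filename, $_.LineNumber, $_.Line }

# Search 2: state the encoding for the BOM-less file explicitly. This is the
# deterministic form; it does not depend on what the session assumes.
'--- Select-String -Encoding Default on ANSI.txt ---'
Select-String -Path (Join-Path $dir 'ANSI.txt') -Pattern $text -SimpleMatch -Encoding Default |
    ForEach-Object { '{0}:{1}:{2}' -f $_.Filename, $_.LineNumber, $_.Line }

Remove-Item -Recurse -Force $dir
```

Run it from a console whose font can display ñ, or the output itself will look wrong even when the bytes are right. The design point is the same as in any parsing problem: a search tool can only match a non-ASCII string if it decodes the file with the encoding the file was written in, so either the file declares it (a BOM) or the caller states it (`-Encoding`); leaving it to a default is what produced the contradictory results reported in this thread.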
    1. Re:It's "fixed" with Powershell by Anonymous Coward · · Score: 0

      I hate Powershell and avoid it extensively.

      They need to just make the Command Prompt I already know how to use behave properly (and should just switch //everything// to UTF-8 strings).

  18. A severe memory leak by Anonymous Coward · · Score: 0

    In the windows kernel will cause windows to use 16GB of ram for nothing and wear out your SSD with constant swapping, finally ending in a blue screen of death in a little over a week.

  19. Duh! by s.petry · · Score: 1

    What can't you do without Unicode?

    Operate Slashdot!

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  20. Bug, or a feature... by evolutionary · · Score: 1

    Microsoft isn't exactly known for making the most secure software (Windows Defender is often a joke among security software vendors). However, knowing what we now know, that backdoors were in many cases left unpatched (under duress possibly), for government "monitoring", as the CIA has had their noses in MS Windows development/feature process for some time. Windows 10 is particularly vicious on data collection. We may never be sure when the holes are oversights or government "requests" to leave open until someone else discovers it (which they will sooner or later). The UK is trying to force "mandatory" backdoors in security/OS software. That is scary stuff. Will start a whole army of hackers going after software coming from the UK. In China I assume it's already there.

    --
    "Imagination is more important than knowledge" - Einstein

  21. So what? by alexborges · · Score: 1

    Security software does not work. It used to be a good idea back in the day when the internet wasn't everywhere. Now the only thing that is going to work is replacing every single piece of every software in any computer with one designed for security.

    Antivirus, malware detection and even firewalls are mostly scams nowadays. IDS/IPS systems are a joke except maybe for real good teams that are proficient in snort or sourcefire.

    --
    NO SIG

  22. Easy Solution by Anonymous Coward · · Score: 0

    Easy solution is to avoid this API. Anti-malware firms should just build their own routine and avoid this built-in API. Research is incomplete; they should provide a list of AV vendors using this API.

  23. Re: You know? by sexconker · · Score: 1

    also if you tell nerds they are about to get a swirly, they will suck your DAMN balls

    I find that a single Iron Palm tends to discourage future attempts at swirlys. Not all geeks are computer geeks heh.

    That's a double swirly for you, nerd.

  24. Microsoft Windows = Job Securty by Anonymous Coward · · Score: 0

    The story behind Dave Cutler and Windows NT was covered in "Showstopper!: The Breakneck Race to Create Windows NT and the Next Generation at Microsoft" by G. Pascal Zachary. A good read. WinNT was developed the same time that Microsoft was still playing nice with IBM and OS/2.

  25. Windows..... by MerlTurkin · · Score: 1

    ROTFLMFAO!

  26. Article is stupid by chuckugly · · Score: 1

    I work in this area, and in fact I've implemented real time AV scanners. The sane way is to write a file filter driver and intercept file operations at that level, because guess what? Not all malware is a PE image. We have to look at everything. I don't know what the designed purpose of this API is, but if security software uses it as the sole means to protect a Windows PC the security software is defective, not the API.