Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bug In Windows Kernel Could Prevent Security Software From Identifying Malware (bleepingcomputer.com)

Posted by BeauHD on from the security-issues dept.

An anonymous reader writes: "Malware developers can abuse a programming error in the Windows kernel to prevent security software from identifying if, and when, malicious modules have been loaded at runtime," reports Bleeping Computer. "The bug affects PsSetLoadImageNotifyRoutine, one of the low-level mechanisms some security solutions use to identify when code has been loaded into the kernel or user space. The problem is that an attacker can exploit this bug in a way that PsSetLoadImageNotifyRoutine returns an invalid module name, allowing an attacker to disguise malware as a legitimate operation. The issue came to light earlier this year when enSilo researchers were analyzing the Windows kernel code. Omri Misgav, Security Researcher at enSilo and the one who discovered the issue, says the bug affects all Windows versions released since Windows 2000. Misgav's tests showed that the programming error has survived up to the most recent Windows 10 releases." In an interview, the researcher said Microsoft did not consider this a security issue. Bug technical details are available here.

28 of 75 comments (clear)

  1. That's Because by Anonymous Coward · · Score: 2, Funny

    It is the malware.

  2. mostly uninteresting by Anonymous Coward · · Score: 1

    "the researcher said Microsoft did not consider this a security issue." probably because it's not a security issue. This particular notification is only useful AFTER you have already been screwed over by malware which means the breach has already happened, at that point all bets are off regardless of this bug. still needs fixing but hardly a urgent matter.

  3. Windows is full of old bugs by Anonymous Coward · · Score: 5, Interesting

    Microsoft has never bothered to fix anything to do with Unicode search, either. Try this out at home, kids:

    • paste "Español" into a Notepad window and save it into Unicode, Unicode big-endian, UTF-8 and ANSI text files.
    • Try using Windows Explorer to search for Español in that folder - no matches.
    • Open a Command Prompt and run: findstr "Español" *.txt - no matches.
    • Open a Command Prompt and run: find "Español" *.txt - at least it finds the Unicode little-endian file.

    It's been this way since Microsoft introduced UCS-2 in Windows NT4 and UTF-16 in Windows 2000. They don't consider it a bug so they won't acknowledge it requires a fix.

    1. Re:Windows is full of old bugs by Anonymous Coward · · Score: 1

      This is America. Take your funny characters elsewhere!

    2. Re:Windows is full of old bugs by Z00L00K · · Score: 1

      The MS team that works on Windows today speaks Indian English and probably Hindi or some other obscure language.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re: Windows is full of old bugs by cyber-vandal · · Score: 2

      Por favor, suba un incidente de Jira?

    4. Re: Windows is full of old bugs by bsDaemon · · Score: 1

      por favor haga lo necesario

    5. Re: Windows is full of old bugs by Entrope · · Score: 2, Insightful

      It takes Microsoft-class, Apple-style courage to rename "grep" to "select-string-path" and call the result a PowerShell.

    6. Re:Windows is full of old bugs by sexconker · · Score: 1

      If that were true, it would only be in Spanish.

    7. Re:Windows is full of old bugs by sexconker · · Score: 1

      Tengo un circo en mis pantalones.

    8. Re: Windows is full of old bugs by sexconker · · Score: 1

      PowerShell supports cmdlet completion though, so it's not a big deal.

  4. Just dreaming. by Gravis+Zero · · Score: 2, Interesting

    If only there was some way that programs from around the globe could review the kernel of an operating system. No wait, we could expand it to all software and make it some sort of hub for getting software. Oh well, I guess it's one of those impossible things that will never happen. ;)

    --
    Anons need not reply. Questions end with a question mark.
    1. Re: Just dreaming. by im_thatoneguy · · Score: 1

      Good thing critical open source security software has never had a bug. Especially none affecting encryption and authentication of supposedly secure connections.

    2. Re:Just dreaming. by Narcocide · · Score: 1

      You didn't know AI was made from software too?

  5. This is not a bug by mea2214 · · Score: 3, Insightful

    Someting that doesn't allow third party anti virus software to detect malware is a feature.

  6. Duh by Kuruk · · Score: 2

    Isnt that 101 malware. Hide for virus protection software.

  7. Bug? by aglider · · Score: 1

    Would you bet it's not a backdoor?

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re:Bug? by thegarbz · · Score: 1

      Yes.

      In other news I also don't wear a tinfoil hat, the CIA did not drop the trade centre, and we did actually step on the moon.

    2. Re:Bug? by Anonymous Coward · · Score: 1

      Yes.

      In other news I also don't wear a tinfoil hat, the CIA did not drop the trade centre, and we did actually step on the moon.

      Prove the last two, otherwise you don't actually "know" those things, you just have faith in them..

    3. Re:Bug? by Jack_the_Tripper · · Score: 1

      Prove the last two, otherwise you don't actually "know" those things, you just have faith in them..

      Well... here's the first one.

  8. Which checkbox? by ArsenneLupin · · Score: 1
    breakingmalware.com - Additional security check is required

    Why am I seeing this page?

    The website you are visiting is protected and accelerated by Incapsula. Your computer may have been infected by malware and therefore flagged by the Incapsula network. Incapsula displays this page for you to verify that an actual human is the source of the traffic to this site, and not malicious software.

    What should I do?

    Just click the I'm not a robot checkbox to pass the security check. Incapsula will remember you and will not show this page again. We recommend you run a virus and malware scan on your computer to remove any infection.

    Morons!

  9. It's "fixed" with Powershell by The+MAZZTer · · Score: 3, Insightful

    Command Prompt has always been about legacy support. For modern terminal support Microsoft offers Command Prompt... which passes your test find using Select-String. The only variant it fails on is ANSI but I suspect that file did not save properly... I opened it in a few apps and the ñ had been lost.

    PS C:\Users\mzzt\Desktop> Select-String

    cmdlet Select-String at command pipeline position 1
    Supply values for the following parameters:
    Pattern[0]: Español
    Pattern[1]:
    Path[0]: *.txt
    Path[1]:

    Unicode big endian.txt:1:Español
    Unicode.txt:1:Español
    UTF-8.txt:1:Español

  10. Duh! by s.petry · · Score: 1

    What can't you do without Unicode?

    Operate Slashdot!

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  11. Bug, or a feature... by evolutionary · · Score: 1

    Microsoft isn't exactly known for making the most secure software (Windows Defender is often a joke among security software vendors). However, knowing what we now know, that backdoors were in many cases left unpatched (under duress possibly), for government "monitoring" as the CIA has had their noses in MS windows development/feature process for sometime. Windows 10 is particularly vicious on data collection.We may never be sure when the holes are oversights or government "requests" to leave open until someone else discovers it (which they will sooner or later). The UK is trying to force "mandatory" backdoors in security/OS software. That is scary stuff. Will start a whole army of hackers going after software coming from the UK. In China I assume it's already there.

    --
    "Imagination is more important than knowledge" - Einstein
  12. So what? by alexborges · · Score: 1

    Security software does not work. It used to be a good idea back in the day when the internet wasnt everywhere. Now the only thing that is going to work is replacing every single piece of every software in any computer for one designed for security.

    Antivirus, malware detection and even firewalls are mostly scams nowdays. IDS/IPS systems are a joke except maybe real good teams that are proficient in snort or sourcefire.

    --
    NO SIG
  13. Re: You know? by sexconker · · Score: 1

    also if you tell nerds they are about to get a swirly, they will suck your DAMN balls

    I find that a single Iron Palm tends to discourage future attempts at swirlys. Not all geeks are computer geeks heh.

    That's a double swirly for you, nerd.

  14. Windows..... by MerlTurkin · · Score: 1

    ROTFLMFAO!

  15. Article is stupid by chuckugly · · Score: 1

    I work in this area, and in fact I've implemented real time AV scanners. The sane way is to write a file filter driver and intercept file operations at that level, because guess what? Not all malware is a PE image. We have to look at everything. I don't know what the designed purpose of this API is, but if security software uses it as the sole means to protect a Windows PC the security software is defective, not the API.