Unpatched Windows Kernel Bug Could Help Malware Hinder Detection

A 17-year-old programming error has been discovered in Microsoft's Windows kernel that could prevent some security software from detecting malware at runtime when loaded into system memory.

The security issue, described by enSilo security researcher Omri Misgav, resides in the kernel routine "PsSetLoadImageNotifyRoutine," which apparently impacts all versions of Windows operating systems since Windows 2000.

Windows has a built-in API, called PsSetLoadImageNotifyRoutine, that helps programs monitor if any new module has been loaded into memory. Once registered, the program receives notification each time a module is loaded into memory. This notification includes the path to the module on disk.

However, Misgav found that due to "caching behaviour, along with the way the file-system driver maintains the file name and a severe coding error," the function doesn't always return the correct path of the loaded modules.

What's bad? It seems like Microsoft has no plans to address this issue, as the software giant does not consider it as a security vulnerability.

"This bug could have security implications for those who aren’t aware of its existence. We believe that if Microsoft does not plan on fixing this bug, they should at least explicitly warn developers about it in their documentation," says Tal Liberman, head of the research team at enSilo.

The researchers believe this "programmatic error" could theoretically be used by malware authors to bypass antivirus detection—especially those security products which rely on this API to check if any malicious code has been loaded into memory—using a "series of file operations" to mislead the scanning engine into looking at the wrong file.

So, if your endpoint detection and response products rely on this buggy API, you should either consider not using it or must implement the workaround introduced by the researcher to overcome the loophole.

In a separate blog post, Misgav advised software developers to use another Windows API (FltGetFileNameInformationUnsafe) to check the validity of the module's path using the file object parameter.

If the file exists, it is possible to verify that the file object being loaded into memory is indeed the same file that lies on disk.

For a more technical explanation, you can head on to enSilo's blog.

In separate news, security researchers from Check Point reported about a new attack technique, dubbed Bashware, which takes advantage of Windows built-in Linux subsystem to hide malware from the most security solutions.