Security Apps Fail to Detect Malware Threats Due to Windows Kernel Bug

According to security researchers, there is a decade old bug in Windows kernel that can be easily exploited to prevent security apps from identifying malicious programs loaded at runtime.

The bug is so old that it dates back to Windows 2000 and is found in all the subsequent Windows OS versions including the most recent release while the actual issue underlies with the PsSetLoadImageNotifyRoutine. This is a feature in Microsoft OS that notifies developers about the drives that are newly registered. Therefore, the bug is quite serious as it renders security tools useless as it blocks the program’s ability to detect malware threats.

Related: OLE flaw lets malware infected PowerPoint files evade antivirus detection

As per the blog post from security firm enSilo, the issue is a random one that originated from a “coding error in the Windows kernel” while the error is present in the recently released version of Windows OS, the Windows 10 as well as the previous versions since the release of Windows 2000.

It is rather ironic that the bug affects PsSetLoadImageNotifyRoutine since the basic purpose of this routine was to identify malware threats and prevent them from entering the Windows system. The routine was introduced as a method to notify registered drivers in different parts of the kernel when a “PE image file” is loaded to virtual memory, i-e, (kernel\user space).

Researchers identified that “after registering a notification routine for loaded PE images with the kernel the callback may receive invalid image names.”

This means, when the registered notification routine was invoked, the kernel supplied a series of parameters, which then initiated proper identification of the PE image that was being loaded. The parameters are part of the prototype definition of the callback function.

Security researcher Omri Misgav stated that Microsoft Security Response Center was notified about the bug, but the company doesn’t see this as a critical security issue at all. enSilo founder and CTO Udi Yavo also noted that he notified Microsoft about the issue back in January but to no avail.

”This flaw exists in the most recent Windows 10 release and past versions of the OS, dating back to Windows 2000″

“This bug has security implications on security vendors that rely on Microsoft documentation when using the API in order to monitor loaded files. Since there is no documentation of the bug and no formal workaround, this can potentially cause security vendors to miss malware. We are not aware of any intention to create a fix to this,” Yavo told SecurityWeek.

Yavo however, admitted that the routine doesn’t function as it is being specified.

“Some references indicate the bug was somewhat known, but… its root cause and full implications weren’t described in detail up until now,” read the blog post on enSilo.

To resolve the issue, Microsoft suggests using a file-system mini-filter callback to monitor PE image files loaded to the virtual memory as executable code. However, researchers claim that this method is useless because it cannot be used to determine if the section object is created for the loading of PE image file or not since enSilo researchers have noted that the parameter that identified the loaded PE image file effectively is the FullImageName parameter.

They also claimed that kernel utilizes an entirely different format for FullImageName. The paths that are provided for dynamically loaded user-mode PE files don’t have the volume name, and in some instances, the path is malformed to such an extent that it even points to a completely different file and sometimes it leads to a non-existent file altogether.

Researchers conclude after thorough analysis that the Cache Manager and the way file-system driver maintains file name are responsible for the errors and a coding error eventually causes the invalid name issue to take place.

Related: Microsoft not releasing patch for 20-year-old SMB flaw

Related Posts