Windows Kernel Bug Attacks Windows Systems

0
58

The enSilo security researchers warn that a kernel bug which has been impacting Windows systems over the past decade and a half, has remained unpatched.

According to the experts, the kernel bug has appeared as a result of a programming error and it prevents security vendors from identifying modules which have been loaded at runtime.

The researchers claim that this issue impacts the PsSetLoadImageNotifyRoutine function which should notify of module loading. Nevertheless, the experts found that, “after registering a notification routine for loaded PE images with the kernel, the callback may receive invalid image names.”

According to the researchers, the kernel bug has affected recent Windows 10 releases, as well as older versions of the operating system all the way back to Windows 2000.

The PsSetLoadImageNotifyRoutine function was presented as a mechanism for notifying “registered drivers from different parts in the kernel when a PE image file has been loaded to virtual memory (kernel\user space).”

After invoking the registered notification routine, the kernel supplies a series of parameters that enable the proper identification of the PE image being loaded. These parameters are featured in the prototype definition of the callback function.

To solve the issue, Microsoft recommends using of a file-system mini-filter callback for monitoring PEs which are loaded to memory as executable code, however, the security experts argue that this method can’t be used to “determine whether the section object is being created for the loading of a PE image or not.”

According to the enSilo experts, the parameter which is capable of identifying the loaded PE file is the FullImageName parameter, though, the kernel uses a different format for FullImageName and the paths provided for some dynamically loaded user-mode PEs are missing the volume name. Besides, in some instances, the path is completely malformed, pointing to a different or non-existing file.

The co-founder and CTO of enSilo Udi Yavo, confirmed that they reported their findings to Microsoft in January this year, but the corporation didn’t consider this as a security issue.

SHARE
Nelly Vladimirova
Nelly Vladimirova has been working as a journalist since 1998 with a main focus on Finance, Economics, and IT. In 2004 she graduated the University of Plovdiv, Bulgaria, as a Bachelor in English Philology and Master in Linguistics and Translation. Later, Nelly received a postgraduate certificate in Business Management from Scott's College, UK. Presently, she is presenting the latest news related to computer security at www.virusguides.com.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Time limit is exhausted. Please reload CAPTCHA.