Monday, 25 April 2016 06:07

"New" flaw in Windows bypasses App Locker settings

Written by

Reading time is around minutes.

There is nothing like finding out that all of your protections are useless. This is almost what happened when security researchers found a massive hole in the Windows App Locker protection. Although the news that there is a flaw in any software, much less Windows will come as no surprise it is still a little odd that this one made it through QA testing. The flaw is one that very simple and has already been seen in the wild over the last couple of days. All you need to do to execute code on a system is to direct Regsvr32 to a remotely hosted file. Security researcher Casey Smith found this handy little tidbit of information and states that you do not even need to elevate privileges to get it to work.

Poisoned sites or malformed documents seem to be the most likely venues for this type of attack (including ones on file sharing sites). Tracking this with a process monitor we see the script (etc.) a command prompt, then Regsvr32, and then a netconn connection opens up pointing to the file in question. From there the payload is executed and the fun begins. What makes this more dangerous is that many web filters are failing to catch this as it happens. It means that you are putting the security of your network in the hands of your antimalware application. Sadly far too many of them either miss the malware or do not run quickly enough to stop the infection before it executes.

There are some suggestions to mitigate this vulnerability and they make sense. Regsvr32 should be blocked to outside connections on the built in firewall in Windows. You can control a lot of this using Group Policy to make things a little easier. You can also use a third party application that allows you to control process access as well. Either way there is certainly a need to keep this process protected from exploit. In the meantime we expect that Microsoft is working on a patch for this although we are not sure what they can really do to stop this without some fairly large changes. As Smith has put up examples of the attack on GitHub this one is sure to be in the wild very soon.

As always be safe out there.

Read 4560 times Last modified on Tuesday, 26 April 2016 10:26

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.