
posted by janrinok on Sunday October 30 2016, @04:58PM   Printer-friendly
from the don't-run-unknown-code! dept.

AtomBomb: The New Zero-Day Windows Exploit Microsoft Can't Fix?

There's a new code-injection technique for Microsoft Windows in the wild, named AtomBombing, and Microsoft may not be able to patch it away.

Ensilo security researchers have described a new technique that code already running on a Windows machine can use to inject malicious code into other processes and execute it there. The researchers call the technique AtomBombing because it abuses a Windows feature called atom tables.

What's particularly interesting about the technique is that it does not rely on a security vulnerability in any Windows component; it uses documented, native Windows functions doing exactly what they are designed to do. That, according to the researchers, is why Microsoft won't be able to fix it with a patch: there is no bug to fix.

It is particularly worrying that the technique works on all versions of Windows, and that security programs running on the system, a firewall or antivirus for instance, won't stop it, because none of the individual API calls involved is suspicious on its own.

The technique works in the following way on an abstract level:

  1. The attacker's code must already be running on the Windows machine, for instance because a user ran a malicious program. AtomBombing is not a way in; it is what that code does next.
  2. The usual ways such code injects itself into other processes (writing into another process's memory and starting a thread there) are what antivirus, other security software or policies typically watch for and block.
  3. AtomBombing instead writes the malicious code into the global atom table, a legitimate Windows facility for sharing strings between processes, so the write itself is not something security software stops.
  4. It then uses an asynchronous procedure call (APC) to make a legitimate process, a web browser for instance, retrieve the code from the atom table into its own memory and execute it, without the security software noticing.
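As an added example (not code from the article, from Help Net Security or from Ensilo), the following PowerShell script round-trips an arbitrary byte buffer through the Windows global atom table using only the documented GlobalAddAtom and GlobalGetAtomName calls, inside a single process and with no APC and no remote process involved. Function names and the sample payload are this example's own. It shows what the "write" half of step 3 lives with: an atom name is a string of at most 255 UTF-16 units with no embedded null, atom lookup is case-insensitive, and nothing about these calls looks unusual to a monitor that watches for conventional injection.

```powershell
# Added example, not code from the original article or from enSilo's research.
# Requires Windows (kernel32.dll). Stores a byte buffer in the global atom table
# and reads it back, staying entirely inside this process.

if (-not ('Demo.Atoms' -as [type])) {
    Add-Type -Namespace Demo -Name Atoms -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern ushort GlobalAddAtom(string lpString);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GlobalGetAtomName(ushort nAtom, System.Text.StringBuilder lpBuffer, int nSize);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern ushort GlobalDeleteAtom(ushort nAtom);
'@
}

$MaxAtomChars = 255   # documented upper bound on an atom name's length

# Split a byte buffer into (Offset, Text) chunks the atom table will accept:
# at most 255 UTF-16 code units each and no embedded 0x0000 unit, because a
# null terminates the name. Zero units are simply skipped: the destination is
# zero-initialised, and GlobalGetAtomName's own terminating null lands there too.
function Split-IntoAtomChunks {
    param([byte[]]$Payload)
    if ($Payload.Length % 2 -ne 0) { throw 'payload must be an even number of bytes (whole UTF-16 units)' }
    $chunks = New-Object System.Collections.Generic.List[object]
    $chars  = New-Object System.Collections.Generic.List[char]
    $start  = 0
    $flush  = {
        if ($chars.Count -gt 0) {
            $chunks.Add([pscustomobject]@{ Offset = $start; Text = [string]::new($chars.ToArray()) })
            $chars.Clear()
        }
    }
    for ($i = 0; $i -lt $Payload.Length; $i += 2) {
        $unit = [int]$Payload[$i] -bor ([int]$Payload[$i + 1] -shl 8)
        if ($unit -eq 0) { & $flush; continue }          # null unit ends the current name
        if ($chars.Count -eq $MaxAtomChars) { & $flush }  # length limit forces a split
        if ($chars.Count -eq 0) { $start = $i }
        $chars.Add([char]$unit)
    }
    & $flush
    return ,$chunks
}

# Read one atom's name back; returns exactly the characters stored, no terminator.
function Read-AtomText {
    param([uint16]$Atom)
    $buf = [System.Text.StringBuilder]::new($MaxAtomChars + 1)
    $n = [Demo.Atoms]::GlobalGetAtomName($Atom, $buf, $buf.Capacity)
    if ($n -eq 0) { throw "GlobalGetAtomName($Atom) failed" }
    return $buf.ToString(0, [int]$n)
}

# Stage every chunk as a global atom. Each add is verified with an immediate
# read-back: atom lookup is case-insensitive, so a chunk that differs from an
# already-existing atom only in letter case would come back as the other string.
function Write-PayloadToAtomTable {
    param([byte[]]$Payload)
    $staged = New-Object System.Collections.Generic.List[object]
    foreach ($chunk in (Split-IntoAtomChunks $Payload)) {
        $atom = [Demo.Atoms]::GlobalAddAtom($chunk.Text)
        if ($atom -eq 0) { throw "GlobalAddAtom failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
        if ((Read-AtomText $atom) -cne $chunk.Text) {
            [void][Demo.Atoms]::GlobalDeleteAtom($atom)
            throw "atom $atom does not round-trip the chunk at offset $($chunk.Offset) (case collision with an existing atom?)"
        }
        $staged.Add([pscustomobject]@{ Offset = $chunk.Offset; Atom = $atom })
    }
    return ,$staged
}

# Rebuild the buffer from the atom table alone. In the real technique this copy
# happens inside the victim, driven by APC-queued GlobalGetAtomName calls; here
# the destination is just a local array.
function Read-PayloadFromAtomTable {
    param($Staged, [int]$Length)
    $dest = [byte[]]::new($Length)            # zero-filled, so null units need no write
    foreach ($s in $Staged) {
        $text = Read-AtomText $s.Atom
        for ($j = 0; $j -lt $text.Length; $j++) {
            $code = [int]$text[$j]
            $dest[$s.Offset + 2 * $j]     = [byte]($code -band 0xFF)
            $dest[$s.Offset + 2 * $j + 1] = [byte]($code -shr 8)
        }
    }
    return ,$dest
}

# Constructed sample payload (not real shellcode): a NOP-like run, a few bytes
# with embedded 16-bit zeros, and 600 non-zero bytes to force a 255-unit split.
$payload = [byte[]]((@(0x90) * 8) + @(0x00, 0x00, 0x41, 0x00, 0x00, 0x42) + (1..600 | ForEach-Object { $_ % 251 + 1 }))

$staged = Write-PayloadToAtomTable $payload
$copy   = Read-PayloadFromAtomTable $staged $payload.Length
$ok     = [Convert]::ToBase64String($payload) -eq [Convert]::ToBase64String($copy)
"{0} chunk(s) staged as global atoms; round-trip {1}" -f $staged.Count, $(if ($ok) { 'matches' } else { 'DIFFERS' })
foreach ($s in $staged) { [void][Demo.Atoms]::GlobalDeleteAtom($s.Atom) }   # drop our references
```

Run it in Windows PowerShell 5.1 or later. Note what a host-based monitor sees: a process adding a handful of strings to a table that every process with a window already uses, then reading them back. That is why watching the atom-table calls themselves is not a useful detection; what distinguishes the full technique is the APC that makes a different process perform the read.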

You can find an extremely detailed explanation of AtomBombing here. Time to run Windows only in VMs?

New code injection attack works on all Windows versions - Help Net Security

Source: https://www.helpnetsecurity.com/2016/10/28/code-injection-windows-atombombing/


  • (Score: 2, Troll) by Francis (5544) on Sunday October 30 2016, @09:29PM (#420653)

    IIRC, that one doesn't work. Or at least it didn't work for me the last time I tried it. The optical drive is where that conversion takes place, and it requires the drivers to cooperate, and I couldn't get it to actually read the disc.

    It might come down to which specific OS you're running it on, but I don't recall having had any luck with that in the past. The Windows only software is the only one I've found that worked for me.

  • (Score: 2) by dry (223) on Monday October 31 2016, @02:20AM (#420741)

    I had a DVD drive that didn't work with libdvdcss, replaced it and no more worries about region coding.

    • (Score: 2) by Scruffy Beard 2 (6030) on Monday October 31 2016, @02:35AM (#420747)

      To be clear: were you playing back DVDs from more than one region?

      DVD drives are supposed to brick themselves if you change the region too often.

      • (Score: 0) by Anonymous Coward on Monday October 31 2016, @03:38AM (#420761)

        Depends on the drive and firmware. There are two different levels of RPC. Level 1 understands codes and the copy protection and, in a bit of oversimplification, reports them to the OS to take care of. That means that you can ignore the regions at will with a proper driver in the OS. Level 2 enforces regions at a hardware level and usually, but not always, has a limit to the number of changes. However, a reflash can often reset the counter or downgrade a level 2 to level 1 or to "auto-reset" at a power cycle.

        You can also get unlocked drives, or region killers or region faking, or other circumvention software and hardware to play anything. The cat is long out of the bag.

      • (Score: 1) by Francis (5544) on Monday October 31 2016, @03:57AM (#420768)

        Right, that's my personal problem. I like to watch DVDs in English, Mandarin and German and that typically requires something like 3 different drives because they don't generally sell German or Mandarin language DVDs in the US, so I usually have to import them as the discs aren't usually even available for sale in the US region.

        Sometimes, you can get hacked firmware for the drive that ignores the region coding, but the region coding is relatively low level and requires interaction between the driver and the firmware to do it. Linux apparently allows libdvdcss to do this, and in my experience FreeBSD does not. Windows will, but you have to have special virtualization in order to do it.

    • (Score: 1) by Francis (5544) on Monday October 31 2016, @03:51AM (#420765)

      It works on Linux apparently, but not on FreeBSD. But, it doesn't make much sense to dual-boot to Linux versus just running Windows in a VM.