SoylentNews

AtomBomb: The New Zero-Day Windows Exploit Microsoft Can't Fix?

posted by janrinok on Sunday October 30 2016, @04:58PM   
from the don't-run-unknown-code! dept.

AtomBomb: The New Zero-Day Windows Exploit Microsoft Can't Fix?

Celestial writes:

There's a new zero-day Microsoft Windows exploit in the wild by the name of AtomBomb, and Microsoft may not be able to fix it.

Ensilo security researchers have discovered a new zero-day exploit in Windows that attackers can make use of to inject and execute malicious code. The researches call the exploit AtomBombing because of its use of a Windows function called Atom Tables.

What's particularly interesting about the exploit is that it does not rely on security vulnerabilities in Windows components but native Windows functions. This means, according to the researchers, that Microsoft won't be able to patch the issue.

It is particularly worrying that the issue affects all versions of Windows, and that security programs that run on the system -- firewall or antivirus for instance -- won't stop the execution of the exploit.

The technique works in the following way on an abstract level:

1. Malicious code needs to be executed on a Windows machine. A user might run malicious code for instance.
2. This code is blocked usually by antivirus software or other security software or policies.
3. In the case of AtomBombing, the malicious program writes the malicious code in an atom table (which is a legitimate function of Windows and won't be stopped therefore).
4. It then uses legitimate processes via APC (Async Procedure Calls) , a web browser for instance, to retrieve the code from the table undetected by security software to execute it.

You can find an extremely detailed explanation of AtomBombing here. Time to run Windows only in VMs?

New code injection attack works on all Windows versions - Help Net Security

MrPlow also submits a story on the same topic via IRC for TheMightyBuzzard:

Source: https://www.helpnetsecurity.com/2016/10/28/code-injection-windows-atombombing/

---

Original Submission #1  Original Submission #2 

• Re:VMs Re:VMs (Score: 3, Informative) by frojack on Sunday October 30 2016, @10:07PM

  by frojack (1554) on Sunday October 30 2016, @10:07PM (#420667) Journal

  It does not handle document feeders, OCR, organization and it does not result in a copy that's accepted by the IRS during audits.

  It does handle document feeders. (I use this all the time)
  It does handle OCR, I use this also.
  It does handle organizations, I don't use this a lot but I do use it occasionally
  And it can result in a perfect PDF copy as well as the original images available if you want them.

  The fact that nobody uses it that way for all those things is beside the point. Its also not the only scanner software available for linux.

  But the driver availability is a valid point. Old, limited popularity, and out of production scanners will never get driver support. New scanners from large companies now tend to release drivers for opensource concurrently with Windows. Especially the network attached scanners.

  And the IRS requirements are not particularly onerous. The IRS has allowed taxpayers to use electronic receipts as documentary evidence since 1997.

  --
  No, you are mistaken. I've always had this sig.

  Parent

  Starting Score:	1		point
  Moderation		+1
  Informative=1, Total=1
  Extra 'Informative' Modifier		0
  Karma-Bonus Modifier		+1
  Total Score:		3

• Re:VMs (Score: 2, Redundant) by aristarchus on Sunday October 30 2016, @10:17PM

  by aristarchus (2645) on Sunday October 30 2016, @10:17PM (#420672) Journal

  Truly, this frojack knows a few things.

  Parent

• Francis should get over his tech isolation (Score: 1, Informative) by Anonymous Coward on Monday October 31 2016, @02:11AM

  by Anonymous Coward on Monday October 31 2016, @02:11AM (#420739)

  ISTM that Francis is working on decade-old datapoints.

  Had he sought out local Linux people, I'll bet his "Nuh-uh"s would have already been turned to "Oh, wow"s.

  In his area, perhaps there is a Linux Users Group. [google.com]

  If not that, maybe an individual.
  I've suggested before getting up with a Linux guy for hands-on help. [soylentnews.org]

  the driver availability is a valid point. Old, limited popularity, and out of production scanners will never get driver support

  If device drivers truly don't exist for his hardware, there are HUNDREDS of guys waiting in line to make more stuff Linux-compatible.
  Why Linux Has The Best Hardware Support Of Any OS (The Linux Driver Project) [googleusercontent.com] (orig) [lwn.net]
  (The significant text is found at "300".)

  If the Linux Driver Project guys can get their hands on it, a piece of the gear should have Linux support in no time.
  If the particular item isn't especially popular but the user can find a cluster of other folks who are interested in using it under Linux, that should help convince the LDP guys to support it.
  Putting a bounty on the driver might be further stimulus.

  ...and, before anyone mentions games, we're still talking about being forced to use company-provided stuff in a work environment. Right?

  -- OriginalOwner_ [soylentnews.org]

  Parent

• Re:VMs Re:VMs (Score: 0, Troll) by Francis on Monday October 31 2016, @04:06AM

  by Francis (5544) on Monday October 31 2016, @04:06AM (#420772)

  I've tried opensource OCR and I've yet to find one that works well. Certainly not well enough for me to ditch my current system for.

  IIRC, the best software I came across was Tesseract, but that didn't work very well for the things I was scanning. It's probably better now than then, but I don't see much point in dumping software and hardware I already have just to use open source. I've ditched most of the software I used to use for equivalents and that's worked fine, but as long as I can run the few remaining pieces of software in a VM, I don't see much purpose to ditching it for the sake of ditching it.

  And even if I do ditch it, then I have to go back to retaining all my receipts and similar in order to do my taxes, which greatly reduces the point of using my neat receipts in the first place.

  Parent

  • Re:VMs (Score: 0) by Anonymous Coward on Tuesday November 01 2016, @03:12AM

    by Anonymous Coward on Tuesday November 01 2016, @03:12AM (#421111)

    only traitors, cowards and idiots pay the federal income tax.

    Parent

  • Re:VMs Re:VMs (Score: 2) by butthurt on Thursday November 03 2016, @02:45PM

    by butthurt (6141) on Thursday November 03 2016, @02:45PM (#422053) Journal

    >[...] using my neat receipts [...]

    My Neat Receipts SCSA4601EU is the Plustek Opticslim M12 [...]

    -- https://social.technet.microsoft.com/Forums/windows/en-US/d8a8ae0f-a709-4cbd-a40e-8fe8c1c519c8/neat-receipts?forum=w7itprohardware [microsoft.com]

    Plustek OpticSlim M12 sheetfed scanner. Supported by the SANE gt68xx backend.

    -- http://gkall.hobby.nl/gt6816-07b3-0412.html [hobby.nl]

    You probably still need to copy the firmware manually.

    -- https://bugs.launchpad.net/ubuntu/+source/sane-backends/+bug/312296 [launchpad.net]

    This is from 2007 so it may be outdated:

    Sheet-fed scanner. Use the firmware file that comes with your scanner. Other firmware files (including the one linked from this page) may not work. Calibration is not available, area selection is limited - positioning does currently not work.

    -- http://www.meier-geinitz.de/sane/gt68xx-backend/ [meier-geinitz.de]

    Parent

    • Re:VMs (Score: 2) by butthurt on Thursday November 03 2016, @02:50PM

      by butthurt (6141) on Thursday November 03 2016, @02:50PM (#422057) Journal

      I forgot to say, SANE is available on FreeBSD. So if you feel like trying it, you needn't make any drastic changes.

      Parent