AtomBomb: The New Zero-Day Windows Exploit Microsoft Can't Fix?
There's a new zero-day Microsoft Windows exploit in the wild by the name of AtomBomb, and Microsoft may not be able to fix it.
Ensilo security researchers have discovered a new zero-day exploit in Windows that attackers can make use of to inject and execute malicious code. The researches call the exploit AtomBombing because of its use of a Windows function called Atom Tables.
What's particularly interesting about the exploit is that it does not rely on security vulnerabilities in Windows components but native Windows functions. This means, according to the researchers, that Microsoft won't be able to patch the issue.
It is particularly worrying that the issue affects all versions of Windows, and that security programs that run on the system -- firewall or antivirus for instance -- won't stop the execution of the exploit.
The technique works in the following way on an abstract level:
- Malicious code needs to be executed on a Windows machine. A user might run malicious code for instance.
- This code is blocked usually by antivirus software or other security software or policies.
- In the case of AtomBombing, the malicious program writes the malicious code in an atom table (which is a legitimate function of Windows and won't be stopped therefore).
- It then uses legitimate processes via APC (Async Procedure Calls) , a web browser for instance, to retrieve the code from the table undetected by security software to execute it.
You can find an extremely detailed explanation of AtomBombing here. Time to run Windows only in VMs?
New code injection attack works on all Windows versions - Help Net Security
Source: https://www.helpnetsecurity.com/2016/10/28/code-injection-windows-atombombing/
(Score: 2, Insightful) by Anonymous Coward on Sunday October 30 2016, @05:04PM
This is just a local way to get from one process to another, without even gaining privilege. It's no worse than having a debug capability.
(Score: 1, Informative) by Anonymous Coward on Sunday October 30 2016, @05:13PM
...and a quite convoluted way of doing this.
Normally you use CreateRemoteThread paired with WriteProcessMemory or VirtualAllocEx to write your code directly into another process.
(Score: 2) by Username on Sunday October 30 2016, @10:11PM
Well, it is an easy and interesting way to get chrome to run code. I didn’t know people actually used atom, or actually thought about using atom other than for setting windows global hotkeys.
(Score: 1, Funny) by Anonymous Coward on Sunday October 30 2016, @05:25PM
But...but... it's called ATOMbombing... it must be a big deal! Years of being subjected to marketing and advertising has taught me that marketeers never lie and only tell me things that are true and of interest to me. Why would they lie to me about this being a big deal? </sarcasm>
(Score: 5, Interesting) by Anonymous Coward on Sunday October 30 2016, @06:18PM
Don't you know debuggers are illegal?
(Score: 1, Informative) by Anonymous Coward on Sunday October 30 2016, @08:29PM
source?
(Score: 1, Informative) by Anonymous Coward on Sunday October 30 2016, @08:48PM
I think it is Stallman's "The Right to Read", certainly reads like Stallman's writing.
(Score: 0) by Anonymous Coward on Sunday October 30 2016, @10:06PM
Right to read [gnu.org]
Richard Stallman, February 1997 issue of Communications of the ACM (Volume 40, Number 2)
(Score: 3, Informative) by NCommander on Monday October 31 2016, @05:12AM
While I personally disagree with rms on many points, I do think the worlds he outlined in Right to Read and such are disturbingly plausible in many ways. I just wish the FSF would stop shooting itself in the foot in many ways; the GPLv3 as a license is a disaster.
(specifically, I don't mind the concepts desired in the GPLv3 itself, however, its very difficult to read even being versed in software licensing and an above average legal understanding. The FSF could have gotten exactly the same effect with much clearer language. A layman can read the GPLv2 and completely understand it, not true of the GPLv3. For patent clauses, compare Apache 2.0 to GPLv3 and tell me which one actually is understandable on the first go, Furthermore, getting around the TiVozation requirements within the GPLv3 is relatively straightforward; virtualization can easily allow you to comply with the GPLv3 while running around the intent of the license.).
Still always moving
(Score: 2, Disagree) by takyon on Sunday October 30 2016, @05:07PM
The rise of catastrophic and hyped exploits targeting hundreds of millions of smartphones, PCs, and servers is exactly what the industry needed. Planned obsolescence is now forced obsolescence. Can't patch it? Good! Throw that two year old Android phone and Windows 7 box in the trash and get new ones. The world is too addicted to computers to cast them aside. Windows 11 adoption trending upward.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 3, Insightful) by Ethanol-fueled on Sunday October 30 2016, @05:23PM
..from my cold, dead hands. Especially after corporations begin explicitly forcing obsolescence and making you "lease" your gadget under threat of disabling it.
And then there's the issue of both software and hardware "bugs" mandated or placed by government plants -- for example, Lenovo's beaconing. [freebeacon.com]
All of you old 386 hoarders will be vindicated.
(Score: 2, Informative) by Anonymous Coward on Sunday October 30 2016, @11:13PM
As a result of exactly this. The only exceptions (of which I am well aware of threats of) are Video cards, Hard Disks, and USB devices.
Basically everything else is still based off hardware designs from the early PCIe era, or revisions thereof.
The scary part to me is that NOBODY seems intent on servicing the niche of security conscious/authoritarian concerned citizens, of which there are certainly enough to fund at least hardware a generation or two old (performance-wise) that was made with open specs, unsigned (or user signed) firmware, etc. TPM/TXT/Management engines aren't in and of themselves a bad idea. The bad idea comes from permanently inserting an irreplacable signing key inside of them, and disallowing the end-user/owner of the hardware from disabling/replacing that key with their own to ensure the security of their system to THEIR level of confidence, not the vendor's.
(Score: 1, Insightful) by Anonymous Coward on Sunday October 30 2016, @05:23PM
Time to run Windows only in VMs?
How is this a solution if the Windows gets owned anyway. If you rely on that windows (which I assume you do since you go to the pain of running it - in a VM or not), you are now running an pwned windows regardless of it being in a VM or not.
This whole 'run it in a VM' is a non-answer because you still end up with a compromised environment.
(Score: 2, Informative) by Francis on Sunday October 30 2016, @05:35PM
It depends how you're running it. If you're only using a couple programs in there like I do, then there's not much damage they can do without breaking out of the VM. Most crackers aren't going to bother with that unless they're targeting me specifically. They'll get whatever they can out of the computer and if it doesn't give them much, they'll probably move on to the next computer.
(Score: 2) by Nerdfest on Sunday October 30 2016, @05:40PM
When I had a Windows VM, I generally reverted it back to a snapshot anyway, except for the times I ran it just to install updates. (As a side note, I'm amazed at how long it takes to install Windows updates, even without the repeated reboots that are sometimes required. Do they throttle their downloads to a trickle or something?)
(Score: 4, Interesting) by Anonymous Coward on Sunday October 30 2016, @05:49PM
Nope, they reparse a gigantic dependancy tree, spinlock, make repeated expensive calls to unchangeable metadata and do other anti-patterns.
(Score: 2) by Webweasel on Monday October 31 2016, @03:52PM
There was quite a serious bug a year or two ago with windows updates on some servers.
It would take around 7-8 hours to just load the list of updates, with one of the services (csrss.exe) pegged at 50% cpu.
At the time, I was not happy about staying up till 5am trying to patch servers, but the overtime bill made up for it.
Priyom.org Number stations, Russian Military radio. "You are a bad, bad man. Do you have any other virtues?"-Runaway1956
(Score: 0) by Anonymous Coward on Sunday October 30 2016, @05:40PM
But those programs are usually things you use for work (why else do people use windows? It's because there's a thing they need for work that doesn't run on Wine) which means their value as a target (to you, that is, if you lose it) is high. So it's not so much about what any attacker gets out of it, it's what you lose if you suddenly get ransomwared...
(Score: 1) by Francis on Sunday October 30 2016, @05:53PM
There's a small number of programs I run that depend upon hardware drivers that don't exist outside of Windows and OSX.
The DVD software I use to play my foreign language DVDs only exists on Windows, the scanners I use for scanning books and receipts only have drivers for OSX and Windows. And then there's some games, but those tend to either work with Wine or not at all, so I don't generally bother with those.
But, for most folks, I don't think that having a Windows VM is really that useful. If you're just wanting a bit of extra security, a Linux VM does that just as well.
(Score: 1, Redundant) by aristarchus on Sunday October 30 2016, @07:54PM
There are many things Francis does not know, but this:
The DVD software I use to play my foreign language DVDs only exists on Windows, the scanners I use for scanning books and receipts only have drivers for OSX and Windows.
is a major lacunae! Only on Windows? Ha! Scanners? Ha! What happened, did Francis take the Hairyfeet challenge and beg the question?
(Score: 2, Interesting) by Francis on Sunday October 30 2016, @08:55PM
OK, so now I know that the guy that's been trying to troll me is actually retarded.
You're laughing at me, but you're not actually addressing the point at all. The scanner I use is a batch feeding model that is IRS approved for storage of tax documents, so I can throw the originals away after I have them backed up. I'm not going to throw out the scanner because it doesn't work in Linux when I have a perfectly good Windows install in a VM.
And I haven't come across Linux software that gets around the hardware limitation on region coding.
Now, if you'd like to pay for me to replace my scanner and pay for somebody to handle my books for me, then go ahead, but you can go fuck yourself if you can't be bothered to give a reasonable alternative. My flatbed scanner works quite well under Linux and pretty much everything else, but it doesn't really deal well with OCR and isn't IRS approved.
(Score: 3, Informative) by Bot on Sunday October 30 2016, @09:20PM
DVD region coding? libdvdcss or something, decrypts DVDs. Of course it is illegal for anything else than reading your own DVD, and in some nazi places it is probably illegal for that, too.
Account abandoned.
(Score: 2, Troll) by Francis on Sunday October 30 2016, @09:29PM
IIRC, that one doesn't work. Or at least it didn't work for me last time I tried it. The optical drive is where that conversion takes place and it requires the drivers to cooperate and I couldn't get it to actually read the disc.
It might come down to which specific OS you're running it on, but I don't recall having had any luck with that in the past. The Windows only software is the only one I've found that worked for me.
(Score: 2) by dry on Monday October 31 2016, @02:20AM
I had a DVD drive that didn't work with libdvdcss, replaced it and no more worries about region coding.
(Score: 2) by Scruffy Beard 2 on Monday October 31 2016, @02:35AM
To be clear: were you playing back DVDs from more than one region?
DVD drives are supposed to brick themselves if you change the region too often.
(Score: 0) by Anonymous Coward on Monday October 31 2016, @03:38AM
Depends on the drive and firmware. There are two different levels of RPC. Level 1 understands codes and the copy protection and, in a bit of oversimplification, reports them to the OS to take care of. That means that you can ignore the regions at will with a proper driver in the OS. Level 2 enforces regions at a hardware level and usually, but not always, has a limit to the number of changes. However, a reflash can often reset the counter or downgrade a level 2 to level 1 or to "auto-reset" at a power cycle.
You can also get unlocked drives, or region killers or region faking, or other circumvention software and hardware to play anything. The cat is long out of the bag.
(Score: 1) by Francis on Monday October 31 2016, @03:57AM
Right, that's my personal problem. I like to watch DVDs in English, Mandarin and German and that typically requires something like 3 different drives because they don't generally sell German or Mandarin language DVDs in the US, so I usually have to import them as the discs aren't usually even available for sale in the US region.
Sometimes, you can get hacked firmware for the drive that ignores the region coding, but the region coding is relatively low level and requires interaction between the driver and the firmware to do. Linux apparently allows libdvdcss to do this and in my experience FreeBSD does not. Windows will, but you have to have special virtualization in order to do it.
(Score: 1) by Francis on Monday October 31 2016, @03:51AM
It works on Linux apparently, but not on FreeBSD. But, it doesn't make much sense to dual-boot to Linux versus just running Windows in a VM.
(Score: 2) by Scruffy Beard 2 on Monday October 31 2016, @02:32AM
After Dcss was realeased, region-coding was moved onto drive firmware [doom9.org] within a year.
It is cute that you think you own your computer!
(Score: 0, Disagree) by Anonymous Coward on Monday October 31 2016, @09:09AM
"How dare you pay for your foreign DVDs, go download them from The Pirate Bay, or we brick your DVD drive".
(Score: 3, Troll) by aristarchus on Sunday October 30 2016, @09:27PM
You are not going to know this, or even believe it, but there is standard software called SANE that runs scanners, fairly standardized, nothing like twenty years ago when it was all proprietary. And of course you realize, just mentioning the IRS has scam all over it. What model, precisely, is it that you can't get to work under linux? And what kernels and modules did you try to use? The fact you could not figure out DVD region encoding without windowes does not bode well, my dear unerudite Francis.
(Score: 1) by Francis on Sunday October 30 2016, @09:42PM
Sigh, more name calling and no actual useful information.
First off, I'm familiar with SANE, I've used it in the past and it works fine for basic flatbed functionality. It does not handle document feeders, OCR, organization and it does not result in a copy that's accepted by the IRS during audits. Plus, there are better options anyways. It's something that kind of works for simple things, but not if you've got more complicated things you want to do.
As far as DVD region encoding goes, why should I waste time looking for a solution when I have one that works? I have the software it works reliably on my computer, why on earth should I waste time looking for another solution that may or may not work when I've got one that does?
I'm a bit surprised that you're willing to post this bullshit under your name.
(Score: 2, Troll) by aristarchus on Sunday October 30 2016, @09:52PM
I'm a bit surprised that you're willing to post this bullshit under your name.
Feeling is mutual. Aren't you just the slightest bit embarrassed to admit such ignorance on a moderately techie site?
I have the software it works reliably on my computer, why on earth should I waste time looking for another solution that may or may not work when I've got one that does?
So, how much does Micro$erft pay you, or are you truely so unaware of what software is, how operating systems work, and how in the current instance, if you have read the Fine Article, Windows is totally hosed. Works reliably? Are we supposed to take this as a joke?
I was just trying to help liberate you from bondage, Francis, but you know, the first step is realizing you are enslaved. It is something you should know.
(Score: 0, Flamebait) by Francis on Monday October 31 2016, @04:03AM
No, you're being an asshole. People like you are why I use FreeBSD rather than Linux as my primary install. I just want a system that works reliably without the zealotry.
I did the research on this stuff at the time that I decided what software I was going to use and I don't see any reason why I should stop using what works for me. Nothing you've recommended does what my current set up does on my machine. I don't see any purpose in setting aside the stuff I bought back when I was dual-booting between Windows and FreeBSD just because I've got my Windows install loaded into a VM.
Nothing you've suggested is anywhere near as functional as what I'm currently using.
Also, I think it's cute that you think I care what you think of me. All you've done in this thread is make an ass of yourself.
(Score: 2, Informative) by aristarchus on Monday October 31 2016, @06:09AM
Nothing you've recommended does what my current set up does on my machine. I don't see any purpose in setting aside the stuff I bought back when I was dual-booting between Windows and FreeBSD just because I've got my Windows install loaded into a VM.
Nothing you've suggested is anywhere near as functional as what I'm currently using.
Francis, my poor Francis! You have admitted to running Windows because you did not know what else to do. I never suggested any solutions, since you did not provide enough details to see what your problem was, other than that you were running Windows. And it is funny how, when ever I try to assist you, as opposed to anyone else on SoylentNews, I get modded down. Hmm. Well, that is it. It is war, Francis! I will follow you, and every post you make I will mod down mercilessly! I will taunt you as an AC, and I will imitate your username on other fora accross the internet until you realize the errors of your ways and apologize for posting totally ignorant things here on SoylentNews. Deal?
(Score: 1, Informative) by Anonymous Coward on Monday October 31 2016, @02:46PM
It's not just Francis. I mod you down too, especially because of pointless dickwaving posts like this.
(Score: 3, Funny) by aristarchus on Monday October 31 2016, @04:16PM
Francis! Posting as AC and calling yourself "not just Francis" does not mean you are not just Francis! You're not fooling anyone, you know!
(Score: 0) by Anonymous Coward on Monday October 31 2016, @05:38PM
Just keep telling yourself that.
(Score: 0) by Anonymous Coward on Monday October 31 2016, @06:33PM
Aristarchus is right! You can't just hide behind AC, Francis! Maybe if you knew how scanner drivers and DVD drives worked, you might have a chance to pull it off, but this is just too obvious.
(Score: 0) by Anonymous Coward on Tuesday November 01 2016, @03:00AM
that's b/c you're a hooker.
(Score: 0) by Anonymous Coward on Tuesday November 01 2016, @09:07AM
that's b/c you're hooked.
FTFY! Trolling, trolling, over the deep blue sea! I just wonder, if you know it's me?
(Score: 3, Informative) by frojack on Sunday October 30 2016, @10:07PM
It does not handle document feeders, OCR, organization and it does not result in a copy that's accepted by the IRS during audits.
It does handle document feeders. (I use this all the time)
It does handle OCR, I use this also.
It does handle organizations, I don't use this a lot but I do use it occasionally
And it can result in a perfect PDF copy as well as the original images available if you want them.
The fact that nobody uses it that way for all those things is beside the point. Its also not the only scanner software available for linux.
But the driver availability is a valid point. Old, limited popularity, and out of production scanners will never get driver support. New scanners from large companies now tend to release drivers for opensource concurrently with Windows. Especially the network attached scanners.
And the IRS requirements are not particularly onerous. The IRS has allowed taxpayers to use electronic receipts as documentary evidence since 1997.
No, you are mistaken. I've always had this sig.
(Score: 2, Redundant) by aristarchus on Sunday October 30 2016, @10:17PM
Truly, this frojack knows a few things.
(Score: 1, Informative) by Anonymous Coward on Monday October 31 2016, @02:11AM
ISTM that Francis is working on decade-old datapoints.
Had he sought out local Linux people, I'll bet his "Nuh-uh"s would have already been turned to "Oh, wow"s.
In his area, perhaps there is a Linux Users Group. [google.com]
If not that, maybe an individual.
I've suggested before getting up with a Linux guy for hands-on help. [soylentnews.org]
the driver availability is a valid point. Old, limited popularity, and out of production scanners will never get driver support
If device drivers truly don't exist for his hardware, there are HUNDREDS of guys waiting in line to make more stuff Linux-compatible.
Why Linux Has The Best Hardware Support Of Any OS (The Linux Driver Project) [googleusercontent.com] (orig) [lwn.net]
(The significant text is found at "300".)
If the Linux Driver Project guys can get their hands on it, a piece of the gear should have Linux support in no time.
If the particular item isn't especially popular but the user can find a cluster of other folks who are interested in using it under Linux, that should help convince the LDP guys to support it.
Putting a bounty on the driver might be further stimulus.
...and, before anyone mentions games, we're still talking about being forced to use company-provided stuff in a work environment. Right?
-- OriginalOwner_ [soylentnews.org]
(Score: 0, Troll) by Francis on Monday October 31 2016, @04:06AM
I've tried opensource OCR and I've yet to find one that works well. Certainly not well enough for me to ditch my current system for.
IIRC, the best software I came across was Tesseract, but that didn't work very well for the things I was scanning. It's probably better now than then, but I don't see much point in dumping software and hardware I already have just to use open source. I've ditched most of the software I used to use for equivalents and that's worked fine, but as long as I can run the few remaining pieces of software in a VM, I don't see much purpose to ditching it for the sake of ditching it.
And even if I do ditch it, then I have to go back to retaining all my receipts and similar in order to do my taxes, which greatly reduces the point of using my neat receipts in the first place.
(Score: 0) by Anonymous Coward on Tuesday November 01 2016, @03:12AM
only traitors, cowards and idiots pay the federal income tax.
(Score: 2) by butthurt on Thursday November 03 2016, @02:45PM
>[...] using my neat receipts [...]
My Neat Receipts SCSA4601EU is the Plustek Opticslim M12 [...]
-- https://social.technet.microsoft.com/Forums/windows/en-US/d8a8ae0f-a709-4cbd-a40e-8fe8c1c519c8/neat-receipts?forum=w7itprohardware [microsoft.com]
Plustek OpticSlim M12 sheetfed scanner. Supported by the SANE gt68xx backend.
-- http://gkall.hobby.nl/gt6816-07b3-0412.html [hobby.nl]
You probably still need to copy the firmware manually.
-- https://bugs.launchpad.net/ubuntu/+source/sane-backends/+bug/312296 [launchpad.net]
This is from 2007 so it may be outdated:
Sheet-fed scanner. Use the firmware file that comes with your scanner. Other firmware files (including the one linked from this page) may not work. Calibration is not available, area selection is limited - positioning does currently not work.
-- http://www.meier-geinitz.de/sane/gt68xx-backend/ [meier-geinitz.de]
(Score: 2) by butthurt on Thursday November 03 2016, @02:50PM
I forgot to say, SANE is available on FreeBSD. So if you feel like trying it, you needn't make any drastic changes.
(Score: 3, Funny) by tangomargarine on Monday October 31 2016, @02:41PM
He's not retarded, it's just that 75% of his posts are trollish non-answers as demonstrated, role-playing an ancient Greek philosopher.
I don't really get it either.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2, Funny) by aristarchus on Monday October 31 2016, @04:29PM
That's OK, tango, you are not meant to get it. Some things may be beyond your comprehension. You should get used to it.
(Score: 4, Informative) by SomeGuy on Sunday October 30 2016, @05:36PM
That normally gets rolled back to a pre-compromised state when you are done using it.
(Score: 0) by Anonymous Coward on Sunday October 30 2016, @05:38PM
Show me someone who actually does this. Show me an actual real person who does this.
No-one I know does this because "I just bookmarked a page in stupid Edge and I don't want to lose it"
(Score: 0) by Anonymous Coward on Sunday October 30 2016, @06:52PM
I do it. My parents do it, too. Thanks to Patch Tuesday, it doesn't really matter what day you run you machine as most software gets patched on the same day. In fact, it is really easy to do nowadays due to bookmark and favorite sync services.
(Score: 2) by tangomargarine on Monday October 31 2016, @02:39PM
With Firefox it would be trivial to export your bookmarks to an HTML file, store it on a VM network drive, and read it back in after reverting in that situation.
"Because nobody takes security sufficiently seriously neither should you" is a rather odd argument to use.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 3, Insightful) by len_harms on Sunday October 30 2016, @06:51PM
VM becomes useful because of the idea of rollback and snapshots. Basically cleanup and restore is a snap.
However, if you are dependent on the data residing inside that VM like you point out VM does not do much for you.
Just depends on your use case.
(Score: 0) by Anonymous Coward on Sunday October 30 2016, @08:31PM
One thing you can do to mitigate that is to use a network operating system or the built-in software that lets you mount a local folder in the virtual machine.
(Score: 2) by archfeld on Sunday October 30 2016, @07:08PM
So as I read, 'the malicious program writes malicious code'... Where does the end user get the malicious program from ? Is it compromised when coming from the publisher, or does someone have to download something stupid from a compromised site ?
This seems another case of over hype, any computer is vulnerable if I can get access to the physical machine or console.
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
(Score: 3, Informative) by frojack on Sunday October 30 2016, @08:33PM
So as I read, 'the malicious program writes malicious code'... Where does the end user get the malicious program from ? Is it compromised when coming from the publisher, or does someone have to download something stupid from a compromised site ?
True, even having a fist full of malicious code that you can't instantiate any other way, you still can't stuff it in an atom without some pre-existing atom stuffing code already on the target machine. And if you can sneak THAT onto the target, you could sneak an exploit far easier than using this routine. To that extent this story is hype.
The risk here is that someone will write and atom stuffer and plant it in some useful program (or java jar) and then sit back and exploit it weeks or months later.
Atoms are usually used by software to record that some other condition exists, so it can be tested later, by other processes.
One of the most common is for one instance of a program to set a flag to let another instance know that it has already been started, thereby preventing duplicate processes, or limiting concurrent connections, etc.
The problem is that Microsoft lets you store quite a bit of stuff in an atom and has no rules about cleanup, or usage. They were meant to be simple flags or a word or a few bytes of data.
Atom Basics [microsoft.com]
These (exist in one form or another) in EVERY Operating system, because they are a very useful tool. When you run into the need for one of these you quickly find out that nothing else will quite do the job you need done.
No, you are mistaken. I've always had this sig.
(Score: 1, Informative) by Anonymous Coward on Sunday October 30 2016, @11:54PM
You can't plant the atom in a different program or anything of the sort, as atoms are run-time structures (essentially, an interned string). It basically makes string comparisons (possibly across multiple processes) fast by converting it to a number.
In the described case, you can use it to pass data across processes by passing the number around instead of the actual data. But that means you already have code on the retrieving side, so it's only useful for covert data transfer (but you still need to be able to transfer an integer instead of the whole original string).
The "already started" case I've seen would instead hold a mutex [microsoft.com] instead, with an explicit name [microsoft.com]. Also a global runtime-only object, but one that goes away when your process exits (which means starting a new instance after your last instance quits will do the correct thing).
(Score: 0) by Anonymous Coward on Sunday October 30 2016, @08:38PM
It is total overhype. The "exploit" is basically "if I run an application it can make API calls". I bet this "exploit" was submitted to M$ who shot it down and the "researchers" got butthurt so they decided to spam about it everywhere.
(Score: 1, Funny) by Anonymous Coward on Sunday October 30 2016, @10:42PM
I should submit a research paper to window companies that if I throw a brick at a glass window it might break the window.
(Score: 4, Informative) by len_harms on Sunday October 30 2016, @07:41PM
https://msdn.microsoft.com/en-us/library/windows/desktop/ms649053(v=vs.85).aspx [microsoft.com]
https://msdn.microsoft.com/en-us/library/windows/desktop/ff468795(v=vs.85).aspx [microsoft.com]
Been awhile since I had messed with them so I had to go refresh myself on what they were. It is a leftover from DDE and windows 3.x. Not sure how much people use it anymore . There are much better interprocess calls to use.
Basically ATOMs are a storage of either strings (binary data) or integers for IPC. He is using the ATOM table to basically hold the exploit code. Much like using a file system. He is just using a little known about feature of windows to store data.
The supposition that MS and virus scanners can not scan the ATOM tables is silly. They control the API and the kernel has total control of the system. MS could easily add a 'get atom table' function with a call back into the viruscanner when someone calls add or just add a hook like all the other functions virus scanners keep an eye on. https://msdn.microsoft.com/en-us/library/windows/desktop/ms644990(v=vs.85).aspx [microsoft.com]
It is an interesting place to store data, that is for sure. I can think of 2 or 3 other places like that in windows you could squirrel away data. Even apple had a similar exploit recently they just fixed where data could be manipulated by a global structure.
(Score: 0) by Anonymous Coward on Sunday October 30 2016, @07:54PM
HIPS kernel drivers can just hook the API globally, Microsoft doesn't even need to offer this functionality because it's already present.
(Score: 0) by Anonymous Coward on Monday October 31 2016, @12:10AM
True. However I think MS tends to discourage that way as it is easy to create BSOD with it. As you are running at the kernel level and if you bug out you can take out the whole thing. It would be better to get MS to add to their existing API to hook it. https://msdn.microsoft.com/en-us/library/windows/hardware/dn613955(v=vs.85).aspx [microsoft.com]
(Score: 0) by Anonymous Coward on Monday October 31 2016, @02:08AM
Most Windows core server APIs have a LPSECURITY_ATTRIBUTES, which takes an optional security descriptor as an argument. The presence of this argument means that the kernel will check authorization when the call is made; if that fails, the error E_ACCESSDENIED is returned.
These researchers noticed that GlobalAddAtom is not checked for authorization, which makes sense because the global atom table is a "community" resource available to all apps on the system. They also noticed that QueueUserAPC (the other key part of their exploit) has this funky writeup in Microsoft's doc:
Describing something as being "not recommended", of course, is like putting a flimsy lock on a bike. It's an invitation for a break-in.
So could be that Microsoft's drive through the '90s to "making it easier" for developers to insert crazy hooks into the system, is once again coming back to bite them.