posted by janrinok on Sunday October 30 2016, @04:58PM
from the don't-run-unknown-code! dept.

AtomBomb: The New Zero-Day Windows Exploit Microsoft Can't Fix?

There's a new zero-day Microsoft Windows exploit in the wild by the name of AtomBomb, and Microsoft may not be able to fix it.

Ensilo security researchers have discovered a new zero-day exploit in Windows that attackers can use to inject and execute malicious code. The researchers call the exploit AtomBombing because it makes use of a Windows feature called atom tables.

What's particularly interesting about the exploit is that it does not rely on security vulnerabilities in Windows components, but on legitimate native Windows functions. This means, according to the researchers, that Microsoft won't be able to patch the issue.

It is particularly worrying that the issue affects all versions of Windows, and that security programs that run on the system -- firewall or antivirus for instance -- won't stop the execution of the exploit.

The technique works in the following way on an abstract level:

  1. Malicious code needs to be executed on a Windows machine. A user might run malicious code for instance.
  2. This code is blocked usually by antivirus software or other security software or policies.
  3. In the case of AtomBombing, the malicious program writes the malicious code in an atom table (which is a legitimate function of Windows and won't be stopped therefore).
  4. It then uses APC (Asynchronous Procedure Calls) to make a legitimate process, a web browser for instance, retrieve the code from the atom table and execute it, undetected by security software.

You can find an extremely detailed explanation of AtomBombing here. Time to run Windows only in VMs?

New code injection attack works on all Windows versions - Help Net Security

Source: https://www.helpnetsecurity.com/2016/10/28/code-injection-windows-atombombing/

  • (Score: 2, Disagree) by takyon on Sunday October 30 2016, @05:07PM

    The rise of catastrophic and hyped exploits targeting hundreds of millions of smartphones, PCs, and servers is exactly what the industry needed. Planned obsolescence is now forced obsolescence. Can't patch it? Good! Throw that two year old Android phone and Windows 7 box in the trash and get new ones. The world is too addicted to computers to cast them aside. Windows 11 adoption trending upward.

  • (Score: 3, Insightful) by Ethanol-fueled on Sunday October 30 2016, @05:23PM

    ..from my cold, dead hands. Especially after corporations begin explicitly forcing obsolescence and making you "lease" your gadget under threat of disabling it.

    And then there's the issue of both software and hardware "bugs" mandated or placed by government plants -- for example, Lenovo's beaconing. [freebeacon.com]

    All of you old 386 hoarders will be vindicated.

    • (Score: 2, Informative) by Anonymous Coward on Sunday October 30 2016, @11:13PM

      As a result of exactly this. The only exceptions (of which I am well aware there are threats) are video cards, hard disks, and USB devices.

      Basically everything else is still based off hardware designs from the early PCIe era, or revisions thereof.

      The scary part to me is that NOBODY seems intent on servicing the niche of security-conscious/authoritarian-concerned citizens, of which there are certainly enough to fund at least hardware a generation or two old (performance-wise) that was made with open specs, unsigned (or user-signed) firmware, etc. TPM/TXT/Management engines aren't in and of themselves a bad idea. The bad idea comes from permanently inserting an irreplaceable signing key inside of them, and disallowing the end-user/owner of the hardware from disabling/replacing that key with their own to ensure the security of their system to THEIR level of confidence, not the vendor's.