There's a new zero-day Microsoft Windows exploit in the wild by the name of AtomBomb, and Microsoft may not be able to fix it.
Ensilo security researchers have discovered a new zero-day exploit in Windows that attackers can make use of to inject and execute malicious code. The researches call the exploit AtomBombing because of its use of a Windows function called Atom Tables.
What's particularly interesting about the exploit is that it does not rely on security vulnerabilities in Windows components but native Windows functions. This means, according to the researchers, that Microsoft won't be able to patch the issue.
It is particularly worrying that the issue affects all versions of Windows, and that security programs that run on the system -- firewall or antivirus for instance -- won't stop the execution of the exploit.
The technique works in the following way on an abstract level:
- Malicious code needs to be executed on a Windows machine. A user might run malicious code for instance.
- This code is blocked usually by antivirus software or other security software or policies.
- In the case of AtomBombing, the malicious program writes the malicious code in an atom table (which is a legitimate function of Windows and won't be stopped therefore).
- It then uses legitimate processes via APC (Async Procedure Calls) , a web browser for instance, to retrieve the code from the table undetected by security software to execute it.
You can find an extremely detailed explanation of AtomBombing here. Time to run Windows only in VMs?
Source: https://www.helpnetsecurity.com/2016/10/28/code-injection-windows-atombombing/
(Score: 1, Informative) by Anonymous Coward on Sunday October 30 2016, @11:54PM
You can't plant the atom in a different program or anything of the sort, as atoms are run-time structures (essentially, an interned string). It basically makes string comparisons (possibly across multiple processes) fast by converting it to a number.
In the described case, you can use it to pass data across processes by passing the number around instead of the actual data. But that means you already have code on the retrieving side, so it's only useful for covert data transfer (but you still need to be able to transfer an integer instead of the whole original string).
The "already started" case I've seen would instead hold a mutex [microsoft.com] instead, with an explicit name [microsoft.com]. Also a global runtime-only object, but one that goes away when your process exits (which means starting a new instance after your last instance quits will do the correct thing).