Microsoft Says No to Fixing a 17-Year-Old Programming Error in Windows Kernel That Could Dupe AV Programs
A flaw in the Windows kernel could stop antivirus programs from recognizing malware, but Microsoft believes it is not a security risk. Security researchers believe that this bug could allow hackers to perform malicious actions by tricking AV software that blindly relies on a particular Windows API.
Microsoft says it has no plans to fix this Windows kernel bug
Omri Misgav, a security researcher at enSilo, reported this flaw within the system call PsSetLoadImageNotifyRoutine, which has been part of Windows since 2000 and is still active. "During research into the Windows kernel, we came across an interesting issue with PsSetLoadImageNotifyRoutine which, as its name implies, notifies of module loading," he wrote in a blog post.
AV programs apparently use this routine to check if malicious code has been loaded in memory. However, Misgav reported that criminals can actually use this API to smuggle malware. "The thing is, after registering a notification routine for loaded PE images with the kernel, the callback may receive invalid image names," he added. "After digging into the matter, what started as a seemingly random issue proved to originate from a coding error in the Windows kernel itself."
Malware can use this API to trick the operating system into handing scanners other, benign files instead of the malware's own code, essentially enabling it to evade antivirus software. The flaw continues to exist even "in the most recent Windows 10 release," according to the researchers. They added that it should not be taken as a "vulnerability" but rather as "a programming error in the Windows kernel" that could potentially prevent AV programs from identifying which modules have been loaded at runtime.
"Any security vendor that relies on the information supplied by this notification routine may be fooled into looking at the wrong module at load time," Misgav said. He also added that Microsoft's documentation doesn't make any mention of this.
When he tried to notify the Redmond software maker, Microsoft responded that it isn't concerned about the problem since it "did not deem it as a security issue". The company has also given a similar statement to the media with a Microsoft spokesperson saying "Our engineers reviewed the information and determined this does not pose a security threat and we do not plan to address it with a security update".
Misgav added in a second part of his report published today that this kernel flaw "seems like a coding error that has existed since Windows 2000 and affects all versions up to the most recent Windows 10 release". He has warned security vendors not to "rely on the faulty information supplied by this notification routine".