Microsoft vulnerability lets hackers bypass app whitelisting protections

A security researcher has found a way to bypass Microsoft's Applocker whitelisting feature.
A security researcher has found a way to bypass Microsoft's Applocker whitelisting feature.

A researcher has discovered a way for attackers to sneak remotely hosted, unauthorized applications—more specifically, COM (Component Object Model) objects—past Microsoft Windows' whitelisting security feature Applocker, by abusing the command-line utility Regsvr32.

Normally, Regsvr32 allows users to register Dynamic Link Library (DLL) files and ActiveX controls, but on his blog, Colorado-based researcher Casey Smith recently explained that hackers can place a malicious script block inside the registration tag, and then have Regsvr32 successfully execute the code. The trick works on the business editions of Windows 7 on up.

No administrator access is required to perform this workaround, and the process does not alter the system registry, making this vulnerability-based hack a difficult one to detect.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS