Vulnerability Management

Researcher: Flaw in Windows kernel hinders identification of potentially dangerous files


A researcher is warning that a programming error in the Microsoft Windows kernel might inhibit security software vendors and kernel developers from properly identifying modules loaded during runtime, including potentially malicious files. However, Microsoft does not view the issue as a security threat.

According to Omri Misgav, security researcher at enSilo, the bug affects all Windows operating systems from Windows 2000 to Windows 10. Specifically, the flaw pertains to a security mechanism called PsSetLoadImageNotifyRoutine, which provides notifications when PE image files are loaded in runtime to virtual memory space.

When such a notification is triggered, the Windows kernel is supposed to provide the parameter FullImageName to help identify the PE image. However, writes Misgav in an Aug. 5 blog post, "we noticed that while we do get the full path of the process executable file and constant values for system DLLs... for the rest of the dynamically loaded user-mode PEs the paths provided are missing the volume name."

Additionally, "What's more alarming is that not only does that path come without the volume name, sometimes the path is completely malformed, and could point to a different or non-existing file."

A Bleeping Computer article addressing the bug notes that certain security software programs use PsSetLoadImageNotifyRoutine to detect malicious activity, yet the bug potentially allows attackers to fool this mechanism, causing it to overlook malware files.

Asked for comment, a Microsoft spokesperson offered the following statement: “Our engineers reviewed the information and determined this does not pose a security threat and we do not plan to address it with a security update.”

Misgav has concluded that the invalid naming issue is the result of "caching behavior, along with the way the file-system driver maintains the file name, and a severe coding error." A more detailed technical analysis of the programming error is available in the blog post.
Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.