AtomBombing: Zero-Day Windows Exploit

Just in case you didn’t have enough security issues to worry about already …

Ensilo security researchers have discovered a new zero-day exploit in Windows that attackers can make use of to inject and execute malicious code. The researches call the exploit AtomBombing because of its use of a Windows function called Atom Tables. What’s particularly interesting about the exploit is that it does not rely on security vulnerabilities in Windows components but native Windows functions.

This means, according to the researchers, that Microsoft won’t be able to patch the issue.

Unfortunately, this issue cannot be patched since it doesn’t rely on broken or flawed code – rather on how these operating system mechanisms are designed.

It is particularly worrying that the issue affects all versions of Windows, and that security programs that run on the system — firewall or antivirus for instance — won’t stop the execution of the exploit.

The technique works in the following way on an abstract level:

  1. Malicious code needs to be executed on a Windows machine. A user might run malicious code for instance.
  2. This code is blocked usually by antivirus software or other security software or policies.
  3. In the case of AtomBombing, the malicious program writes the malicious code in an atom table (which is a legitimate function of Windows and won’t be stopped therefore).
  4. It then uses legitimate processes via APC (Async Procedure Calls) , a web browser for instance, to retrieve the code from the table undetected by security software to execute it.

What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table. We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.

The researchers have released a — very technical — explanation of how AtomBombing works. If you are interested in the details, I suggest you check it out as it may answer all the questions that you may have.

ZDnet had a chance to talk to Tal Liberman, security research team leader at Ensilo, who mentioned that executing malicious code on a Windows machine was but one of the many ways attackers could use AtomBombing.

Attackers could use the technique to take screenshots, extract sensitive information and even encrypted passwords.

Accord to the research, Google Chrome encrypts stored passwords using the Windows Data Protection API. Any attack that is injected into a process that runs in the context of the active user could gain access to the data in plain text.

Ensilio believes that Microsoft cannot patch the AtomBombing exploit. Microsoft has yet to respond to the revelation.

Link to Original Content

Tags: , , ,

Comments are closed.