Flaw in Windows kernel hinders identification of potentially dangerous files

News by Bradley Barth

A programming error in the Microsoft Windows kernel might inhibit security software vendors and kernel developers from properly identifying modules loaded during runtime.

A researcher is warning that a programming error in the Microsoft Windows kernel might inhibit security software vendors and kernel developers from properly identifying modules loaded during runtime, including potentially malicious files. However, Microsoft does not view the issue as a security threat.

According to Omri Misgav, security researcher at enSilo, the bug affects all Windows operating systems from Windows 2000 to Windows 10. Specifically, the flaw pertains to a security mechanism called PsSetLoadImageNotifyRoutine, which provides notifications when PE image files are loaded in runtime to virtual memory space.

When such a notification is triggered, the Windows kernel is supposed to provide the parameter FullImageName to help identify the PE image. However, writes Misgav in a 5 August blog post, "we noticed that while we do get the full path of the process executable file and constant values for system DLLs... for the rest of the dynamically loaded user-mode PEs the paths provided are missing the volume name."

Additionally, "What's more alarming is that not only does that path come without the volume name, sometimes the path is completely malformed, and could point to a different or non-existing file."

A Bleeping Computer article addressing the bug notes that certain security software programs use PsSetLoadImageNotifyRoutine to detect malicious activity, yet the bug potentially allows attackers to fool this mechanism, causing it to overlook malware files.
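To illustrate why a detection product should not key policy decisions on FullImageName alone, here is an added example (not code from enSilo, Microsoft or the article) that audits notification records offline. It assumes the callback can obtain the image's name independently from the backing file object, and the drive-to-volume mapping and all sample records are constructed for the demonstration.

```python
import re
from typing import Optional

# Constructed volume mapping for this example; a real component would query
# the system rather than hard-code it.
SYSTEM_VOLUME = "\\Device\\HarddiskVolume2"
DRIVE_TO_VOLUME = {"c:": SYSTEM_VOLUME, "d:": "\\Device\\HarddiskVolume3"}

NT_VOLUME = re.compile(r"^\\Device\\HarddiskVolume\d+\\", re.IGNORECASE)
DOS_DRIVE = re.compile(r"^(?:\\\?\?\\)?([A-Za-z]:)\\(.*)$")


def normalize_nt_path(name: str) -> Optional[str]:
    """Return a canonical lower-case NT device path, or None when the name
    cannot be resolved safely (e.g. the volume is missing, as the bug produces).
    A volume-less path is never guessed at: it could denote a different file."""
    if NT_VOLUME.match(name):
        return name.lower()
    if name.lower().startswith("\\systemroot\\"):  # constant form used for system DLLs
        return (SYSTEM_VOLUME + "\\Windows\\" + name[len("\\SystemRoot\\"):]).lower()
    m = DOS_DRIVE.match(name)
    if m:
        vol = DRIVE_TO_VOLUME.get(m.group(1).lower())
        return (vol + "\\" + m.group(2)).lower() if vol else None
    return None


def audit_image_name(full_image_name: str, file_object_name: str) -> dict:
    """Compare the FullImageName handed to a load-image callback with the name
    resolved from the backing file object (assumed available). Policy uses the
    file-object name; FullImageName is only checked for consistency and logged."""
    authoritative = normalize_nt_path(file_object_name)
    reported = normalize_nt_path(full_image_name)
    if reported is None:
        verdict = "missing_volume"
    elif reported != authoritative:
        verdict = "mismatch"
    else:
        verdict = "consistent"
    return {"verdict": verdict, "path_for_policy": authoritative}


# Constructed records: (FullImageName as reported, name from the file object).
SAMPLES = [
    ("\\Device\\HarddiskVolume2\\Users\\alice\\app.exe", "\\Device\\HarddiskVolume2\\Users\\alice\\app.exe"),
    ("\\SystemRoot\\System32\\ntdll.dll", "\\Device\\HarddiskVolume2\\Windows\\System32\\ntdll.dll"),
    ("\\Program Files\\Vendor\\plugin.dll", "\\Device\\HarddiskVolume3\\Program Files\\Vendor\\plugin.dll"),
    ("\\Device\\HarddiskVolume2\\Windows\\System32\\helper.dll", "\\Device\\HarddiskVolume2\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"),
]


def run_samples() -> list:
    return [audit_image_name(reported, actual)["verdict"] for reported, actual in SAMPLES]
```

The third record shows the volume-less path the blog post describes, and the fourth a path that names a different file than the one actually mapped; both are caught only because the comparison is made against the file-object name.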

Asked for comment, a Microsoft spokesperson offered the following statement: “Our engineers reviewed the information and determined this does not pose a security threat and we do not plan to address it with a security update.”

Misgav has concluded that the invalid naming issue is the result of "caching behaviour, along with the way the file-system driver maintains the file name, and a severe coding error." A more detailed technical analysis of the programming error is available in the blog post.
