Windows Kernel Vulnerability Prevents Malware Identification

Security researchers have a difficult time keeping up with the growing number of malware types in circulation, with no slowdown in sight. One particular bug found by enSilo security researcher Omri Misgav in the Windows kernel only makes their job even harder.

Windows Prevents Malware Identification in a way

It is always interesting to see how operating systems respond to security vulnerabilities. In most cases, the Windows operating does not seem to handle these issues all that well. The vast majority of exploits are written for Windows and that situation will not be changing anytime soon. However, it seems the popular operating system is vulnerable to a disturbingly different problem.

Security researcher Omri Misgav came across an interesting and disturbing fact about the Windows kernel. There is a programming error in the kernel which can effectively prevent security software from successfully identifying malware attacks. This pertains to both the if and when of loading malicious software modules. If your computer cannot recognize the threat, it will think everything is working just as advertised. However, that is not necessarily the case whatsoever.

If an assailant were to exploit this bug in the Windows kernel, he or she could disguise malware as a legitimate system operation. This would explain why some recent malware threats have proven so difficult to address, as the Windows operating system will not even report them as problems in the first place. The bug affects the PsSetLoadImageNotifyRoutine, which is a mechanism used by some security software vendors to identify when a potentially malicious code has been introduced in the system. If that protocol is not operating at full capacity, there is no way to identify malware attacks.

Amazingly, this bug was reported to Microsoft some time ago. Unfortunately, it is still present to this very day, as even the most recent Windows 10 releases remain vulnerable to the exploit of this kernel flaw. Microsoft still has a lot of work to do to fix this. PsSetLoadImageNotifyRoutine was introduced as a way to inform app developers of newly registered devices. Unfortunately, it has now become a tool for criminals to exploit.

Given the fact that quite a few security software solutions rely on this particular part of the kernel, a big problem ensues. It is doubtful software vendors will adjust their methods of detecting malware anytime soon, though. It is up to Microsoft to address this issue in all of its Windows versions available to date. When that will happen remains to be seen. According to Misgav, Microsoft does not see this kernel flaw as a security issue, which is rather surprising. The company will continue monitoring this situation, however.

For the time being, it is unclear if any criminals are using this kernel flaw to mask their malware activity. So far, that is hard to gauge given the recent influx of malware threats in general. It takes a bit of work to take full advantage of this flaw, although it may become slightly more prevalent in the coming months. We can only hope Microsoft decides to address this issue sooner rather than later.