A design flaw within the Windows kernel is the root cause for antivirus stopping from recognizing malware, and the bad news is that Microsoft won’t fix it because the tech giant doesn’t consider it as a security issue.
The vulnerability was discovered a few days ago by the security researcher Omri Misgav from enSilo , it affects the system call PsSetLoadImageNotifyRoutine that is still active in the latest builds of Microsoft OSs.
“During research into the Windows kernel, we came across an interesting issue with PsSetLoadImageNotifyRoutine which as its name implies, notifies of module loading.” Misgav wrote in a blog post.
PsSetLoadImageNotifyRoutine is used also by antivirus to check the presence of malware in memory, but the issue could be tricked to deceive the defense solutions.
“The thing is, after registering a notification routine for loaded PE images with the kernel, the callback may receive invalid image names. After digging into the matter, what started as a seemingly random issue proved to originate from a coding error in the Windows kernel itself.” continues the analysis.
The mechanism notifies registered drivers when a PE image file has been loaded into virtual memory (kernel\user space).
The notification routine could be invoked in the following cases:
The flaw could be exploited by malware to provide antivirus benign executables to inspect rather than their malicious code.executables to inspect rather than their malicious code.executables to inspect rather than their malicious code.
enSilo reported the issue to Microsoft and this is their reply:
“Our engineers reviewed the information and determined this does not pose a security threat and we do not plan to address it with a security update.”
(Security Affairs – Microsoft, hacking)
adrotate banner=”12″]adrotate banner=”12″]
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.