Ensilo security researchers have discovered a new zero-day exploit in Windows that attackers can make use of to inject and execute malicious code.
The researchers call the exploit AtomBombing because it makes use of a Windows mechanism called atom tables.
What's particularly interesting about the exploit is that it does not rely on security vulnerabilities in Windows components, but on legitimate native Windows functionality.
This means, according to the researchers, that Microsoft won't be able to patch the issue.
Unfortunately, this issue cannot be patched since it doesn’t rely on broken or flawed code – rather on how these operating system mechanisms are designed.
It is particularly worrying that the issue affects all versions of Windows, and that security programs that run on the system -- firewall or antivirus for instance -- won't stop the execution of the exploit.
The technique works in the following way on an abstract level:
What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table. We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.
The researchers have released a -- very technical -- explanation of how AtomBombing works. If you are interested in the details, I suggest you check it out as it may answer all the questions that you may have.
ZDNet had a chance to talk to Tal Liberman, security research team leader at Ensilo, who mentioned that executing malicious code on a Windows machine was but one of the many ways attackers could use AtomBombing.
Attackers could use the technique to take screenshots, extract sensitive information, and even obtain passwords that are stored in encrypted form.
According to the research, Google Chrome encrypts stored passwords using the Windows Data Protection API. Any attacker code that is injected into a process running in the context of the active user could gain access to that data in plain text.
Ensilo believes that Microsoft cannot patch the AtomBombing exploit. Microsoft has yet to respond to the revelation.
Now You: What's your take on AtomBombing?