Ensilo security researchers have discovered a new zero-day exploit in Windows that attackers can make use of to inject and execute malicious code.
The researches call the exploit AtomBombing because of its use of a Windows function called Atom Tables.
What's particularly interesting about the exploit is that it does not rely on security vulnerabilities in Windows components but native Windows functions.
This means, according to the researchers, that Microsoft won't be able to patch the issue.
Unfortunately, this issue cannot be patched since it doesn’t rely on broken or flawed code – rather on how these operating system mechanisms are designed.
It is particularly worrying that the issue affects all versions of Windows, and that security programs that run on the system -- firewall or antivirus for instance -- won't stop the execution of the exploit.
The technique works in the following way on an abstract level:
What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table. We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.
The researchers have released a -- very technical -- explanation of how AtomBombing works. If you are interested in the details, I suggest you check it out as it may answer all the questions that you may have.
ZDnet had a chance to talk to Tal Liberman, security research team leader at Ensilo, who mentioned that executing malicious code on a Windows machine was but one of the many ways attackers could use AtomBombing.
Attackers could use the technique to take screenshots, extract sensitive information and even encrypted passwords.
Accord to the research, Google Chrome encrypts stored passwords using the Windows Data Protection API. Any attack that is injected into a process that runs in the context of the active user could gain access to the data in plain text.
Ensilio believes that Microsoft cannot patch the AtomBombing exploit. Microsoft has yet to respond to the revelation.
Now You: What's your take on AtomBombing?Advertisement
If you like our content, and would like to help, please consider making a contribution: