An issue in the business versions of Microsoft Windows has been discovered which allows a hacker to dodge around AppLocker white-listing protection and successfully run a malicious app on a target machine.
The flaw in the enterprise versions of Windows 7 through to Windows 10 was discovered by security researcher Casey Smith, and is truly worrying because it doesn’t require admin access to leverage, and neither does it leave any signs in the Registry.
The exploit involves using Regsvr32 and pointing it to a remotely hosted file at a location the hacker controls, thus allowing the running of any app including malicious applications with no worries about AppLocker protecting the intended victim.
Smith noted: “In order to further prove this out, I wrote a PowerShell server to handle execution and return output.” He has put his proof of concept up on Github.
No patch yet
Obviously this is a very worrying prospect for businesses out there, particularly with the exploit becoming more widely known now it’s being reported on. There’s no patch for the problem as yet, but you would hope Redmond is prioritising this one.
As Engadget notes though, to be safe, you can always get your firewall to block Regsvr32, although obviously that’s not an ideal solution.
Of late, Microsoft has been making a big deal of how secure Windows 10 is, but of course this flaw still affects the latest enterprise version of the OS. Earlier this month, Redmond even announced its intention to soon make it compulsory for the manufacturers of Windows 10 PCs, tablets and smartphones to include TPM 2.0 (Trusted Platform Module) in their devices for much improved security.