Microsoft has a bug in its PsSetLoadImageNotifyRoutine
There is a bug in the Windows kernel that makes any additional security tools useless, because it can be used to block the detection of malware threats.
Bloody hell. Just when you thought malware and insecurity were bad enough, along comes something like this. According to a write-up on the security blog Breaking Malware, the bug is a coding error in the kernel that affects PsSetLoadImageNotifyRoutine, the mechanism that is supposed to keep an eye on which modules are loading.
“During research into the Windows kernel, we came across an interesting issue with PsSetLoadImageNotifyRoutine which as its name implies, notifies of module loading,” explains the security firm enSilo on its blog.
“The thing is, after registering a notification routine for loaded PE images with the kernel, the callback may receive invalid image names.
“After digging into the matter, what started as a seemingly random issue proved to originate from a coding error in the Windows kernel itself. This flaw exists in the most recent Windows 10 release and past versions of the OS, dating back to Windows 2000.”
It is a shame for Microsoft really, as it defeats the purpose of PsSetLoadImageNotifyRoutine, which security software relies on to spot malware as it loads into Windows. It is also rather ironic. Bleeping Computer has spoken to one of the security researchers, Omri Misgav, who said that Microsoft did not see the issue as a security problem.
“We did not test any specific security software,” Misgav told Bleeping Computer. “We are aware that some vendors do use this mechanism, however at this point in time we cannot say if and how the use of the faulty [PsSetLoadImageNotifyRoutine] information affects them.”
“We [also] contacted MSRC [Microsoft Security Response Center] about this issue at the beginning of this year. They did not deem it as a security issue.”