The Windows kernel has an old bug that can allow malicious actions on your computer, and Microsoft refuses to consider it a threat despite warnings from various researchers.
How does this bug work?
Windows 2000 introduced a low-level interface known as PsSetLoadImageNotifyRoutine. It was supposed to inform drivers when a module is loaded into a process, which allowed the drivers that power security products to track modules.
However, it was discovered that the interface does not always provide correct results: the module name it reports can be wrong, allowing hackers to use the name of a loaded module. A security product relying on it wouldn’t scan the right file, and malicious actions could affect your computer.
This bug appears to be a programming error, and it should be fixed quickly since it can be used to easily trick third-party security products such as antimalware.
Security researchers discovered this bug
Many researchers noticed this problem, especially because it affects all versions of Windows. According to Omri Misgav, a security researcher at enSilo, “Any security vendor that relies on the information supplied by this notification routine may be fooled into looking at the wrong module at load time.” He also added that any attacker is able to reproduce this bug easily. “Once these operations are performed the notification routine will receive an incorrect path,” he said.
Omri Misgav wrote a blog post about this bug, where he also added that enSilo did not test a specific security product.
Microsoft does not consider it a threat
A Microsoft spokesperson declared that “Our engineers reviewed the information and determined this does not pose a security threat and we do not plan to address it with a security update.” It can be hard to understand why a tech giant like Microsoft would leave in place a 17-year-old bug that could harm users’ safety.