Windows security flaw lets hackers run any app on PCs, no admin rights necessary
If you think your network of Windows computers is safe from malware because you’ve set up AppLocker to whitelist only trusted apps, we have some bad news.
A newly published bypass lets users get around this on business editions of Windows (Windows 7 and up) by abusing Regsvr32, a signed Microsoft binary that whitelists almost always allow. Regsvr32 can be pointed at a remotely hosted COM scriptlet (an .sct file) over HTTP, and the script it fetches can launch any app you want on the system.
That exposes PCs to the danger of running malicious software even where AppLocker is enforcing a whitelist. And because it needs no administrator rights and, unlike a normal Regsvr32 registration, writes nothing to the registry, it leaves little behind on the machine; process-creation logging with command-line auditing is still the reliable way to spot it.
The vulnerability was discovered last week by Colorado-based Casey Smith, who blogged about his findings and published proof-of-concept scripts to demonstrate it on GitHub.
Microsoft is yet to issue a patch to fix this. CSO (http://www.csoonline.com/article/3060242/security/researcher-uses-regsvr32-function-to-bypass-applocker.html) notes that for the time being you can use Windows Firewall to block Regsvr32.exe’s outbound network access; on 64-bit Windows that means both copies of the binary, the 64-bit one in System32 and the 32-bit one in SysWOW64.
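The interim Windows Firewall mitigation CSO describes, written out as an added example rather than code from this article, CSO or Casey Smith’s proof of concept. It assumes an elevated PowerShell prompt; the rule names are this example’s own choice, and the netsh fallback is there for Windows 7 and Server 2008 R2, which lack the NetSecurity cmdlets.

```powershell
# Added example: block outbound network access for every copy of regsvr32.exe
# with Windows Firewall. Run as Administrator. Rule names are arbitrary.

$targets = @(
    "$env:SystemRoot\System32\regsvr32.exe",  # 64-bit copy on x64 Windows
    "$env:SystemRoot\SysWOW64\regsvr32.exe"   # 32-bit copy on x64 Windows (absent on 32-bit builds)
)

# NetSecurity cmdlets exist on Windows 8 / Server 2012 and later; older
# builds covered by the article (Windows 7) have to use netsh instead.
$useCmdlets = [bool](Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue)

foreach ($exe in $targets) {
    if (-not (Test-Path $exe)) {
        Write-Host "Skipping $exe (not present on this build)"
        continue
    }

    # e.g. Block-Outbound-regsvr32-System32 / Block-Outbound-regsvr32-SysWOW64
    $name = "Block-Outbound-regsvr32-" + (Split-Path (Split-Path $exe -Parent) -Leaf)

    if ($useCmdlets) {
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Host "Rule already exists: $name"
            continue
        }
        New-NetFirewallRule -DisplayName $name `
            -Direction Outbound `
            -Program $exe `
            -Action Block `
            -Profile Any `
            -Enabled True | Out-Null
    }
    else {
        # netsh is idempotent enough here: a second add with the same name
        # simply creates a duplicate, so check first.
        $existing = netsh advfirewall firewall show rule name=$name 2>$null
        if ($LASTEXITCODE -eq 0 -and ($existing -match 'Rule Name')) {
            Write-Host "Rule already exists: $name"
            continue
        }
        netsh advfirewall firewall add rule name=$name dir=out action=block `
            program=$exe enable=yes profile=any | Out-Null
    }
    Write-Host "Created: $name -> $exe"
}

# Verify: list each rule with the program path it is bound to.
if ($useCmdlets) {
    Get-NetFirewallRule -DisplayName "Block-Outbound-regsvr32-*" | ForEach-Object {
        $appFilter = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Program = $appFilter.Program
            Action  = $_.Action
            Enabled = $_.Enabled
        }
    } | Format-Table -AutoSize
}
else {
    netsh advfirewall firewall show rule name=all | Select-String 'Block-Outbound-regsvr32'
}
```

Two caveats worth keeping in mind. The rule only stops Regsvr32 from fetching a scriptlet over the network; a .sct file that an attacker has already staged on disk or on a reachable file share is not affected, so this is a stopgap, not a fix for the whitelisting gap itself. And the rule matches on the executable path, so keep it in sync with any AppLocker path rules you already maintain for the same binaries.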
We’ve contacted Microsoft and will update this post when we hear back.
Source: Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM Scriptlets (.sct files), on subTee