AtomBombing zero-day exploit: Ensilo's security researchers have discovered a new zero-day exploit in Windows that attackers can use to inject and run malicious code.
The researchers named the exploit AtomBombing after the Windows feature it abuses, atom tables.
What is particularly interesting about this zero-day exploit is that it does not rely on any vulnerability in Windows security code; it abuses native Windows functions that behave as designed.
This means, according to the researchers, that Microsoft will not be able to fix the problem.
"Unfortunately, this issue cannot be fixed, as it is not based on any corrupt or defective code, but on how the system mechanisms are designed to work."
Of particular concern is the fact that the issue affects all versions of Windows, and that security programs running on the system, a firewall or antivirus for example, will not be able to stop the exploit.
How the technique works:
Any malicious code, of course, must first be executed to compromise a system.
Such code is usually blocked by antivirus software or by operating-system security policies.
In the case of AtomBombing, the malicious program writes the malicious code into an atom table (a legitimate Windows feature, so the write itself cannot be stopped by any security policy or antivirus).
It then uses Asynchronous Procedure Calls (APC) to make a legitimate process, a web browser for example, retrieve the malicious code from the table without being detected by any security software.
"What we've found is that a malicious user can write malicious code on an Atom table and force a legitimate program to get the malicious code out of that table. We also found that the legitimate program, which contains the malicious code, can be managed to execute the code."
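Because the first stage described above leaves the injected code sitting in the global atom table as ordinary string atoms, a defender can walk that table and look for entries that do not resemble the short, readable names legitimate software registers (window classes, clipboard formats, DDE strings). The following is an added example, not code from Ensilo's research or from any security product: it enumerates the current session's global atom table with the documented kernel32 function `GlobalGetAtomNameW` (string atoms occupy the range 0xC000 to 0xFFFF and are at most 255 characters) and applies a printable-character heuristic. The threshold values and the `SAMPLE_ENTRIES` data are constructed assumptions for demonstration; the scanner itself only runs on Windows, while the heuristic can be tested anywhere.

```python
import ctypes
import sys

# Windows string atoms live in the range 0xC000..0xFFFF (lower values are integer
# atoms) and are limited to 255 characters, so the global table can be walked directly.
ATOM_MIN = 0xC000
ATOM_MAX = 0xFFFF
MAX_ATOM_LEN = 255


def suspicious_atom(name: str, min_len: int = 16, max_binary_ratio: float = 0.4) -> bool:
    """Heuristic: an atom is suspicious when it is long and mostly non-printable.

    Legitimate atoms are short, readable text.  Binary data pushed through the
    atom API arrives as UTF-16 code units, most of which are control characters,
    surrogates or unassigned code points.  Both thresholds are assumptions and
    should be tuned against a clean baseline of the systems being monitored.
    """
    if len(name) < min_len:
        return False
    binary = sum(1 for ch in name if not ch.isprintable())
    return binary / len(name) > max_binary_ratio


def flag_atoms(entries):
    """Return the (atom, name) pairs that trip the heuristic.

    `entries` is any iterable of (atom_index, atom_string) pairs, so the same
    function works on a live scan or on saved/constructed data.
    """
    return [(atom, name) for atom, name in entries if suspicious_atom(name)]


def scan_global_atom_table():
    """Walk the global atom table of the current session (Windows only).

    GlobalGetAtomNameW returns the number of characters copied, or 0 when no
    atom exists at that index, so every index in the string-atom range is probed.
    """
    k32 = ctypes.windll.kernel32
    k32.GlobalGetAtomNameW.argtypes = [ctypes.c_uint16, ctypes.c_wchar_p, ctypes.c_int]
    k32.GlobalGetAtomNameW.restype = ctypes.c_uint
    buf = ctypes.create_unicode_buffer(MAX_ATOM_LEN + 1)
    entries = []
    for atom in range(ATOM_MIN, ATOM_MAX + 1):
        n = k32.GlobalGetAtomNameW(atom, buf, MAX_ATOM_LEN + 1)
        if n:
            entries.append((atom, buf[:n]))
    return entries


# Constructed sample entries standing in for a scan result, so the heuristic can be
# exercised on any platform: two ordinary atoms and one made of 40 control characters.
SAMPLE_ENTRIES = [
    (0xC001, "Button"),
    (0xC002, "MyApplicationMainWindowClass"),
    (0xC003, "\u0001\u0002\u0003\u0004" * 10),
]

if __name__ == "__main__":
    entries = scan_global_atom_table() if sys.platform == "win32" else SAMPLE_ENTRIES
    for atom, name in flag_atoms(entries):
        print(f"suspicious atom 0x{atom:04X}: {len(name)} chars, {name!r:.60}")
```

Note that the global atom table is per session, so a scheduled scan must run in each interactive session to be useful, and a hit is only an indicator: correlate it with the process that registered the atom (for example via API monitoring of AddAtom/GlobalAddAtom calls) before acting on it.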
The researchers have released a PoC that explains how AtomBombing works; if you are interested in the details, it should answer most of your questions.
Ensilo's security team reports that running malicious code on a Windows computer is only one of the many ways attackers can use AtomBombing.
Attackers could use the technique to take screenshots and extract sensitive information, even encrypted passwords.
According to the research, Google Chrome encrypts stored passwords using the Windows Data Protection API, so any attack on a process running in the context of the active user could gain access to that sensitive data in plain text.
Ensilo believes Microsoft cannot fix the AtomBombing exploit. Microsoft, for its part, has not issued a statement.