Several versions of Microsoft Windows had an extra feature – called AppLocker – for business-minded users to blacklist or whitelist particular applications. This should reduce the risk of being infected with malware or virii, but the feature can rather easily be bypassed by the look of things.
Bypassing Windows AppLocker With Relative Ease
Windows is often targeted by Internet criminals all over the world, as it is the most popular operating systems across computers and some tablets. Given the recent increase in crypto-ransomware threats, it only seems normal most of these malware infections occur when Windows machines are involved, and it looks like the threat is far from over.
The AppLocker security features found in business-focused versions of Microsoft Windows can easily be disabled by making a small change to the computer register. Although most enterprises use this feature to restrict application usage and access in an attempt to prevent malware infections, it looks like they will have to find alternative solutions.
A recent study by security researcher Casey Smith shows how AppLocker is vulnerable to an exploit that will actually disable this checking procedure. Granted, the computer itself would need to have modifications made by Regsvr32, so it points to a remotely hosted file, but doing so would let systems run just about any application in the world.
Unfortunately, there is no patch to address this vulnerability just yet, although Windows users can rest assured Microsoft is well aware of this situation. One temporary solution enterprises could make use of is by letting Windows Firewall block Regsvr32, preventing it from accessing any online file. For companies dealing with dozens of computer son their network, this is far from a perfect solution, though.
Until this AppLocker flaw can be fixed, hackers and Internet criminals will be able to exploit this vulnerability and target enterprises with all kinds of malware. It is not unlikely we will see more crypto-ransomware infections in the coming weeks. Given the stealthy nature of this alteration to Regsvr32, there is hardly a way to detect these changes either, as no administrator access is required to do so.
Are you using AppLocker, and if so, are you concerned about this vulnerability? Let us know in the comments below!
Images courtesy of Microsoft Windows, ShutterstockShow comments