This article is more than 1 year old

Microsoft says it won't fix kernel flaw: It's not a security issue. Suuuure

So stopping antivirus software from spotting malware is now a feature?

A design flaw within the Windows kernel that could stop antivirus software from recognizing malware isn't going to be fixed, Microsoft has said.

The issue, spotted this week by enSilo security researcher Omri Misgav, lies within the system call PsSetLoadImageNotifyRoutine, which has been part of Microsoft's operating system since Windows 2000 and is still active in the latest builds.

Antivirus tools use PsSetLoadImageNotifyRoutine to check if malicious code has been loaded into memory, but Misgav found that a cunning attacker could use poor coding behind the API to smuggle malware past scanners.

"During research into the Windows kernel, we came across an interesting issue with PsSetLoadImageNotifyRoutine which, as its name implies, notifies of module loading," he said in a blog post.

"The thing is, after registering a notification routine for loaded PE images with the kernel, the callback may receive invalid image names. After digging into the matter, what started as a seemingly random issue proved to originate from a coding error in the Windows kernel itself."

Essentially, malware can use the above API to trick the OS into giving malware scanners other files – such as benign executables – to inspect rather than their own malicious code. This would allow software nasties to evade antivirus packages.

After enSilo notified Microsoft about the issue nothing happened. When Redmond's techies did get in contact, they said that they weren't concerned about the issue – a view also reflected in a statement to The Register:

"Our engineers reviewed the information and determined this does not pose a security threat and we do not plan to address it with a security update."

Crack on, malware writers. ®

More about


Send us news

Other stories you might like