UPDATED 09:00 EDT / JULY 31 2018


Microsoft Component Object Model vulnerability allows for Windows hijacking

Security researchers at Cyberbit Ltd. have uncovered a new way that hackers can hijack Windows installations using a vulnerability in Microsoft Corp.’s Component Object Model.

The Microsoft COM is a platform-independent, distributed, object-oriented system for creating binary software components that can interact with each other. It is the foundation technology for Microsoft’s OLE, which allows embedding and linking to documents and other objects, and for ActiveX, a software framework for content downloaded from a network, particularly from the web.

The technique discovered by Cyberbit involves code injection using Phantom COM objects: registrations that Windows treats as legitimate because they use the object ID of a trusted application but whose referenced file is missing. By pointing such a registration at a malicious file, hackers bypass existing security controls and have the operating system load and execute that file.

A proof-of-concept detailed by Cyberbit shows that the method is fairly simple to apply. “We mapped the registry keys which failed to find and load a file and attempted to use these keys to load our own dummy DLL,” the researchers explained. “As we expected, we were able to do this with numerous keys and successfully loaded and ran our DLL within the context of legitimate applications such as explorer.exe, svchost and powershell.”

Although this is the first time the technique has been detailed, the researchers discovered several samples that use these keys in the wild, but not as many as they would have expected “given the simplicity of using these techniques and the lack of security awareness for this risk.”

“Our little experiment was a troubling success,” they concluded. “We discovered that hundreds of registry keys are vulnerable to COM hijacking and Phantom COM Objects loading. This process is very easy for attackers to implement and does not require sophisticated or code injection which is more visible to detection platforms. It is more dangerous because it runs using legitimate user privileges, often does not require reboot and may not have any visible side effects on the user.”

The researchers recommend that organizations verify that their endpoint security vendors mitigate the risk by monitoring COM search order hijacking and Phantom COM object loading, and that endpoint security vendors improve their awareness of, and protection against, the technique.
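As a defender-side check in line with that recommendation, the following is an added example (not Cyberbit’s or Microsoft’s code): a read-only PowerShell audit that lists COM in-process servers whose registered DLL does not exist on disk (the “phantom” keys the researchers describe) and per-user CLSID registrations that shadow a machine-wide one (the search-order case). Function and variable names are mine; it assumes PowerShell 5.1 or later on the host being audited.

```powershell
# Added example, not Cyberbit's code: read-only audit of COM InprocServer32
# registrations. Run elevated so every key under HKLM is readable.

function Resolve-ComServerPath {
    param([string]$Value)
    # Default values look like: C:\Windows\System32\foo.dll, "C:\Program Files\x\y.dll",
    # %SystemRoot%\system32\bar.dll, or just shell32.dll (found via the DLL search path).
    $v = [Environment]::ExpandEnvironmentVariables($Value.Trim())
    if ($v.StartsWith('"')) { $v = ($v -split '"')[1] }
    if (-not [IO.Path]::IsPathRooted($v)) {
        # Bare file name: System32 is where a legitimate server is expected to live.
        $v = Join-Path "$env:SystemRoot\System32" $v
    }
    return $v
}

$hives = [ordered]@{
    HKLM = 'HKLM:\SOFTWARE\Classes\CLSID'   # 32-bit Wow6432Node servers are not walked here
    HKCU = 'HKCU:\Software\Classes\CLSID'
}

$findings = foreach ($hive in $hives.Keys) {
    Get-ChildItem -Path $hives[$hive] -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $key   = Join-Path $_.PSPath 'InprocServer32'
        if (-not (Test-Path -LiteralPath $key)) { return }        # no in-proc server: next CLSID
        $default = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($default)) { return }
        $path   = Resolve-ComServerPath $default
        $issues = @()
        # Registered DLL is missing: the key Windows "fails to find and load"
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { $issues += 'PhantomServer' }
        # Per-user registration of a CLSID that also exists machine-wide; for
        # medium-integrity processes COM consults HKCU before HKLM
        if ($hive -eq 'HKCU' -and (Test-Path -LiteralPath (Join-Path $hives.HKLM $clsid))) {
            $issues += 'UserHiveOverridesMachine'
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{ Hive = $hive; CLSID = $clsid; Server = $path; Issue = ($issues -join ',') }
        }
    }
}

$findings | Sort-Object Issue, Hive | Format-Table -AutoSize
```

Leftovers from uninstalled software also appear as PhantomServer, so the output is a review list rather than a verdict; diffing it against a known-good baseline of the same build is what makes a new entry stand out.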
