Discovered by security researcher Casey Smith, the flaw allows hackers to use the Regsvr32.eve to install the app, by directing it to a hosted file or script. The app or script can then be installed, without administrator access or even modifying the registry - making it very difficult to reverse changes or monitor unauthorised use. The flaw, which could result in the PC installing malicious apps despite having Windows AppLocker, can be exploited in business editions of Windows 7 and higher.
"The amazing thing here is that regsvr32 is already proxy aware, uses TLS, follows redirects, etc...And.. You guessed a signed, default MS binary," wrote Smith while explaining the flaw in a blog post.
The Colorado-based Casey Smith also posted proof of concept scripts on GitHub to show the vulnerability.
Microsoft is yet to comment on the vulnerability and or release a patch for its Windows AppLocker. In the meanwhile, Eric Rand of Brown Hat Security (https://brownhatsecurity.com/mitigation-for-whitelisting-bypass-using-regsvr32-white-register.html ) has mitigation and suggests blocking Internet access of the Regsvr32.exe and Regsvr64.exe apps via Windows Firewall. He says, "There is at this time no patch available, but mitigation is possible via the Windows Firewall. Block %systemroot%\System32\regsvr32.exe and %systemroot%\SysWoW64\regsvr32.exe from network access and the largest threat surface will be mitigated."
Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.