A new security flaw was discovered by the researcher Casey Smith which lets hackers bypass the security feature Applocker and provide access to run any application on windows without administrators rights, as the researcher Casey Smith blogged about his detection and published the proof of concept scripts on GitHub to show and explain it. According to the researcher Casey Smith, the new security flaw allows hackers to use the remotely hosted file (such as a script) “Regsvr32.eve” to install the app which allows the hackers to install whatever app they want without the administrator access or even modifying the registry and this is what the hackers and the virus writers are looking for. Hence, this flaw makes it very difficult to reverse the changes done by the attackers or hackers, as well as it also very difficult to monitor the unauthorized use. The flaw which was discovered by the researcher Casey Smith can exploit the business editions of Windows, the researcher Casey Smith wrote that “The amazing thing here is that regsvr32 is already proxy aware, uses TLS, follows redirects, etc…And.. You guessed a signed, default MS binary”. Microsft yet not confirmed the vulnerability which was discovered by the researcher Casey Smith and hence, there is no known patch is there for the flaw which exploits Windows AppLocker yet. But, in the meantime the consultant at Brown Hat Security and guest blogger at AlienVault Eric Rand suggests to block Internet access of the Regsvr32.exe and Regsvr64.exe apps via Windows Firewall, which will prevents it from accessing the online files, while it will be not a good idea if you are thinking to protect multiple or a bunch of windows computers.
Δ
