April 22, 2016

"If you're relying on Microsoft's AppLocker to lock down your office or school Windows PCs, then you should check this out."

The Register: A security researcher says he's found a way to potentially bypass the operating system's software whitelist and launch arbitrary scripts. By Chris Williams

'AppLocker lets IT admins managing large networks of machines define which applications and scripts users can and can't run and install. It was introduced in Windows 7, and the idea is to keep users on the straight and narrow: stop them from launching non-work-related programs, stop them from running malicious programs, or stop them from running programs that will involve lots of support calls.

'A security researcher called Casey Smith has found that AppLocker's script defenses can be potentially bypassed with a pretty simple command.

'Smith found that if you give regsvr32 a URL to parse, it will actually fetch the file over HTTP or HTTPS, even via a configured proxy, and process it. By embedding some JavaScript in the fetched XML, and triggering its execution by requesting a .DLL unregistration, it's possible to run arbitrary scripts bypassing AppLocker and cause mischief. Any user can request this unregistration.

'"It's not well documented that regsvr32.exe can accept a URL for a script," said Smith.'
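As an added example, not from The Register's article or from Smith's research: a small Python detection check that scans constructed process-creation log lines and flags any regsvr32.exe launch whose command line carries an http(s) URL, which is the observable behaviour the article describes. The pipe-separated log format and the sample events are assumptions made for the example.

```python
import re

# Constructed sample process-creation events (not real telemetry), one per line:
# timestamp | user | image path | command line
SAMPLE_EVENTS = """\
2016-04-22T09:01:12Z|CORP\\alice|C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s C:\\Program Files\\App\\vendor.dll
2016-04-22T09:03:40Z|CORP\\bob|C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /u https://files.example.test/update.xml
2016-04-22T09:04:05Z|CORP\\bob|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
2016-04-22T09:07:31Z|CORP\\carol|C:\\Windows\\SysWOW64\\regsvr32.exe|REGSVR32.EXE /U HTTP://10.0.0.5:8080/a.xml
"""

# Match an http or https scheme anywhere in the arguments, regardless of case.
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def parse_event(line):
    """Split one assumed-format log line into its four fields."""
    ts, user, image, cmdline = line.split("|", 3)
    return {"ts": ts, "user": user, "image": image, "cmdline": cmdline}


def is_regsvr32_url_launch(event):
    """True when regsvr32.exe is started with a URL in its command line.

    regsvr32 is a signed Windows binary that an AppLocker policy normally
    allows, so a URL argument (the article's "give regsvr32 a URL to parse")
    is the detail worth alerting on. Argument order and case are ignored, and
    both the System32 and SysWOW64 copies are covered by comparing the file
    name only.
    """
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    if image_name != "regsvr32.exe":
        return False
    return URL_RE.search(event["cmdline"]) is not None


def find_suspicious(raw_log):
    """Return the parsed events from raw_log that match the check."""
    events = [parse_event(l) for l in raw_log.splitlines() if l.strip()]
    return [e for e in events if is_regsvr32_url_launch(e)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"{hit['ts']} {hit['user']}: {hit['cmdline']}")
```

A local regsvr32 registration of a DLL on disk (the first sample line) is not flagged, so the check singles out the URL case rather than every regsvr32 use.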

