New Microsoft Kernel Bug Could Permit Malicious Modules

A Microsoft kernel flaw has been discovered in the PsSetLoadImageNotifyRoutine in all operating systems from Windows 2000 to the most recent version of Windows 10.

Microsoft launched PsSetLoadImageNotifyRoutine in Windows 2000 to notify registered drivers in different parts of the kernel when a PE image file has been loaded or mapped into memory. Highest-level system-profiling drivers can call it to set up their load-image notify routines.

Researchers at endpoint security firm enSilo found a flaw in Microsoft’s API while digging into the Windows kernel. They noticed that after registering a notification routine for loaded PE images with the kernel, the callback may receive invalid image names. The problem was first believed to be a random issue but is actually rooted in the kernel.

Source: Dark Reading