The Applocker feature is undoubtedly helpful for companies eager to keep malware or virus off their network, as the feature Applocker allows administrators to whitelist and blacklist apps. But we have bad news about the windows Applock feature.
A new security flaw was discovered by the researcher Casey Smith which lets hackers bypass the security feature Applocker and provide access to run any application on windows without administrators rights, as the researcher Casey Smith blogged about his detection and published the proof of concept scripts on GitHub to show and explain it.
New Security Flaw Lets Hackers Run Any App On Windows
According to the researcher Casey Smith, the new security flaw allows hackers to use the remotely hosted file (such as a script) “Regsvr32.eve” to install the app, which allows the hackers to install whatever app they want without the administrator access or even modifying the registry and this is what the hackers and the virus writers are looking for.
Hence, this flaw makes it very difficult to reverse the changes done by the attackers or hackers, as well as it is also very difficult to monitor unauthorized use.
The flaw was discovered by the researcher Casey Smith can exploit the business editions of Windows; the researcher Casey Smith wrote that “The amazing thing here is that regsvr32 is already proxy aware, uses TLS, follows redirects, etc…And.. You guessed a signed, default MS binary”.
Microsft has yet not confirmed the vulnerability discovered by the researcher Casey Smith; hence, there is no known patch for the flaw which exploits Windows AppLocker yet.
But, in the meantime, the consultant at Brown Hat Security and guest blogger at AlienVault, Eric Rand, suggests blocking Internet access of the Regsvr32.exe and Regsvr64.exe apps via Windows Firewall, which will prevent them from accessing the online files. At the same time, it will not be a good idea if you are thinking of protecting multiple or a bunch of windows computers.