Attackers can 'AtomBomb' every version of Windows

A newly-discovered technique allows attackers to bypass the security protections of every version of Microsoft's Windows operating system to inject malicious code and compromise victim PCs, researchers have revealed.

The "AtomBombing" attack - detailed by IT security form enSilo - relies on the use of Windows atom tables, which allow applications to store, access, and share data.

The researchers said a design flaw in Windows makes it possible for attackers to write malicious code into an atom table and force a legitimate application to retrieve it. Programs that have retrieved the malicious code can then be manipulated to execute it.

Injecting malicious code into legitimate processes makes it easier for attackers to bypass security protections, the researchers said.

"For example, let's say an attacker was able to persuade a user to run a malicious executable, evil.exe. Any kind of decent application level firewall installed on the computer would block that executable's communication," the enSilo researchers wrote.

"To overcome this issue, evil.exe would have to find a way to manipulate a legitimate program, such as a web browser, so that the legitimate program would carry out communication on behalf of evil.exe."

The code injection attack allows threat actors to not only bypass process level restrictions but also access context-specific data (like screenshots), perform man-in-the-middle browser attacks, and access encrypted passwords stored on Google Chrome.

The firm said all versions of Windows were affected. It specifically tested on Windows 10.

Given the technique uses legitimate operating system functions to perform an attack, users will find it difficult to patch against, enSilo said.

However, it suggested organisations monitor for suspicious changes within application programming interface (API) calls.