One of the big selling points of Microsoft’s Windows 10 Enterprise is that an administrator can lock down software, restricting users to only installing certain, approved, apps. That means that admins don’t really need to worry as much about malware. However, security researcher Casey Smith has found a method for circumventing Microsoft’s AppLocker support.
AppLocker traditionally works by giving system administrators the ability to customize what software a user is and isn’t allowed to install – essentially white-listing and black-listing various applications. However what Smith has discovered is a way to get around that entirely.
The exploit involves using the regsvr32 command-line utility, to point to a remotely hosted file instead. It essentially lets users install or run any application you want, essentially bypassing the entire AppLocker protection system.
No registry changes are involved and as CSOOnline points out, the lack of administrative privileges needed to make this work, means that someone at a company could use this loophole without anyone knowing, essentially giving them free reign on an internal network. That’s particularly dangerous for some organisations.
Microsoft has yet to comment or release an official patch for the bug, but sage advice suggests using Windows Firewall to block regsvr32 from running, thereby making it so that the file that makes all this possible isn’t accessible. There may be a workaround for that, but for system administrators worried that workers will find news of this bug and begin exploiting it, it might not be a bad idea to put that stopgap solution in place.
If you’d prefer a ready made solution, there is some suggestion that the Windows built-in Device Guard, when fully enabled with script protection, does prevent this exploit from being used, though how permanent a solution that is remains to be seen.