According to a write-up on security blog, Breaking Malware, the bug in the system is a coding error that affects the PsSetLoadImageNotifyRoutine, which is supposed to monitor what modules are loading.“During research into the Windows kernel, we came across an interesting issue with PsSetLoadImageNotifyRoutine which as its name implies, notifies of module loading,” explains the security firm enSilo on its blog.
Microsoft Security Response Center has been sitting on the bug all year bug in the Microsoft Windows kernel can render security tools useless by blocking the detection of malware threats by a system utility written specifically to highlight potential threats to security software “The thing is, after registering a notification routine for loaded PE images with the kernel the callback may receive invalid image names.
“After digging into the matter, what started as a seemingly random issue proved to originate from a coding error in the Windows kernel itself. This flaw exists in the most recent Windows 10 release and past versions of the operating system, dating back to Windows 2000.”
The bug defeats the purpose of the PsSetLoadImageNotifyRoutine, which is designed to spot malware threats as they make their way through Windows. It is also rather ironic. Bleeping Computer has spoken to one of the security researchers, Omri Misgav, who said that Microsoft did not see the issue as a security problem.
“We did not test any specific security software,” Misgav told Bleeping Computer. “We are aware that some vendors do use this mechanism, however at this point in time we cannot say if and how the use of the faulty [PsSetLoadImageNotifyRoutine] information affects them.”