A researcher has found a Windows flaw that centres on AppLocker. AppLocker is a feature in Windows 7 and Windows Server 2008 R2 that lets you specify which users or groups can run particular applications in your organization, based on unique identities of files. If you use AppLocker, you can create rules to allow or deny applications from running.
Today’s organizations face a number of challenges in controlling application execution, including the following:
- Which applications should a user have access to run?
- Which users should be allowed to install new software?
- Which versions of applications should be allowed?
- How are licensed applications controlled?
Put simply, with this tool only the apps you allow will open. But now an American researcher, Casey Smith, says that by using Regsvr32 and pointing it to a remotely hosted file (such as a script), you can make a system run whichever app you want, which is just what hackers and virus writers are looking for. It is stealthy, too, as it does not require administrator access or give itself away through registry changes.
Smith has even gone further to publish a proof-of-concept script on GitHub.
In the meantime, until Microsoft can issue a permanent fix, you can block Regsvr32.exe’s and Regsvr64.exe’s access to the network using Windows Firewall.
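The interim mitigation above, as an added example that is not part of the original article and not Casey Smith's code: a PowerShell script that uses the built-in Windows Firewall to block outbound network access for regsvr32.exe. It uses netsh rather than New-NetFirewallRule because the NetSecurity module is not available on Windows 7 / Server 2008 R2, the platforms the article covers. The rule names and the decision to cover both the System32 (64-bit) and SysWOW64 (32-bit) copies of regsvr32.exe that 64-bit Windows ships are assumptions of this example; the article refers to these as Regsvr32.exe and Regsvr64.exe.

```powershell
# Added example (not from the article): block outbound network access for regsvr32.exe
# with Windows Firewall, as the article suggests, until a permanent fix is available.
# Run from an elevated (Administrator) PowerShell prompt.

# Assumption: on 64-bit Windows two copies of regsvr32.exe exist, one in System32
# (64-bit) and one in SysWOW64 (32-bit); both get a rule so neither can reach a
# remotely hosted script. On 32-bit Windows only the System32 copy exists.
$targets = @(
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\SysWOW64\regsvr32.exe"
)

foreach ($exe in $targets) {
    if (-not (Test-Path $exe)) {
        Write-Host "Skipping $exe (not present on this system)"
        continue
    }

    # Assumed rule name; any descriptive name works.
    $ruleName = "Block outbound - $exe"

    # dir=out action=block: the binary can still run locally, but cannot fetch
    # content from the network, which is what the described bypass relies on.
    netsh advfirewall firewall add rule name="$ruleName" dir=out action=block program="$exe" enable=yes profile=any | Out-Null

    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Failed to add firewall rule for $exe"
    } else {
        Write-Host "Added outbound block rule for $exe"
    }
}

# Verification: confirm the rules are present in the firewall configuration.
netsh advfirewall firewall show rule name=all | Select-String -Pattern "Block outbound - "
```

Two points worth checking after running this: Windows Firewall must actually be enabled for the active profile, since a rule in a disabled firewall blocks nothing, and a third-party firewall that replaces Windows Firewall will ignore these rules. Blocking network access also does not stop regsvr32.exe from loading a script that is already on the local disk, so this is a stopgap in addition to, not instead of, AppLocker rules and endpoint monitoring.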