Windows 10 null character flaw keeps malware hidden from security scanning tools

The Windows 10 interface that allows apps to connect to antivirus software is truncating files, causing compromised code to come back clean.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • The Windows 10 anti-malware scan interface, which handles malware scan requests from inside applications, was found to be truncating files whenever a null character was read, leaving lines of code unscanned.
  • The February Windows 10 security patch fixes the flaw and should be installed immediately.

Windows 10's anti-malware scan interface (AMSI) is truncating files whenever it encounters a null character, leaving any malicious code placed after that character unscanned.

The AMSI flaw was discovered by security researcher Satoshi Tanda, who revealed it in a February 16 blog post. Microsoft fixed the flaw in its February security update, which is why Tanda waited until then to publish his piece breaking down the details of this serious security flaw.

It isn't known if this Windows 10 AMSI exploit has been used by actual attackers, but with it now being publicly known it's sure to be attempted. With a patch already available for the problem, anyone who falls prey to it will be in the same boat as victims of other high-profile cyberattacks; that is, guilty of not installing essential Windows 10 security updates.

Anatomy of an AMSI exploit

If you're not familiar with how AMSI works, that's understandable: it's a mostly invisible background process that acts as a go-between for antivirus software and Windows applications.

When an app needs to scan a file (of any kind), it relies on the antivirus platform running on its host machine. Apps can't talk to antivirus apps by default, but they can talk to AMSI, and AMSI can talk to most antivirus software.

AMSI handles at least part of the scanning for the AV app it interfaces with, and herein lies the problem that Tanda discovered: AMSI simply stops scanning whenever it runs into a null character, the byte whose bits are all set to zero.


Any malicious code hidden after the null character will simply go unscanned, allowing it to safely execute without detection.
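The truncation described above is the classic C-string mistake: a scanner that treats its input as a NUL-terminated string stops at the first zero byte, even though the caller handed it an explicit length. The following is an added example written for this article, not Tanda's code and not AMSI's actual internals (which the article does not describe). It contrasts a flawed length-ignoring scanner with a corrected length-aware one over a constructed buffer, and adds the check a defender would want: flagging any script buffer that contains an embedded NUL at all. The signature string and sample buffer are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed "signature": the substring the scanner is looking for.
   It stands in for a real AV signature, which this example does not have. */
static const char SIGNATURE[] = "EVIL-MARKER";

/* Constructed sample buffer: benign text, then a NUL byte, then the
   signature. The literal's own terminating NUL is excluded from SAMPLE_LEN. */
static const char SAMPLE[] = "Write-Host 'hello'\0EVIL-MARKER";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

/* Search for needle inside the first len bytes of hay, treating a NUL byte
   as ordinary content (memmem is not portable, so the loop is written out). */
static int find_bytes(const char *hay, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || len < n) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Flawed scanner: treats the buffer as a C string, so it only examines the
   bytes before the first NUL and never sees anything placed after it. */
int scan_naive(const char *buf, size_t len)
{
    size_t visible = 0;
    while (visible < len && buf[visible] != '\0') visible++;
    return find_bytes(buf, visible, SIGNATURE);
}

/* Corrected scanner: honours the caller-supplied length, so a NUL byte is
   just one more byte of content and the whole buffer is examined. */
int scan_full(const char *buf, size_t len)
{
    return find_bytes(buf, len, SIGNATURE);
}

/* Defender-side check: a script buffer with an embedded NUL is unusual and
   worth flagging for review regardless of whether a signature matched. */
int has_embedded_nul(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

int main(void)
{
    printf("naive scanner hit:  %d\n", scan_naive(SAMPLE, SAMPLE_LEN));
    printf("length-aware hit:   %d\n", scan_full(SAMPLE, SAMPLE_LEN));
    printf("embedded NUL found: %d\n", has_embedded_nul(SAMPLE, SAMPLE_LEN));
    return 0;
}
```

Run as-is, the naive scanner reports no hit while the length-aware scanner finds the signature, which is exactly the gap the article describes; the embedded-NUL check is the cheap heuristic to alert on while a fix is rolled out.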

This may not seem like a serious issue; after all, malware scans happen outside of AMSI's context all the time, so that code will surely be caught. As Bleeping Computer points out, that isn't necessarily the case, since Microsoft designed AMSI to catch things often missed by definition-based AV software.

AMSI, Bleeping Computer's Catalin Cimpanu said, "inspect[s] scripts invoked at runtime, such as PowerShell, VBScript, Ruby, and others." Scripts are a common way of getting malware past antivirus scanners. Anything that makes it easier for attackers to do so, like this flaw, requires immediate action.

Microsoft's latest round of security updates closes this hole, but that doesn't mean attackers won't try to exploit it. WannaCry, Petya, and other widespread cyberattacks from 2017 relied on unpatched systems to propagate.

There's no reason to assume attackers will stop relying on human error to spread malware, so be safe: Install the February Windows 10 security updates ASAP.
