A newly discovered vulnerability can enable any malware to bypass all security solutions on Windows 10 machines. This means it can affect any of the 400 million computers running Windows 10 PC globally.
Check Point uncovered the technique, called Bashware. It leverages a new Windows 10 feature called Subsystem for Linux (WSL), which recently went out of beta stage and is now a fully supported Windows feature. This feature makes the popular ‘bash’ terminal available for Windows OS users, which allows users to natively run Linux operating system executables on the Windows operating system.
However, existing security solutions (including anti-virus, inspection tools and anti-ransomware, among others) are still not adapted to monitor processes of Linux executables running on Windows OS, a hybrid concept which allows a combination of Linux and Windows systems to run at the same time.
This may open a door for cybercriminals wishing to run their malicious code undetected, and allow them to use the features provided by Windows Subsystem for Linux to hide from security products that have not yet integrated the proper detection mechanisms.
“Bashware is so alarming because it shows how easy it is to take advantage of the WSL mechanism to allow any malware to bypass security products,” researchers said, in an analysis. “We tested this technique on most of the leading anti-virus and security products on the market, successfully bypassing them all.”
Bashware does not leverage any logic or implementation flaws in WSL’s design, they added. In fact, WSL seems to be well designed.
“What allows Bashware to operate the way it does is the lack of awareness by various security vendors, due to the fact that this technology is relatively new and expands the known borders of the Windows operating system,” the researchers said. “However, we believe that it is both vital and urgent for security vendors to support this new technology in order to prevent threats such as the ones demonstrated by Bashware.”
Check Point noted that Microsoft has already taken steps that should assist the security vendors to deal with the new security considerations presented by WSL, including a Pico APIs that can be used by AV companies in order to monitor these types of processes. Now, it’s up to the vendors to incorporate them.
“With a growing number of cyber-attacks and the frequent news headlines on database breaches, spyware and ransomware, quality security products have become a commodity in every business organization,” Check Point concluded. “Consequently a lot of thought is being invested in devising an appropriate information security strategy to combat these breaches and providing the best solutions possible.”