You can’t duck and cover from AtomBombing
Wonderful: a security researcher has found a way to abuse the system-level Atom Tables in Windows – all versions of Windows, through to Win 10.
Atom Tables are defined by the system to store strings with an identifier to access them; they can be global (like the tables that pass data via DDE between applications), or local (for use by a single application).
There’s a detailed Microsoft explanation of Atom Tables here.
What enSilo’s research team has found is that they can inject code into Atom Tables.
In its “AtomBombing” attack, an attacker “can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table. We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.”
The company is keeping mum about the precise mechanism of the attack, but says like most code injection attacks, it relies on tricking a user into running a malicious executable (and after all, evil.exe is a pretty common technique).
A successful attack could, however, accomplish quite a lot of evil, the most obvious being snooping on the contents of memory to grab keystrokes or passwords.
The enSilo post also suggests screen-grabs and browser hijack exploits as other applications of AtomBombing.
Tal Liberman, who wrote the post, says since Atom Tables are a fundamental part of the operating system, defenses will have to be put in place at firewalls, to block incoming executables. ®