November 8, 2016 / Rafal Wojtczuk

Thoughts on the recent “NtSetWindowLongPtr” vulnerability

On October 31, the Google security team announced that it had discovered a vulnerability, actively exploited in the wild, in (unspecified) versions of Microsoft Windows. The vulnerability is a local privilege escalation, allowing an unprivileged user to gain kernel privileges. The original advisory is here.

On November 1, Alex Ionescu posted on his blog some remarks (here and here) about the nature of the vulnerability.

No public exploit code is known at the time; the information mentioned above is not sufficient for the author to reproduce the vulnerability. Still, some details can be deduced:

  • One of the exploitation steps is issuing the win32k NtUserSetWindowLongPtr syscall in order to set one of the fields (“spmenu”) in the kernel data structure describing a window.
  • The semantics of the “spmenu” field depend on the style of the window. If the window has the WS_CHILD attribute, “spmenu” stores a menu id, and the kernel allows it to be set to an arbitrary value. Without the WS_CHILD attribute, “spmenu” is a pointer to kernel data structures.
  • Generally, kernel code is careful to use the “spmenu” field properly. In particular, when the window’s style changes from WS_CHILD to non-WS_CHILD, the “spmenu” field is reset to 0, to prevent an arbitrary value from being referenced as a pointer.
  • Apparently, under unspecified conditions, it is possible to force the kernel to treat “spmenu” as a trusted pointer, which likely results in arbitrary code execution in kernel context.
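A simplified user-mode model of the invariant described in the list above, added here as an illustration; it is not win32k code and not part of the original post. The struct layout and the function names (set_menu_id, set_style, get_menu) are hypothetical; only WS_CHILD and the field name “spmenu” come from the text. It shows the intended safe behaviour only, not the unspecified condition under which the real check fails.

```c
#include <stdint.h>
#include <stddef.h>

#define WS_CHILD 0x40000000u  /* real Win32 style bit; everything else is a toy model */

struct menu { int item_count; };  /* stand-in for a kernel menu object */

struct window {                   /* hypothetical layout, not the win32k one */
    uint32_t  style;
    uintptr_t spmenu;  /* WS_CHILD: caller-chosen menu id; otherwise: struct menu * */
};

/* "Set menu id" request: arbitrary values are accepted only for child windows. */
int set_menu_id(struct window *w, uintptr_t id)
{
    if (!(w->style & WS_CHILD))
        return -1;     /* would overwrite a trusted pointer with caller data */
    w->spmenu = id;
    return 0;
}

/* Style change: leaving WS_CHILD resets the field, as the post describes. */
void set_style(struct window *w, uint32_t new_style)
{
    if ((w->style & WS_CHILD) && !(new_style & WS_CHILD))
        w->spmenu = 0;
    w->style = new_style;
}

/* The only accessor that yields a pointer; it checks the style first. */
struct menu *get_menu(const struct window *w)
{
    if (w->style & WS_CHILD)
        return NULL;   /* field holds an id here and must never be dereferenced */
    return (struct menu *)w->spmenu;
}

/* Constructed scenario; returns 1 if the id never surfaces as a pointer. */
int demo(void)
{
    struct window w = { WS_CHILD, 0 };
    if (set_menu_id(&w, (uintptr_t)0xDEADBEEFu) != 0) return 0;
    if (get_menu(&w) != NULL) return 0;
    set_style(&w, 0);                          /* WS_CHILD -> non-WS_CHILD */
    if (w.spmenu != 0 || get_menu(&w) != NULL) return 0;
    return set_menu_id(&w, 0x1234) == -1;      /* ids rejected for non-child */
}

int main(void) { return demo() ? 0 : 1; }
```

Any code path that reads the field as a pointer without going through a style check like the one in get_menu, or that changes the style without the reset in set_style, breaks the invariant.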

Again, the vulnerability is a local privilege escalation, meaning the attacker needs to be able to run arbitrary code on the victim machine. Still, it seems that the attacker needs very limited privileges (just the ability to issue win32k syscalls) to run an exploit. In the Google announcement, the possibility of breaking out of a sandbox is explicitly mentioned. Interestingly, a vulnerability in Adobe Flash was discovered in the wild at the same time.

Thus, the attacker used the following steps:

  1. Entice the victim to open in a browser a webpage containing browser exploit code.
  2. Use the browser exploit (based on Flash vulnerability or anything else) and achieve arbitrary code execution. In most cases, the code will run in a sandbox, with limited privileges.
  3. Use the kernel vulnerability to get full control over the machine.

A very interesting question is which sandboxes can be breached via the “NtSetWindowLongPtr” vulnerability. Without full knowledge of the vulnerability internals we cannot be sure, but we can make educated guesses. The following cases are most likely affected, because there are no restrictions on using win32k syscalls in the respective sandbox:

  • Chrome browser on Windows 7
  • Internet Explorer
  • Edge before Windows 10 1607 (aka “anniversary update”)

Chrome browser on Windows 8 and 10 is not affected. When running on these OS’s, the Chrome sandbox uses the “win32k lockdown” mechanism, which forbids issuing any win32k system calls, thus mitigating the vulnerability.

The most interesting case is Edge on Windows 10 1607. In this case, the sandbox does not block all win32k system calls. Instead, only some of them are filtered out, as described in the MS presentation on Windows 10 mitigations. In particular, the NtUserSetWindowLongPtr syscall is not blocked; therefore, the Edge sandbox on Windows 10 1607 is likely affected.

This particular vulnerability is unusual mostly because it was announced before a patch was available (the patch is expected to be available on regular Patch Tuesday, today, November 8). In fact, win32k vulnerabilities are common; this year, until November, there were 31 CVE items related to win32k mentioned in Microsoft security bulletins. This is expected: the win32k driver is huge and exposes a broad interface to potentially malicious usermode code.

So far, only Chrome browser uses full win32k lockdown. Still, it does not protect against other (not in win32k driver) kernel vulnerabilities – while much less frequent, they do happen.

In order to get mitigation against all kernel vulnerabilities, for many more applications, we need another layer of isolation. Hypervisor-based technology helps with that. If we run malicious code in a VM, then even if that code achieves kernel privileges, the VM can still contain the malware. Even though the hypervisor itself can potentially have bugs as well, the attack surface of a well-written hypervisor is way smaller than the attack surface of the Windows kernel.

Bromium vSentry isolates each supported application in a VM, and therefore breakouts from sandboxes via Windows kernel vulnerabilities are of little concern for vSentry users.

August 4, 2016 / Rafal Wojtczuk

Blackhat USA presentation on Windows 10 VBS

Today I presented at Blackhat USA conference. The talk is titled “Analysis of the attack surface of Windows 10 virtualization-based security”. The main points of the presentation were:

  1. Currently VBS provides protection only against a few specific attacks. Many typical malware actions (e.g. ransomware) are not affected by it.
  2. Credential Guard stops the classical pass-the-hash scenario. However, an attacker capable of running his code in the context of the logged-in user can still use user’s credentials in order to authenticate to remote servers, and thus perform lateral movement.
  3. Hypervisor-enforced kernel code integrity places additional restrictions on what kernel exploits can achieve. A vulnerability fixed in MS16-066, which allowed unsigned code to run in kernel context, is discussed.
  4. VBS architecture is very different from other virtualization-based solutions. Possible attack vectors, specific to VBS, are discussed; particularly, reliance on UEFI and hardware security is highlighted.
  5. A special case of the above, namely SMM vulnerabilities, is clearly the most severe threat. Exploiting them is nontrivial and firmware-specific, but recently there were many examples (e.g. thinkpwn), resulting in full bypass of all VBS features.

The slides and whitepaper are available for download; the latter is more detailed.

May 25, 2016 / Josh Stroschein

Am I in a VM? – The tale of a targeted Phish

Office documents have been a favorite method of distribution for malware authors for several years. While most malware authors go to great lengths to hide the intention of their macros through obfuscation, it is seldom that we encounter macros that also exhibit anti-analysis techniques. We recently examined an office document that contained such capabilities. This document was used in a spear phishing campaign to target an executive at a well-known publicly traded company.

What first stood out about this document was that when it was opened in a virtual environment, no malicious activity was observed. The content of the document used social engineering to get the user to enable macros.

[Figure: Malicious Word Document Content]

Further inspection of the document revealed that it contained several macro streams:

[Figure: Document Streams]

The macros were obfuscated as can be seen in the Document_Open() function, which will execute when the document is opened.

[Figure: Macro Auto Open]

Read more…

April 18, 2016 / Jared DeMott

Ransomware is a very hot topic right now. In fact, some are saying this will be the year of the ransom (LA Times). That is, ransomware is the single biggest (but not the only) threat to individuals and corporations this year. The FBI has even been meeting with organizations both publicly and privately to help raise awareness (FBI).

Heating up?

Yes. Blackmail has always been in the physical world. But it’s finding new legs on the Internet right now. Malware could do anything. From sabotage to spying. But stealing money is the cybercrime favorite. In the past, stealing bank numbers and credit cards was the path toward evil riches. However, banks have established more anti-fraud measures, making this technique difficult.


Attackers lock an organization or individual’s files, and agree to unlock them only if they pay a ransom. Getting paid with crypto-currency (bit coins) is the new fastest and safest way for bad guys to monetize a victim. The ransom for mass victims tends to be reasonable: ~$300USD is the average ask (CNET). Other times, the bad guys get directly involved to get a big fish on the hook, and ask for much more.


Ransomware doubled in 2015. The number of ransomware families has increased 600 percent from ~2 in 2013 to ~12 in 2015 (Bromium 2015 Threat Report). Here’s another way to visualize that data from a recent threat report (Symantec):


As with any success, copycats will always want to jump on the bandwagon. Expect to see many new variants of crypto-ransomware coming in the next year or two. Jigsaw (ComputerWorld) begins deleting files as you delay, almost like killing hostages one-by-one. Targeting backup files is effective against organization data (ABC News). And of course, the “best” ransomware includes good “customer service” that helps victims pay (Reuters).

Hard to stop?

Yes. For most anyway. Typical security products are detectors. They require a constantly updated set of rules to try and block/detect infections. The problem: Angler is the crafty exploit kit of choice, and is currently managing to infect computers anyway. Angler is tending to drop ransomware, which is constantly re-encoded to bypass file analysis techniques. Thus, the only reliable way to stop ransomware is via security through isolation (what Bromium does). To read more about exploit kits, see:


The FBI recommends not clicking on suspicious links and backing up data (FBI). That’s good advice. But there are problems with both. First, people need to be able to click links and open documents to do their job. Imagine an HR employee who is told not to open PDFs? That’s how resumes come! Second, when backups are done, they’re not always stored offline. The real threat to organizations when a ransomware hits, is that their network shares (which might be where backups are stored) are encrypted.

Are you ready?

No. Many individuals and even companies do not have sufficient backups of critical data. Also, they do not have protections that can fully stop malware infections from getting in. That’s because detection is always a step behind. And while detection can help organizations hunt for unknown infections, there’s not as much need to find ransomware. You’ll know when you get hit. When you hear your system administration screaming; that might be the first clue.

Should I pay?

Of course not. Criminals will use the money to conduct R&D for more crime. There is also no certainty they’ll leave the system once (if) you get your files back. However, typically they do return the files, and most sources admit, there are cases where paying makes sense. For example, the hospital that couldn’t treat patients until their network returned paid the $17,000USD because risking any more time was not an option (LA Times).


This video provides a live walkthrough of a real ransomware sample. That’s what we really wanted to provide in this blog. We want to show how straightforward Ransomware is, and how easy it is for us to block and report.


Ransomware is going to hit your organization at some point. Will you be isolating those events, or dealing with the aftermath? Because ransomware has been so effective, more complicated strains are definitely coming to a computer near you.

Works Cited

ABC News. Researchers: Newer Type of Ransomware Is Harbinger of Danger.

Bromium 2015 Threat Report.

CNET. Ransomware is the hot hacking trend of 2016.

ComputerWorld. Jigsaw ransomware deletes more files the longer you delay paying.

FBI. Ransomware awareness.

LA Times. 2016 is shaping up as the year of ransomware.

LA Times. Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating.

Reuters. Ransomware: Extortionist hackers borrow customer-service tactics.

Symantec. Internet Security Threat Report. Volume 21, April 2016.

March 9, 2016 / Vadim Kotov

Macro-Malware Connecting to GitHub

Just yesterday McAfee Labs reported macro malware hiding payload in text forms. That same day we found a sample fetching its payload from GitHub.

As usual the attack starts with a spam email with the attachment named:

<organization name>’s_Overdue Invoice_(007-153315).doc

Pretty nice name, some people may actually buy this as it isn’t any generic random name like invoice_confirmation.doc – it actually contains the organization’s name.

The document has the following structure: Read more…

March 8, 2016 / Jared DeMott

Angler EK – A Bromium Discussion

Disruptive attacks against individuals and organizations are rapidly rising, as was noted in recent security reports (Mandiant, A Fireeye Company, 2016). As an example, ransomware has been a big problem. As we look at customer security alerts, we note that ransomware could have been a problem for our clients as well. Thus, we decided to compare a typical approach to stopping evolving threats with the Bromium approach.

Read more…

February 3, 2016 / Vadim Kotov

Macro Redux: the Premium Package

Earlier this week we came across an interesting spam email. It was targeted at one of our customers in the retail industry. It contained a Microsoft Word document (MD5 = b74604d0081e68e91d64b361601d79c4) with a rather small macro in it. All that macro did was save a copy of the document as RTF, open it and then launch an executable from the user’s temp folder. The interesting bit is that it did not explicitly drop or download the executable; it was just supposed to be there somehow. It turns out the malicious executable was embedded into the document as a package and dropped by MS Office itself. For the full details read on.

Read more…

December 3, 2015 / Vadim Kotov

A Micro-view of Macro Malware

Dridex is a botnet with multiple features; it is best known for stealing people’s credentials on finance-related web sites. Despite the arrest of the gang behind the Dridex malware campaigns, the samples keep popping up on our customers’ machines. Other research groups have noticed that as well.

Most of the Dridex attacks we see were triggered by malicious Microsoft Word or Excel documents distributed through spam. Microsoft Office allows its users to create macros – scripts in Visual Basic for Applications (VBA). This feature is used by many companies as a quick and easy way to automate certain parts of their business workflow. Naturally, malware writers take advantage of it. They can create a macro that downloads and executes malware on the victim’s machine, trick a user into opening the document, and trick them into allowing the macro to run. This part of the attack is more in the field of social engineering, as attackers must convince a user to open a malicious email attachment and convince them to allow macros (macros won’t run by default).

Microsoft tried to raise awareness earlier this year, but little seems to have been done since then as the spam campaigns featuring macro malware have increased and evolved to become more effective.

Read more…

November 3, 2015 / Rafal Wojtczuk

Xen security advisories from October 2015 and Bromium vSentry

Nine Xen hypervisor security advisories – XSA-145, XSA-146, XSA-147, XSA-148, XSA-149, XSA-150, XSA-151, XSA-152, XSA-153 were released on October 29. The good news is that none of them impact Bromium vSentry hypervisor. The most notable one is XSA-148:

Read more…

September 28, 2015 / Rafal Wojtczuk

An interesting detail about Control Flow Guard

On Windows systems before Windows 8.1 update 3, C code calling a function pointer used to be compiled to just a simple “call register” instruction; for example, in a 32-bit process:

call esi

Starting with Windows 8.1 update 3, in all system libraries, it is more complicated:

mov ecx, esi
call ds:___guard_check_icall_fptr
call esi

Read more…