AppLocker: one step forward, two steps back

Discussion in 'other security issues & news' started by Gullible Jones, Mar 9, 2013.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    If I'm not mistaken, this is what Microsoft released a hotfix for (after Didier Stevens mentioned it).
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
  3. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    I still have yet to find info on the subject relating to Windows 8. If AppLocker on Win8 has the same issue as the one in Win7, I have yet to see a hotfix released for Windows 8...

    Does anyone know anything about the matter?
     
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    This was back in 2011; Win 8 does not suffer from it, as it was released almost 2 years later (October 2012).
     
    Last edited: Mar 12, 2013
  5. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    You had me worried with that title. :D
    But after reading other posts I'm much better now.
     
  6. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    Thanks for the reply but is that based on assumption or have you found any official statement indicating so? If you have tested it, please acknowledge. Reason I'm asking is this:

    http://blog.didierstevens.com/2011/11/17/hotfix-for-srpapplocker-bypass/

    If you see the comments section on Didier Stevens' blog link above, you'll see this written by him:

    Aside from that comment by Didier, I searched the web and so far have not found anything substantial on the subject. If the issue still remains in Win8 as Didier mentioned, is MS planning on releasing a hotfix for it? Does anyone have any clues?
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    @ safeguy

    I've been wondering that myself, but considering that Microsoft never released a definitive update for Windows 7, it is highly unlikely that they "patched" Windows 8. It has always been my thought, and now that you mentioned Didier Stevens says it doesn't, I've got no reason not to believe him.

    After all, it was all by design. :blink:
     
  8. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    It WAS and still IS by design. I have even checked the official MS (TechNet) pages on AppLocker. Here's what I noticed:

    Security Considerations for AppLocker (applies to Windows 8)

    I guess what Didier said is spot on. MS simply does not "consider this an issue". If MS wanted to, they could have patched it in Win7 but they released it as a Hotfix. I wonder how many system admins that deploy AppLocker are aware of it? Then, they updated the 'Security Considerations for AppLocker' page to include this 'flaw'.

    I have posted this same question on this forum in January but I guess members here didn't notice. By the looks of it, there may be a possibility of MS not even releasing a Hotfix for Win8. I hope I'm wrong and would love to be proven wrong...
     
  9. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    This is just absolutely terrible practice. I wonder how many other integrated Windows measures have bypasses & backdoors inserted into them that aren't known publicly? Kind of makes you sketchy about relying on the integrated security... would rather use an open source 3rd-party solution if there were one available to address the same need.

    I'd be using a fully featured HIPS & Truecrypt instead of AppLocker & Bitlocker, that's for damn sure.
     