A researcher has discovered a way for attackers to sneak remotely hosted, unauthorized applications—more specifically, COM (Component Object Model) objects—past Microsoft Windows' whitelisting security feature Applocker, by abusing the command-line utility Regsvr32.
Normally, Regsvr32 allows users to register Dynamic Link Library (DLL) files and ActiveX controls, but on his blog, Colorado-based researcher Casey Smith recently explained that hackers can place a malicious script block inside the registration tag, and then have Regsvr32 successfully execute the code. The trick works on the business editions of Windows 7 on up.
No administrator access is required to perform this workaround, and the process does not alter the system registry, making this vulnerability-based hack a difficult one to detect.
