Researcher found CIGslip atttacks that Bypasses Windows Code Integrity Guard (CIG)

Researchers Michael Gorelik and Andrey Diment, an Israeli security firm Morphisec, announced on Wednesday that they have discovered a new attack technology named “CIGslip” that bypasses Microsoft’s Code Integrity Guard (CIG). ) and load unsigned malicious code into a protected process, such as Microsoft Edge.

CIG is the first security mechanism introduced by Microsoft after the launch of Windows 10 in 2015. Microsoft has made it a part of the security mitigation measures for Edge browsers.

Microsoft wrote in its blog post: “Starting with EdgeHTML 13, Microsoft Edge defends the user’s browsing experience by blocking injection of DLLs into the browser unless they are Windows components or signed device drivers. DLLs that are either Microsoft-signed, or WHQL-signed, will be allowed to load, and all others will be blocked. “Microsoft-signed” allows for Edge components, Windows components, and other Microsoft-supplied features to be loaded. ”

The benefit of this security mitigation measure is that it blocks unwanted software. For example, adware and even malware attempt to redirect traffic or steal information by injecting code into Edge browsers. In other words, even if a user’s computer is infected with malware, it cannot inject malicious code into the CIG-protected application process.

The CIGslip attack technology announced by Morphisec’s two researchers broke the protection mechanism of CIG, and attackers can use this technology to bypass the CIG check.

Due to the increasing popularity of the CIG mechanism, Morphisec decided to announce their findings. Because this kind of attack takes up very little space on the system, almost all security mechanisms can’t find it, and now no one can prove that this vulnerability has not been exploited by potential attackers.

Attackers can use CIGslip to insert malware or adware into the Edge browser. Currently, due to the use of CIG, it is difficult for third-party security vendors to protect Edge browsers because each of their DLLs wants to act on a CIG-protected process that first needs to obtain Microsoft’s signature.

Morphisec said that the success of this attack is based on two assumptions: First, it is not possible for the CIG process to run on the system; second, CIG-protected processes can perform processes that are not protected by the CIG.

In simple terms, the first thing an attacker has to do is to gain control of a process that is not protected by the CIG, and then inject malicious code into it. Using this as a “springboard” will eventually work on the CIG-protected application process.

Morphisec disclosed vulnerability details and proof of concept (PoC) codes to Microsoft to help address this vulnerability. Microsoft did not classify CIGslip as a security issue because they believed that CIG could prevent all unsigned DLLs from being loaded, but said that it would fix the vulnerability.

Source: morphisec