Security Experts:

Connect with us

Hi, what are you looking for?



AtomBombing: The Windows Vulnerability that Cannot be Patched

Researchers have discovered a code-injection vulnerability in the Windows operating system that cannot, because of the nature of the operating system, be patched. It could be used to bypass current malware protection solutions in place.

Researchers have discovered a code-injection vulnerability in the Windows operating system that cannot, because of the nature of the operating system, be patched. It could be used to bypass current malware protection solutions in place.

“Unfortunately,” writes enSilo researcher Tal Liberman in a report published Oct. 27, “this issue cannot be patched since it doesn’t rely on broken or flawed code — rather it’s a flaw in how these operating system mechanisms are designed.”

The attack technique has been labeled ‘AtomBombing‘. It manipulates Windows’ underlying Atom Tables mechanisms. Atom Tables are used to hold data strings. Applications place the strings into the table and receive back an ‘atom’ identifier for the string.

Windows has several different Atom Tables for different purposes. The Global Atom Table can be used to share data between different DDE applications. “Rather than passing actual strings, a DDE application passes global atoms to its partner application. The partner uses the atoms to obtain the strings from the atom table,” explains Microsoft’s own data sheet

enSilo has discovered that an attacker can write malicious code into an atom table, and force a legitimate program to retrieve that malicious code. Furthermore, wrote Liberman, “We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.”

The result is that maliciousness has been passed from an unknown malicious application to a known good application or process. While security defenses are on red alert to detect and block malicious applications, they often whitelist known good applications or processes. That is the attraction of ‘code injection’ as an attack vector: where it can be achieved, it can be used, notes Liberman, “to bypass security products, hide from the user, and extract sensitive information that would otherwise be unattainable.”

Liberman gives two examples of how AtomBomb code injection can help the attacker to access context-specific data. The first is taking screenshots. Processes can only do this from within the context of the user’s desktop. Malware, however, usually lands in the services desktop, and is unable to execute user screenshots. AtomBombing would allow the attacker to inject code from the services desktop into a process already running within the user desktop, take the screenshot, and pass it back to the malware in the services desktop.

The second example is access to encrypted passwords. Chrome, for example, encrypts users’ stored passwords using the Windows Data Protection API (DPAPI) together with data derived from the current user. Again, passwords can only be accessed from within the user context — which AtomBombing can achieve. “If the malware injects code into a process that’s already running in the context of the current user,” writes Liberman, “the plain-text passwords can be easily accessed.”

The problem for users is that AtomBombing cannot be fixed — it’s the way Windows works. With no chance of a patch, the solution is some other form of mitigation. enSilo believes the issue is another argument for a shift of emphasis from attack prevention to consequence mitigation. “Under the assumption that threat actors will always exploit known and unknown techniques, we need to build our defenses in a way that prevents the consequences of the attack once the threat actor has already compromised the environment.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.