Security Experts:

Connect with us

Hi, what are you looking for?



AtomBombing: The Windows Vulnerability that Cannot be Patched

Researchers have discovered a code-injection vulnerability in the Windows operating system that cannot, because of the nature of the operating system, be patched. It could be used to bypass current malware protection solutions in place.

Researchers have discovered a code-injection vulnerability in the Windows operating system that cannot, because of the nature of the operating system, be patched. It could be used to bypass current malware protection solutions in place.

“Unfortunately,” writes enSilo researcher Tal Liberman in a report published Oct. 27, “this issue cannot be patched since it doesn’t rely on broken or flawed code — rather it’s a flaw in how these operating system mechanisms are designed.”

The attack technique has been labeled ‘AtomBombing‘. It manipulates Windows’ underlying Atom Tables mechanisms. Atom Tables are used to hold data strings. Applications place the strings into the table and receive back an ‘atom’ identifier for the string.

Windows has several different Atom Tables for different purposes. The Global Atom Table can be used to share data between different DDE applications. “Rather than passing actual strings, a DDE application passes global atoms to its partner application. The partner uses the atoms to obtain the strings from the atom table,” explains Microsoft’s own data sheet

enSilo has discovered that an attacker can write malicious code into an atom table, and force a legitimate program to retrieve that malicious code. Furthermore, wrote Liberman, “We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.”

The result is that maliciousness has been passed from an unknown malicious application to a known good application or process. While security defenses are on red alert to detect and block malicious applications, they often whitelist known good applications or processes. That is the attraction of ‘code injection’ as an attack vector: where it can be achieved, it can be used, notes Liberman, “to bypass security products, hide from the user, and extract sensitive information that would otherwise be unattainable.”

Liberman gives two examples of how AtomBomb code injection can help the attacker to access context-specific data. The first is taking screenshots. Processes can only do this from within the context of the user’s desktop. Malware, however, usually lands in the services desktop, and is unable to execute user screenshots. AtomBombing would allow the attacker to inject code from the services desktop into a process already running within the user desktop, take the screenshot, and pass it back to the malware in the services desktop.

The second example is access to encrypted passwords. Chrome, for example, encrypts users’ stored passwords using the Windows Data Protection API (DPAPI) together with data derived from the current user. Again, passwords can only be accessed from within the user context — which AtomBombing can achieve. “If the malware injects code into a process that’s already running in the context of the current user,” writes Liberman, “the plain-text passwords can be easily accessed.”

The problem for users is that AtomBombing cannot be fixed — it’s the way Windows works. With no chance of a patch, the solution is some other form of mitigation. enSilo believes the issue is another argument for a shift of emphasis from attack prevention to consequence mitigation. “Under the assumption that threat actors will always exploit known and unknown techniques, we need to build our defenses in a way that prevents the consequences of the attack once the threat actor has already compromised the environment.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.