Researchers have uncovered a technique to bypass Windows Defender Application Control (WDAC), the Windows security feature designed to prevent unauthorized code execution. WDAC functions as an application whitelisting mechanism, enforcing policies that only allow explicitly trusted executables, scripts, and drivers to run on a system. It is particularly valuable in environments where system integrity is paramount, which makes this discovery especially concerning for organizations relying on WDAC as a core security control.

According to lead researcher Valentina Palmiotti, the technique targets signed, trusted Electron applications that contain vulnerabilities in their embedded V8 JavaScript engine. Because these applications are already whitelisted in WDAC policies, they provide an ideal vector for executing arbitrary code: by exploiting the underlying V8 engine, attackers can execute malicious code even under the strictest WDAC policies. The research showed that even the most stringent WDAC configurations can be circumvented in this way, demonstrating how trusted applications become vehicles for attack when they contain exploitable vulnerabilities.

The bypass employs what the researchers termed "argument smuggling" to execute malicious code. To overcome inconsistent offsets across different Windows versions, they developed a "just-in-time exploit engine" that tries multiple possible offsets until execution succeeds.

What makes the attack particularly stealthy is that execution occurs within the context of a browser-like process, where behaviors that might otherwise trigger endpoint detection and response (EDR) systems appear normal, such as having RWX (read-write-execute) memory mapped for just-in-time compilation.

While Electron has introduced an experimental integrity verification feature that could prevent such attacks in newer versions, many popular applications have yet to adopt this protection. This leaves numerous environments exposed to the bypass and highlights the ongoing cat-and-mouse game between security mechanisms and new exploitation methods.
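The practical question for a defender reading this is which signed, whitelisted Electron applications exist in the environment and whether WDAC is actually enforcing user-mode code integrity. The following PowerShell script is an added example (not code from the article or from the researchers) that answers both. It assumes Electron applications can be recognised by the heuristic of a resources\app.asar bundle beside the main executable, and that the search roots listed cover the usual per-machine and per-user install locations; the 0/1/2 status values come from the Win32_DeviceGuard WMI class.

```powershell
# Added example (not from the article): defender-side inventory of the attack
# surface described above. It reports whether WDAC is enforcing user-mode and
# kernel-mode code integrity, and lists installed Electron-based applications
# together with their Authenticode signer, since a signed, whitelisted Electron
# app is the vehicle the bypass relies on.
# Assumptions: an Electron app is identified by a resources\app.asar file next to
# its launcher; the search roots are the common install locations only.

function Get-WdacEnforcementStatus {
    # Win32_DeviceGuard exposes code-integrity policy status:
    # 0 = off, 1 = audit mode, 2 = enforced
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $map = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    [pscustomobject]@{
        UserModeCodeIntegrity   = $map[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        KernelModeCodeIntegrity = $map[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    }
}

function Get-ElectronApp {
    param(
        # Assumed install roots; extend for non-standard deployment paths
        [string[]]$SearchRoot = @(
            $env:ProgramFiles,
            ${env:ProgramFiles(x86)},
            (Join-Path $env:LOCALAPPDATA 'Programs'),
            $env:LOCALAPPDATA
        )
    )
    foreach ($root in ($SearchRoot | Where-Object { $_ -and (Test-Path $_) })) {
        # app.asar is the packaged application bundle Electron loads at startup
        Get-ChildItem -Path $root -Recurse -Depth 4 -Filter 'app.asar' -ErrorAction SilentlyContinue |
            Where-Object { $_.Directory.Name -eq 'resources' } |
            ForEach-Object {
                $appDir = $_.Directory.Parent.FullName
                # Heuristic: the first executable in the app directory is the launcher
                $exe = Get-ChildItem -Path $appDir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
                    Select-Object -First 1
                if ($exe) {
                    $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
                    [pscustomobject]@{
                        Application = $exe.Name
                        Path        = $exe.FullName
                        SignerName  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                        Signature   = $sig.Status
                    }
                }
            }
    }
}

# Usage: run in an elevated PowerShell session on the host being assessed
Get-WdacEnforcementStatus | Format-List
Get-ElectronApp | Sort-Object Path -Unique | Format-Table -AutoSize
```

A result of "Audit" for user-mode code integrity means WDAC is logging rather than blocking, so the policy offers no protection regardless of the Electron issue; the application list is the set of binaries whose signer rules should be reviewed, and whose vendors should be asked whether they ship Electron's integrity verification.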
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 15 May 2025 16:14:54 +0000