Malware authors can exploit a flaw in the Windows Code Integrity Guard (CIG) security mechanism to inject malicious, unsigned code into CIG-protected applications, considered to be immune to such attacks.

The technique —named CIGslip— impacts Microsoft's Code Integrity Guard (CIG), a security system that Microsoft first introduced in 2015 with the launch of Windows 10.

CIG was part of Device Guard, and Microsoft used this mechanism to prevent tampering of OS drivers loaded in Windows 10. Following its launch, Microsoft expanded CIG to Microsoft Edge [1, 2], and later also allowed software developers to deploy CIG with their own applications.

An application coded to support CIG will only load code (DLLs, binaries) that are signed with a Microsoft or Windows Store certificate.

CIG's main benefit is that even if a user's computer is infected, malware won't be able to inject malicious code into CIG-protected apps. For example, a banking trojan won't be able to load the code necessary to show phishing pages inside Edge, a CIG-protected app.

CIGslip attack bypasses Code Integrity Guard protections

But MorphiSec security researchers revealed today that there is a way to bypass CIG checks by placing the malicious code inside a non-CIG process and injecting it into a CIG-protected app from there.

The technical details of the CIGslip attack are detailed in more depth in MorphiSec's CIGslip report. A video demo is available here.

Expect CIGslip in banking trojans and adware

Michael Gorelik, Morphisec CTO and VP of R&D, says CIGslip has "serious destructive potential if becomes popular."

Banking trojans are probably the first place someone could expect to see CIGslip, but the attack is just as useful for adware developers, always looking for new ways to overlay ads on top of legitimate sites.

But Gorelik argues that the technique could also be abused by legitimate security vendors as well. The reason is that for an antivirus to check browser-based malware, they need to go through a lengthy technical and legal process and have Microsoft sign the AV's DLLs. CIGslip also allows shady antivirus makers a way around this lengthy and cumbersome process.

Microsoft notified, but a patch isn't coming right away

MorphiSec has notified Microsoft of their findings, but despite the attack's gravity, Microsoft has not classified CIGslip as a security issue. The reasons are explained in Microsoft's bug bounty program, here.

This doesn't mean Microsoft doesn't plan to fix CIGslip, but only that it won't prioritize the patch as a "security update," which usually receive more attention and urgent patches part of the monthly Patch Tuesday security updates. A CIGslip patch will probably land at a later time.