New Windows Driver Signature bypass allows kernel rootkit installs
A new vulnerability allows attackers to bypass Windows Driver Signature Enforcement, downgrading kernel components on patched systems. The Windows Downdate tool facilitates this, highlighting the need for improved endpoint security.
A new vulnerability has been discovered that allows attackers to bypass Windows Driver Signature Enforcement (DSE) and install kernel rootkits on fully patched systems. This is achieved by manipulating the Windows Update process to downgrade critical kernel components, such as the 'ci.dll' file, which is responsible for enforcing driver signatures. The researcher Alon Leviev demonstrated this exploit at security conferences, revealing that even updated systems can be made susceptible to previously patched vulnerabilities. Microsoft has acknowledged the issue but, because the attack starts from an administrator account, claims it does not cross a defined security boundary. Leviev's tool, Windows Downdate, enables the creation of custom downgrades, effectively rendering the term "fully patched" meaningless. The attack exploits a "race window" condition during the update process, allowing outdated components to load while the system believes it is using the latest versions. Additionally, the research highlights potential methods to disable Microsoft's Virtualization-based Security (VBS), which is designed to protect critical system resources. Leviev emphasizes the need for enhanced endpoint security measures to monitor downgrade procedures, as these attacks can occur even without crossing major security boundaries.
- A new method allows attackers to bypass Windows Driver Signature Enforcement.
- The exploit can downgrade kernel components, making patched systems vulnerable.
- The Windows Downdate tool facilitates the creation of custom downgrades.
- The attack exploits a timing issue during the Windows Update process.
- Enhanced endpoint security is necessary to monitor and prevent downgrade attacks.
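The monitoring the summary calls for can start with something as plain as a version tripwire on the binaries a DSE downgrade has to replace. The following PowerShell is an added example, not code from the article, from Leviev, or from Windows Downdate: it snapshots the file version and Authenticode state of ci.dll and the kernel binaries, later compares the live system against that snapshot, and also reads the VBS/HVCI state from the Win32_DeviceGuard WMI class. The System32 paths and the WMI class are standard; the baseline file location and the function names are assumptions made here.

```powershell
# Added example, not code from the article or from Windows Downdate: baseline the
# Code Integrity / kernel binaries that a DSE downgrade would replace, then re-check
# them for a version rollback, a non-Microsoft signature, or VBS/HVCI being off.
# File paths are the standard System32 locations; $BaselinePath is an assumed location.

$Components = @(
    "$env:SystemRoot\System32\ci.dll",            # Code Integrity: enforces driver signing (DSE)
    "$env:SystemRoot\System32\ntoskrnl.exe",      # NT kernel
    "$env:SystemRoot\System32\securekernel.exe",  # VBS secure kernel
    "$env:SystemRoot\System32\skci.dll"           # Secure Kernel code integrity
)
$BaselinePath = Join-Path $env:ProgramData 'kernel-ci-baseline.json'   # assumed path

function Get-ComponentState {
    # One object per component: a comparable [version] plus its Authenticode state.
    foreach ($p in $Components) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $fi  = (Get-Item -LiteralPath $p).VersionInfo
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path    = $p
            Version = [version]::new($fi.FileMajorPart, $fi.FileMinorPart, $fi.FileBuildPart, $fi.FilePrivatePart)
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Status  = [string]$sig.Status
        }
    }
}

function Save-Baseline {
    # Run once on a system you trust; later checks compare against this snapshot.
    Get-ComponentState |
        Select-Object Path, @{ n = 'Version'; e = { $_.Version.ToString() } }, Signer, Status |
        ConvertTo-Json |
        Set-Content -LiteralPath $BaselinePath -Encoding UTF8
}

function Test-Downgrade {
    # Returns a list of findings; an empty list means nothing moved in the wrong direction.
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        throw "No baseline at $BaselinePath; run Save-Baseline on a known-good system first."
    }
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($cur in Get-ComponentState) {
        $base = $baseline | Where-Object { $_.Path -eq $cur.Path }
        if (-not $base) { continue }
        # A lower file version than the baseline is the downgrade the article describes.
        if ($cur.Version -lt [version]$base.Version) {
            $findings.Add("DOWNGRADE  $($cur.Path): now $($cur.Version), baseline $($base.Version)")
        }
        if ($cur.Status -ne 'Valid' -or $cur.Signer -notmatch 'Microsoft') {
            $findings.Add("SIGNATURE  $($cur.Path): status=$($cur.Status) signer='$($cur.Signer)'")
        }
    }

    # VBS and HVCI state from the DeviceGuard WMI class:
    # VirtualizationBasedSecurityStatus 2 = running; SecurityServicesRunning contains 2 when HVCI is on.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    if ($dg.VirtualizationBasedSecurityStatus -ne 2) {
        $findings.Add("VBS        not running (status $($dg.VirtualizationBasedSecurityStatus))")
    }
    if (-not ($dg.SecurityServicesRunning -contains 2)) {
        $findings.Add("HVCI       not running")
    }
    return $findings
}

# Usage: Save-Baseline once, then run Test-Downgrade from a scheduled task and ship its output.
# Test-Downgrade | ForEach-Object { Write-Warning $_ }
```

Two caveats on reading the output. First, the signature check will not catch this attack on its own: the downgraded ci.dll is an old but genuinely Microsoft-signed file, which is the whole point of the technique, so the version comparison is the finding that matters. Second, the script runs on the same host the attacker is taking over, so a rootkit that has already loaded can lie to it; treat it as a tripwire for the downgrade step, run it from an agent that forwards results off-box, and expect legitimate rollbacks (an uninstalled cumulative update) to trigger it too, so a hit is an event to investigate rather than to auto-remediate.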
Related
Microsoft calls for Windows changes and resilience after CrowdStrike outage
Microsoft is reconsidering security vendor access to the Windows kernel after a CrowdStrike update outage affected 8.5 million PCs, emphasizing the need for improved resilience and collaboration in security practices.
Marcus Hutchins-Microsoft claim that CrowdStrike was enabled by EU rule is false [video]
A malware expert discusses the CrowdStrike outage, misconceptions about antivirus software, and Windows security challenges, highlighting issues with kernel rootkits, ineffective measures in Vista, and UAC circumvention by malware.
About that Windows Installer 'make me admin' security hole. How it's exploited
Microsoft patched a critical Windows Installer vulnerability, CVE-2024-38014, allowing privilege escalation. SEC Consult released a tool to identify vulnerable files, urging users to apply the patch promptly.
Microsoft Says Windows Update Zero-Day Being Exploited to Undo Security Fixes
Microsoft warns of a critical vulnerability, CVE-2024-43491, in Windows 10, version 1507, exploited to reverse security fixes. Users should install specific updates. Adobe also issued patches for critical flaws.
Exploit Released for New Windows Server "WinReg" NTLM Relay Attack
A proof-of-concept exploit for Microsoft's CVE-2024-43532 vulnerability allows NTLM relay attacks, affecting Windows Server 2008-2022 and Windows 10/11, with detection methods recommended by researchers.
- Many users question the effectiveness of Microsoft's security measures, particularly regarding UAC and driver signing enforcement.
- There is a general sentiment that Windows is perceived as more vulnerable to attacks compared to other operating systems.
- Some commenters express frustration over the complexity and resources required for compliance with Microsoft's security protocols.
- Several users highlight the simplicity of the attack method, suggesting it points to deeper design flaws in the OS.
- There are mixed feelings about the implications of the vulnerability, with some seeing potential for misuse while others note possible benefits in bypassing restrictions.
Then they say admin to kernel (in this case) isn’t a security boundary.
While also saying that driver signing enforcement is a security feature.
Which is what’s being bypassed here.
But they claim in this case it’s not crossing a security boundary.
Please make sense.
(UAC is marginally better than sudo: UAC is system managed UI, while sudo is just a program. An attacker can plug in a malicious shell alias for sudo and steal your password.)
IMHO, it'd be more convenient for users and more reflective of actual security posture to get rid of both sudo and UAC (in the default setup of course) and stop pretending that there's a firm security boundary between root and the primary human local user account.
It's worth noting that Linux just got rid of its last vestige of mandatory locking. Now you can write a loaded executable without getting EBUSY. Interesting how exactly the same feature on one OS can be a load bearing part of the security infrastructure and on another OS legacy crud to be deleted.
See also Raymond Chen's summary of this class of attack:
https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31...
Is the root cause here an OS design issue or just a process failure where they failed to note the broken/bad hashes in the correct spot? The latter is much easier to fix, but the (slightly spun, as always) security announcement seems to claim the former.
In that Vimeo account there are a ton of other security discoveries. E.g. WhatsApp running a Python script. Is this real or a scam?
> possible by gaining kernel code execution as an administrator
The root user can install rootkits as usual. Don't forget to brand it a cool name.... Oh wait: > The researcher published a tool called Windows Downdate
There you go, here's your 0xF minutes of fame, well played. K.
edit: VPN, ssh -D to vps & socks5 localhost worked. Can't have anything anymore.