Outdated Windows kernel components can be installed to bypass defense systems


Experts have uncovered a method allowing cybercriminals to bypass Windows security features such as Driver Signature Enforcement (DSE), and thus install rootkits on fully updated systems.

A report from cybersecurity researcher Alon Leviev of SafeBreach claims the attack is possible by downgrading certain Windows kernel components.

By taking over the Windows Update process, crooks can add outdated, vulnerable software components, making a system look “fully patched” even though it isn’t. Apparently, even fully patched Windows 11 devices can be targeted this way.

Rising sophistication

The researcher claims to have reported this issue to Microsoft, but the software giant didn’t fix it, saying it didn’t break a “security boundary” since an attacker would already need administrator access.

Leviev demonstrated the issue at the Black Hat and DEF CON 2024 events, and shared a tool, Windows Downdate, which allows creating downgrades that reopen old vulnerabilities.

He claimed to have managed to downgrade patched components on Windows 11, bring back the DSE bypass and enable the use of unsigned drivers. As a result, he was able to install rootkits that can turn off security software, hide malicious activity, and more.

In his attack, Leviev replaced a key Windows file called ci.dll (the kernel-mode code integrity component) with an unpatched, but still Microsoft-signed, older version. After replacing the file, the system needs a restart, which makes it look like a normal update. Leviev also demonstrated methods to disable or bypass Virtualization-Based Security (VBS) by modifying specific settings and files, further weakening protections on the system.


Microsoft is now working on a fix to block outdated system files and prevent downgrade attacks; however, the release date is not yet set, as protecting against these issues apparently requires careful testing to prevent system disruptions.

Until then, Leviev advises organizations to monitor for downgrade attacks.
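One way to do that monitoring, as an added example that is not from the article and is not SafeBreach's Windows Downdate tool: record a baseline of the code-integrity binaries and the VBS state on a known-good, fully patched machine, then periodically compare. The check that matters is a version regression, because the file a downgrade attack installs is a legitimately signed but older Microsoft binary, so an Authenticode check alone will pass. ci.dll is the file the article names; ntoskrnl.exe and securekernel.exe are added here as further kernel components worth watching, and the baseline path in the usage lines is arbitrary.

```powershell
# Added example (not code from the article or from Windows Downdate).
# Assumptions: the watched-file list beyond ci.dll and the baseline location are
# this example's choices, not anything the article specifies.

$WatchedFiles = @(
    "$env:SystemRoot\System32\ci.dll",           # kernel-mode code integrity (named in the article)
    "$env:SystemRoot\System32\ntoskrnl.exe",     # added: NT kernel image
    "$env:SystemRoot\System32\securekernel.exe"  # added: VBS secure kernel
)

function Get-CiInventory {
    # Version (as a comparable string), Authenticode status and SHA-256 of each watched file.
    foreach ($path in $WatchedFiles) {
        $vi  = (Get-Item -LiteralPath $path -ErrorAction Stop).VersionInfo
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{
            Path      = $path
            Version   = $ver.ToString()
            Signature = (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
            Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

function Get-VbsState {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = VBS running;
    # SecurityServicesRunning contains 2 when HVCI (memory integrity) is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning  = [bool]($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

function Export-CiBaseline {
    param([Parameter(Mandatory)][string]$Path)
    # Run once on a known-good, fully patched machine.
    [pscustomobject]@{
        Taken = (Get-Date).ToString('o')
        Files = @(Get-CiInventory)
        Vbs   = Get-VbsState
    } | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $Path -Encoding UTF8
}

function Compare-CiBaseline {
    param([Parameter(Mandatory)][string]$Path)
    # Returns one line per finding; an empty result means nothing regressed.
    $base     = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    $current  = @(Get-CiInventory)
    $vbs      = Get-VbsState
    $findings = @()

    foreach ($b in $base.Files) {
        $c = $current | Where-Object { $_.Path -eq $b.Path }
        if (-not $c) { $findings += "MISSING: $($b.Path)"; continue }
        # The key check: a legitimately signed but OLDER Microsoft binary is exactly
        # what a downgrade attack installs, so compare versions, not just signatures.
        if ([version]$c.Version -lt [version]$b.Version) {
            $findings += "DOWNGRADE: $($b.Path) $($b.Version) -> $($c.Version)"
        }
        if ($c.Signature -ne 'Valid') {
            $findings += "SIGNATURE $($c.Signature): $($b.Path)"
        }
        if ([version]$c.Version -eq [version]$b.Version -and $c.Sha256 -ne $b.Sha256) {
            $findings += "HASH CHANGED at same version: $($b.Path)"
        }
    }
    if ($base.Vbs.VbsRunning  -and -not $vbs.VbsRunning)  { $findings += 'VBS was running at baseline and is now off' }
    if ($base.Vbs.HvciRunning -and -not $vbs.HvciRunning) { $findings += 'HVCI was running at baseline and is now off' }
    return $findings
}

# Usage:
#   Export-CiBaseline  -Path C:\ProgramData\ci-baseline.json
#   Compare-CiBaseline -Path C:\ProgramData\ci-baseline.json
```

Two caveats. Legitimate cumulative updates also change these files, so a baseline must be refreshed after each patch cycle, and a version that went up is expected while one that went down is the finding. And because the attack already requires administrator rights, an attacker can edit a baseline stored on the same host; ship the JSON (or the findings) to a log collector or keep the baseline somewhere the host cannot write.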

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for many media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
