kernel drivers

Winsage
March 13, 2025
On Tuesday morning, PC gamers received unexpected alerts from Windows Defender regarding a tool called WinRing0, which raised concerns about potential security breaches. This issue affected various hardware monitoring applications, including Razer Synapse, SteelSeries Engine, and MSI Afterburner, leading to erratic computer behavior after the HackTool was quarantined. Developers noted that WinRing0, while useful for accessing hardware data, has been flagged due to security vulnerabilities. Microsoft is under pressure to tighten software access to low-level hardware, prompting scrutiny of WinRing0. Some developers labeled the detection as a "false positive," arguing that their applications are not malicious. Timothy Sun's company developed a proprietary SMBus driver to avoid WinRing0, but this transition required significant resources. WinRing0 has been patched, but challenges remain in getting a new version signed by Microsoft. iBuyPower has expressed interest in pursuing a signed update for WinRing0, while companies like Razer and SteelSeries are working to eliminate reliance on it in their software updates.
Winsage
November 19, 2024
Microsoft is introducing a feature called "Quick Machine Recovery" to help IT administrators remotely fix unbootable systems via Windows Update, following a significant outage in July 2024 caused by a problematic update to the CrowdStrike Falcon software. This outage affected various critical sectors globally, leading to issues like boot loops and the Blue Screen of Death for users. The Quick Machine Recovery feature will allow targeted fixes without physical access to the machines and is expected to roll out in early 2025 for Windows 11 Insider Program participants. Additionally, Microsoft is working with security vendors on the Microsoft Virus Initiative (MVI) to develop tools that allow security software to operate outside the Windows kernel, reducing risks associated with kernel-level access. This initiative includes adopting Safe Deployment Practices for gradual and monitored updates. A private preview of these developments will be available in July 2025. Microsoft has also launched a new Windows 11 administrator protection feature and is focusing significant resources on security challenges through its Secure Future Initiative (SFI).
Winsage
October 28, 2024
Recent findings have identified a vulnerability in fully patched Windows 11 systems that allows attackers to install custom rootkits, which can bypass endpoint security and maintain persistence on compromised systems. This vulnerability is linked to a downgrade attack technique demonstrated by SafeBreach researcher Alon Leviev at Black Hat USA 2024, using an exploit tool called Windows Downdate. This tool enables an attacker with administrative access to manipulate the Windows Update process, reverting patched components to vulnerable states. Leviev's demonstration showed that even systems using virtualization-based security (VBS) are at risk, as he could downgrade VBS features and expose previously fixed privilege escalation vulnerabilities. Microsoft has patched two vulnerabilities (CVE-2024-21302 and CVE-2024-38202) but has not addressed the core issue of the downgrade capability. Microsoft maintains that the ability for an admin-level user to gain kernel code execution does not cross a security boundary. Leviev released details of a new downgrade attack on October 26, using the Windows Downdate tool to revive a driver signature enforcement bypass attack. He categorized this flaw as False File Immutability (FFI), exploiting incorrect assumptions about file immutability. He noted that downgrading specific OS modules, like CI.dll, allows exploitation even with VBS enabled. Tim Peck from Securonix highlighted that the attacks exploit Windows' failure to validate DLL version numbers properly, enabling the use of outdated, vulnerable files. Microsoft is actively developing mitigations against these risks, including a security update to revoke outdated VBS system files, although specific measures and timelines are not yet disclosed.
Winsage
October 28, 2024
Microsoft's approach to security vulnerabilities has been criticized for not classifying scenarios where an attacker with administrative privileges can execute kernel-level code as critical vulnerabilities. SafeBreach researchers highlighted that this narrow definition leaves systems vulnerable to custom rootkits that can bypass essential security controls. They identified CVE-2024-21302, a privilege escalation vulnerability affecting the Windows virtualization stack, and CVE-2024-38202, which allows attackers to exploit the Windows Update process to disable security features like Driver Signature Enforcement and virtualization-based security. Microsoft is actively developing mitigations for these vulnerabilities and has released a security update for CVE-2024-38202 on October 15, with further updates planned for CVE-2024-21302.
Winsage
October 28, 2024
A newly identified attack technique poses a risk to fully patched Windows systems by circumventing Microsoft's Driver Signature Enforcement (DSE), potentially enabling operating system downgrade attacks that allow malicious actors to load unsigned kernel drivers. This vulnerability is linked to two privilege escalation flaws in the Windows update mechanism, identified as CVE-2024-21302 and CVE-2024-38202, which can be exploited to revert updated systems to earlier versions with unpatched security weaknesses. A tool called Windows Downdate can hijack the Windows Update process, facilitating undetectable downgrades of critical OS components. The exploit takes advantage of a race condition to replace a verified security catalog file with a malicious version, allowing the loading of an unsigned kernel driver. The DSE bypass can be executed by downgrading the "ci.dll" library, but can be thwarted if Virtualization-Based Security (VBS) is active on the host. Attackers can disable VBS by manipulating registry keys, and the attack fails only if VBS is enabled with a UEFI lock and a "Mandatory" flag, which prevents booting if VBS files are corrupted. Microsoft has addressed the vulnerabilities in August and October 2024.
Winsage
October 26, 2024
SafeBreach security researcher Alon Leviev has identified a vulnerability in the Windows operating system that allows attackers to downgrade kernel components, bypassing security measures like Driver Signature Enforcement (DSE). This vulnerability enables the installation of rootkits on fully patched systems. Leviev demonstrated that attackers can manipulate the Windows Update process to introduce outdated components without altering the system's patched status. He introduced a tool called Windows Downdate, which allows the creation of custom downgrades, exposing updated systems to previously patched vulnerabilities. Leviev's method, named "ItsNotASecurityBoundary," exploits a flaw in the DSE, allowing unsigned kernel drivers to be loaded and facilitating the deployment of rootkit malware. Despite Microsoft addressing the privilege escalation aspect of this vulnerability, it does not protect against downgrade attacks. Leviev's research shows that attackers can replace the 'ci.dll' file responsible for enforcing DSE with an unpatched version during the Windows Update process, thereby circumventing protections. He also discussed methods to disable Microsoft's Virtualization-based Security (VBS), which is designed to protect critical resources, by modifying registry keys. Leviev emphasizes the need for endpoint security tools to monitor downgrade procedures to mitigate these risks.
Tech Optimizer
September 19, 2024
Microsoft is considering changes to the interaction of security products with the Windows software kernel, prompted by a significant IT outage affecting CrowdStrike customers. If Microsoft restricts access to load kernel drivers, security vendors will need to redesign their products to operate with lower privileges. The impact of these changes on Microsoft's own Defender, which currently operates at the kernel level, remains uncertain.
Winsage
July 29, 2024
A CrowdStrike update caused millions of Windows machines to crash, leading Microsoft to release an analysis of the incident. CrowdStrike identified a bug in its software as the cause and committed to improving its quality assurance processes. Microsoft confirmed that the issue was an out-of-bounds read memory safety error in the CSagent.sys driver. Microsoft explained the importance of kernel drivers for security products, noting their role in system-wide visibility and performance, but also acknowledged the complexities and risks associated with kernel-level operations. Following the incident, Microsoft proposed four steps to enhance Windows security, including safe rollout guidance, reducing kernel driver access, improving isolation and anti-tampering capabilities, and implementing zero trust approaches.