kernel drivers Archives

Tech Optimizer

October 11, 2025

Hackers Can Inject Malicious Code into Antivirus Processes to Create a Backdoor

A new cybersecurity technique allows attackers to exploit antivirus software by injecting malicious code into its processes, evading detection and compromising security. The method involves cloning protected services and hijacking cryptographic providers to create a backdoor in the antivirus installation folder. This technique takes advantage of antivirus solutions' reliance on operating system features and less-guarded auxiliary components. By exporting and importing registry keys, attackers can create a duplicate service that retains the original's configurations, allowing for the injection of malicious DLLs during service startup. An open-source tool named IAmAntimalware automates this process, successfully demonstrating the technique with various antivirus programs. To mitigate these threats, monitoring of module loads, auditing trusted certificates, and enforcing security features are recommended.

Winsage

June 26, 2025

Microsoft is moving antivirus providers out of the Windows kernel

Microsoft is preparing to initiate a private preview of new Windows changes aimed at relocating antivirus (AV) and endpoint detection and response (EDR) applications away from the Windows kernel. This initiative follows a significant incident involving a faulty update from CrowdStrike that disrupted 8.5 million Windows-based machines globally. Microsoft is collaborating with industry leaders such as CrowdStrike, Bitdefender, ESET, and Trend Micro to develop a new endpoint security platform. The company is engaging its top engineers, including original architects of Windows, to work on these security enhancements. The upcoming private preview will allow security vendors to suggest modifications, with several iterations anticipated before the final version is ready. Microsoft is also addressing concerns related to kernel-level drivers in anti-cheating engines for gaming and is engaging with game developers on minimizing kernel usage. A forthcoming Windows update will introduce a Quick Machine Recovery feature to expedite restoration of machines encountering boot issues. Additionally, Microsoft is redesigning the Blue Screen of Death (BSOD) from blue to black as part of its commitment to enhancing user experience and system reliability.

Winsage

June 26, 2025

Microsoft rolls out Windows security changes to prevent another CrowdStrike meltdown

Last summer's CrowdStrike incident caused significant disruptions in healthcare, banking, and air travel, resulting in billions of dollars in damages. In response, Microsoft held a security summit with experts from CrowdStrike and other firms to address vulnerabilities. Microsoft announced Safe Deployment practices and architectural changes to enhance Windows security, including relocating third-party security drivers from the Windows kernel to user space. This change aims to reduce risks associated with kernel-level flaws. Upcoming features in Windows 11 24H2 include a streamlined crash report process, replacing the Blue Screen of Death with an "unexpected restart" screen, and a quick machine recovery (QMR) capability to automate fixes during outages. Additionally, Windows Autopatch will allow network administrators to deploy updates with fewer required restarts for Windows 11 Enterprise PCs, limiting them to once every three months.

Winsage

March 13, 2025

WinRing0: Why Windows is flagging your PC monitoring and fan control apps as a threat

On Tuesday morning, PC gamers received unexpected alerts from Windows Defender regarding a tool called WinRing0, which raised concerns about potential security breaches. This issue affected various hardware monitoring applications, including Razer Synapse, SteelSeries Engine, and MSI Afterburner, leading to erratic computer behavior after the HackTool was quarantined. Developers noted that WinRing0, while useful for accessing hardware data, has been flagged due to security vulnerabilities. Microsoft is under pressure to tighten software access to low-level hardware, prompting scrutiny of WinRing0. Some developers labeled the detection as a "false positive," arguing that their applications are not malicious. Timothy Sun's company developed a proprietary SMBus driver to avoid WinRing0, but this transition required significant resources. WinRing0 has been patched, but challenges remain in getting a new version signed by Microsoft. iBuyPower has expressed interest in pursuing a signed update for WinRing0, while companies like Razer and SteelSeries are working to eliminate reliance on it in their software updates.

Winsage

November 19, 2024

New Windows 11 recovery tool to let admins remotely fix unbootable devices

Microsoft is introducing a feature called "Quick Machine Recovery" to help IT administrators remotely fix unbootable systems via Windows Update, following a significant outage in July 2024 caused by a problematic update to the CrowdStrike Falcon software. This outage affected various critical sectors globally, leading to issues like boot loops and the Blue Screen of Death for users. The Quick Machine Recovery feature will allow targeted fixes without physical access to the machines and is expected to roll out in early 2025 for Windows 11 Insider Program participants. Additionally, Microsoft is working with security vendors on the Microsoft Virus Initiative (MVI) to develop tools that allow security software to operate outside the Windows kernel, reducing risks associated with kernel-level access. This initiative includes adopting Safe Deployment Practices for gradual and monitored updates. A private preview of these developments will be available in July 2025. Microsoft has also launched a new Windows 11 administrator protection feature and is focusing significant resources on security challenges through its Secure Future Initiative (SFI).

Winsage

October 28, 2024

Windows ‘Downdate’ Attack Makes Patched PCs Vulnerable

Recent findings have identified a vulnerability in fully patched Windows 11 systems that allows attackers to install custom rootkits, which can bypass endpoint security and maintain persistence on compromised systems. This vulnerability is linked to a downgrade attack technique demonstrated by SafeBreach researcher Alon Leviev at Black Hat USA 2024, using an exploit tool called Windows Downdate. This tool enables an attacker with administrative access to manipulate the Windows Update process, reverting patched components to vulnerable states. Leviev's demonstration showed that even systems using virtualization-based security (VBS) are at risk, as he could downgrade VBS features and expose previously fixed privilege escalation vulnerabilities. Microsoft has patched two vulnerabilities (CVE-2024-21302 and CVE-2024-38202) but has not addressed the core issue of the downgrade capability. Microsoft maintains that the ability for an admin-level user to gain kernel code execution does not cross a security boundary. Leviev released details of a new downgrade attack on October 26, using the Windows Downdate tool to revive a driver signature enforcement bypass attack. He categorized this flaw as False File Immutability (FFI), exploiting incorrect assumptions about file immutability. He noted that downgrading specific OS modules, like CI.dll, allows exploitation even with VBS enabled. Tim Peck from Securonix highlighted that the attacks exploit Windows' failure to validate DLL version numbers properly, enabling the use of outdated, vulnerable files. Microsoft is actively developing mitigations against these risks, including a security update to revoke outdated VBS system files, although specific measures and timelines are not yet disclosed.

Winsage

October 28, 2024

Windows Update takeover lets an attacker revive a patched flaw

Microsoft's approach to security vulnerabilities has been criticized for not classifying scenarios where an attacker with administrative privileges can execute kernel-level code as critical vulnerabilities. SafeBreach researchers highlighted that this narrow definition leaves systems vulnerable to custom rootkits that can bypass essential security controls. They identified CVE-2024-21302, a privilege escalation vulnerability affecting the Windows virtualization stack, and CVE-2024-38202, which allows attackers to exploit the Windows Update process to disable security features like Driver Signature Enforcement and virtualization-based security. Microsoft is actively developing mitigations for these vulnerabilities and has released a security update for CVE-2024-38202 on October 15, with further updates planned for CVE-2024-21302.

Winsage

October 28, 2024

Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel

A newly identified attack technique poses a risk to fully patched Windows systems by circumventing Microsoft's Driver Signature Enforcement (DSE), potentially enabling operating system downgrade attacks that allow malicious actors to load unsigned kernel drivers. This vulnerability is linked to two privilege escalation flaws in the Windows update mechanism, identified as CVE-2024-21302 and CVE-2024-38202, which can be exploited to revert updated systems to earlier versions with unpatched security weaknesses. A tool called Windows Downdate can hijack the Windows Update process, facilitating undetectable downgrades of critical OS components. The exploit takes advantage of a race condition to replace a verified security catalog file with a malicious version, allowing the loading of an unsigned kernel driver. The DSE bypass can be executed by downgrading the "ci.dll" library, but can be thwarted if Virtualization-Based Security (VBS) is active on the host. Attackers can disable VBS by manipulating registry keys, and the attack fails only if VBS is enabled with a UEFI lock and a "Mandatory" flag, which prevents booting if VBS files are corrupted. Microsoft has addressed the vulnerabilities in August and October 2024.

Winsage

October 26, 2024

New Windows Driver Signature bypass allows kernel rootkit installs

SafeBreach security researcher Alon Leviev has identified a vulnerability in the Windows operating system that allows attackers to downgrade kernel components, bypassing security measures like Driver Signature Enforcement (DSE). This vulnerability enables the installation of rootkits on fully patched systems. Leviev demonstrated that attackers can manipulate the Windows Update process to introduce outdated components without altering the system's patched status. He introduced a tool called Windows Downdate, which allows the creation of custom downgrades, exposing updated systems to previously patched vulnerabilities. Leviev's method, named "ItsNotASecurityBoundary," exploits a flaw in the DSE, allowing unsigned kernel drivers to be loaded and facilitating the deployment of rootkit malware. Despite Microsoft addressing the privilege escalation aspect of this vulnerability, it does not protect against downgrade attacks. Leviev's research shows that attackers can replace the 'ci.dll' file responsible for enforcing DSE with an unpatched version during the Windows Update process, thereby circumventing protections. He also discussed methods to disable Microsoft's Virtualization-based Security (VBS), which is designed to protect critical resources, by modifying registry keys. Leviev emphasizes the need for endpoint security tools to monitor downgrade procedures to mitigate these risks.

Tech Optimizer

September 19, 2024

Microsoft summit plots end of kernel access for EDR security clients

Microsoft is considering changes to the interaction of security products with the Windows software kernel, prompted by a significant IT outage affecting CrowdStrike customers. If Microsoft restricts access to load kernel drivers, security vendors will need to redesign their products to operate with lower privileges. The impact of these changes on Microsoft's own Defender, which currently operates at the kernel level, remains uncertain.