In a significant revelation, cybersecurity experts have identified a method that enables cybercriminals to circumvent Windows security features, notably Driver Signature Enforcement (DSE). This vulnerability allows for the installation of rootkits on systems that are otherwise fully updated. Alon Leviev, a cybersecurity researcher from SafeBreach, has detailed this alarming capability in a recent report.
According to Leviev, the exploit hinges on the ability to downgrade specific Windows kernel components, leaving devices running Windows 11 particularly susceptible. Although Leviev reported the issue to Microsoft, the company has not yet implemented a fix. Microsoft’s response indicated that the vulnerability does not breach a “security boundary,” because an attacker would already require administrator access to exploit it.
Rising sophistication
Leviev showcased this vulnerability at the Black Hat and DEF CON 2024 conferences, introducing a tool named Windows Downdate. This tool facilitates the creation of downgrades that can reactivate previously patched vulnerabilities. In his demonstration, Leviev successfully downgraded certain components on Windows 11, reinstating the DSE bypass and allowing the use of unsigned drivers. This process enabled him to install rootkits capable of disabling security software and concealing malicious activities.
One of the critical steps in Leviev’s attack involved replacing a vital Windows file, ci.dll, with an unpatched version. This alteration necessitates a system restart, which the attacker can disguise as a routine update. Furthermore, Leviev illustrated techniques to disable or bypass Virtualization-Based Security (VBS) by altering specific settings and files, thereby further weakening the system’s defenses.
In response to these findings, Microsoft is actively working on a solution to block outdated system files and prevent such downgrade attacks. However, the timeline for the release of this fix remains uncertain, as ensuring robust protection against these vulnerabilities requires thorough testing to avoid potential disruptions to system functionality. Until a resolution is implemented, Leviev recommends that organizations remain vigilant and monitor for signs of downgrade attacks.
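The two artifacts the article names, the on-disk ci.dll and the VBS configuration, are exactly what a defender can baseline and re-check across a fleet. The following PowerShell script is an added example written for this page; it is not tooling from SafeBreach or Microsoft. It reads the ci.dll version and Authenticode status, queries the Win32_DeviceGuard class for the configured versus actually running VBS services, and flags drift. The `$BaselineCiVersion` parameter is a placeholder that the operator fills in from a freshly patched reference machine; the article gives no version number, so none is assumed here.

```powershell
# Added defender-side check (not part of the SafeBreach report or Microsoft tooling).
# Inspects the on-disk ci.dll and the VBS/HVCI state so a host can be compared
# against a known-good baseline taken from a fully patched reference machine.
# Run from an elevated PowerShell prompt on Windows 10/11.

param(
    # Placeholder: paste the ci.dll file version from a fully patched reference host.
    [string]$BaselineCiVersion = '0.0.0.0'
)

function Get-CiDllState {
    $path = Join-Path $env:SystemRoot 'System32\ci.dll'
    $item = Get-Item -LiteralPath $path
    $vi   = $item.VersionInfo
    # Build a comparable [version] from the numeric parts (FileVersion may carry a build suffix).
    $ver  = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path            = $path
        FileVersion     = $ver
        LastWriteTime   = $item.LastWriteTimeUtc
        SignatureStatus = $sig.Status                     # 'Valid' expected
        Signer          = $sig.SignerCertificate.Subject
    }
}

function Get-VbsState {
    # Win32_DeviceGuard reports what is configured versus what is actually running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # SecurityServices arrays: 1 = Credential Guard, 2 = HVCI (memory integrity).
    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsStatus       = $dg.VirtualizationBasedSecurityStatus
        HvciConfigured  = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning     = [bool]($dg.SecurityServicesRunning -contains 2)
        RegistryVbsFlag = $reg.EnableVirtualizationBasedSecurity
    }
}

function Test-DowngradeIndicators {
    param([string]$BaselineVersion)
    $ci  = Get-CiDllState
    $vbs = Get-VbsState
    $findings = @()

    if ($ci.SignatureStatus -ne 'Valid') {
        $findings += "ci.dll signature status is '$($ci.SignatureStatus)'"
    }
    if ($BaselineVersion -ne '0.0.0.0' -and $ci.FileVersion -lt [version]$BaselineVersion) {
        $findings += "ci.dll $($ci.FileVersion) is older than baseline $BaselineVersion"
    }
    if ($vbs.HvciConfigured -and -not $vbs.HvciRunning) {
        $findings += 'HVCI is configured but not running'
    }
    if ($null -ne $vbs.RegistryVbsFlag -and $vbs.RegistryVbsFlag -eq 0) {
        $findings += 'EnableVirtualizationBasedSecurity is set to 0'
    }

    [pscustomobject]@{
        CiDll    = $ci
        Vbs      = $vbs
        Findings = $findings
        Suspect  = ($findings.Count -gt 0)
    }
}

Test-DowngradeIndicators -BaselineVersion $BaselineCiVersion | Format-List
```

A version older than the baseline on a host that reports itself as fully updated, or HVCI that is configured but no longer running after a reboot, is the kind of drift the article's "signs of downgrade attacks" refers to; run the script from a scheduled task or an EDR script-execution feature and ship the `Findings` field to your SIEM so the comparison happens centrally rather than per machine.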