Windows Driver Signature Bypass Exploits Kernel Rootkit Installs

A recent discovery by security researcher Alon Leviev reveals a new vulnerability in Windows that allows attackers to bypass the Driver Signature Enforcement (DSE) feature and deploy kernel rootkits on fully patched systems. The attack abuses the Windows Update process to reintroduce outdated software components onto an up-to-date machine while the machine continues to report itself as fully patched.

Leviev demonstrated this at BlackHat and DEFCON conferences this year and published a tool called “Windows Downdate” that creates custom downgrades. This allows attackers to make a fully patched system susceptible to past vulnerabilities, rendering the term “fully patched” meaningless.

The researcher bypassed DSE by loading unsigned kernel drivers to deploy rootkit malware, disabling security controls and hiding activity that could lead to detection of the compromise. Leviev calls his method “ItsNotASecurityBoundary” due to its similarity to a previously identified exploit.

Microsoft has dismissed this issue, stating it does not cross a defined security boundary. However, Leviev’s research shows that the ability to downgrade kernel components makes kernel compromise easier for attackers. The company is currently developing mitigations to protect against these risks and plans to release a security update to address the problem.

Until then, security solutions should monitor for and detect downgrade attacks, as they continue to pose a significant risk to organizations. Leviev’s work highlights the ongoing need for vigilance in addressing vulnerabilities in Windows kernel components.
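As an added example of the monitoring the article recommends (this is not code from the article, from BleepingComputer, or from Leviev’s Windows Downdate tool), the PowerShell script below records a baseline of file versions and SHA-256 hashes for kernel-mode components and, on a later run, reports any component whose version has gone backwards or whose hash changed without a version change. The list of files to watch (ntoskrnl.exe, ci.dll and the drivers directory) and the baseline path under ProgramData are assumptions made here; the article does not name the components that the downgrade replaces.

```powershell
<#
  Added example, not taken from the article or from Windows Downdate.
  Records a baseline of version + hash for kernel-mode components and,
  in Check mode, flags components that have regressed. A version going
  backwards on a machine Windows Update still reports as fully patched
  is the fingerprint of a downgrade attack.
  Assumptions made here: the watch list and the baseline file location.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Record', 'Check')][string]$Mode,
    [string]$BaselinePath = (Join-Path $env:ProgramData 'kernel-component-baseline.json')  # assumed location
)

# Assumed watch list: the kernel, the code-integrity module and every driver under System32\drivers.
$WatchList = @("$env:SystemRoot\System32\ntoskrnl.exe",
               "$env:SystemRoot\System32\ci.dll") +
             (Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter *.sys -File |
              Select-Object -ExpandProperty FullName)

function Get-ComponentState {
    param([string[]]$Paths)
    $state = @{}
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $vi = (Get-Item -LiteralPath $p).VersionInfo
        # Build the version from the numeric parts; the FileVersion string often carries extra text.
        $ver = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        $state[$p] = [pscustomobject]@{
            Version   = $ver
            Hash      = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Signature = (Get-AuthenticodeSignature -FilePath $p).Status.ToString()
        }
    }
    return $state
}

function Compare-ComponentState {
    param($Baseline, [hashtable]$Current)
    $findings = @()
    foreach ($path in $Current.Keys) {
        $cur  = $Current[$path]
        $base = $Baseline.$path          # baseline property is named by the full path; $null if the file is new
        if ($cur.Signature -ne 'Valid') {
            $findings += [pscustomobject]@{ Path = $path; Finding = "signature status $($cur.Signature)" }
        }
        if ($null -eq $base) { continue }
        if ([version]$cur.Version -lt [version]$base.Version) {
            $findings += [pscustomobject]@{ Path = $path; Finding = "version regressed $($base.Version) -> $($cur.Version)" }
        } elseif ($cur.Version -eq $base.Version -and $cur.Hash -ne $base.Hash) {
            $findings += [pscustomobject]@{ Path = $path; Finding = 'same version, different SHA-256' }
        }
    }
    return $findings
}

$current = Get-ComponentState -Paths $WatchList
switch ($Mode) {
    'Record' {
        $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
        Write-Output "Recorded $($current.Count) components to $BaselinePath"
    }
    'Check' {
        $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
        $findings = Compare-ComponentState -Baseline $baseline -Current $current
        if (@($findings).Count -eq 0) { Write-Output 'No downgraded or unsigned components found.' }
        else { $findings | Format-Table -AutoSize }
    }
}
```

Run it once with `-Mode Record` right after a known-good patch cycle, then `-Mode Check` on a schedule, and re-record the baseline after each legitimate update so that normal version increases do not accumulate as noise. The version regression is the primary signal: Windows Update only ever raises these version numbers, so a decrease deserves an incident ticket. Two caveats apply: ntoskrnl.exe and most in-box drivers are catalog-signed, and older PowerShell versions may report them as NotSigned, so treat the signature column as a secondary indicator; and a rootkit that is already running in the kernel can hide file changes from the same host, so the strongest form of this check reads the disk from a trusted context (an offline image or a known-clean boot) rather than from the possibly compromised system.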

Source: https://www.bleepingcomputer.com/news/security/new-windows-driver-signature-bypass-allows-kernel-rootkit-installs/