Security News > 2023 > July > Cisco Talos Reports Microsoft Windows Policy Loophole Being Exploited by Threat Actor

Cisco Talos Reports Microsoft Windows Policy Loophole Being Exploited by Threat Actor
2023-07-11 19:09

Learn how a malicious driver exploits a loophole in the Windows operating system to run at kernel level.

Cisco Talos discovered a new Microsoft Windows policy loophole that allows a threat actor to sign malicious kernel-mode drivers executed by the operating system.

The threat actor takes advantage of a specific compatibility policy from Microsoft to enable the signing of malicious kernel-mode drivers.

Microsoft Windows operating systems handle two kinds of drivers: user-mode drivers and kernel-mode drivers.

From Windows 10 version 1607 on, Microsoft updated the signing policy to no longer allow new kernel-mode drivers that have not been submitted to and signed by its Developer Portal.

A loophole exists here in the way a newly compiled driver can be "Signed with non-revoked certificates issued prior or expired before July 29th 2015, provided that the certificate chains to a supported cross-signed CA," as written by Cisco Talos.


News URL

https://www.techrepublic.com/article/cisco-talos-windows-policy-loophole/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 50 1369 2820 161 4400
Cisco 2046 21 1773 1669 288 3751