Security News > 2023 > July > Cisco Talos Reports Microsoft Windows Policy Loophole Being Exploited by Threat Actor
Learn how a malicious driver exploits a loophole in the Windows operating system to run at kernel level.
Cisco Talos discovered a new Microsoft Windows policy loophole that allows a threat actor to sign malicious kernel-mode drivers executed by the operating system.
The threat actor takes advantage of a specific compatibility policy from Microsoft to enable the signing of malicious kernel-mode drivers.
Microsoft Windows operating systems handle two kinds of drivers: user-mode drivers and kernel-mode drivers.
From Windows 10 version 1607 on, Microsoft updated the signing policy to no longer allow new kernel-mode drivers that have not been submitted to and signed by its Developer Portal.
A loophole exists here in the way a newly compiled driver can be "Signed with non-revoked certificates issued prior or expired before July 29th 2015, provided that the certificate chains to a supported cross-signed CA," as written by Cisco Talos.
News URL
https://www.techrepublic.com/article/cisco-talos-windows-policy-loophole/
Related news
- Microsoft fixes Windows Sysprep issue behind 0x80073cf2 errors (source)
- Recent Windows updates break Microsoft Connected Cache delivery (source)
- Microsoft fixes two Windows zero-days exploited in malware attacks (source)
- Microsoft now testing app ads in Windows 11's Start menu (source)
- Microsoft lifts Windows 11 block on some Intel systems after 2 years (source)
- Microsoft: Copilot ‘app’ on Windows Server mistakenly added by Edge (source)
- Microsoft Office LTSC 2024 preview available for Windows, Mac (source)
- Microsoft: APT28 hackers exploit Windows flaw reported by NSA (source)
- Microsoft: APT28 hackers exploit Windows flaw reported by NSA (source)
- BeyondTrust Report: Microsoft Security Vulnerabilities Decreased by 5% in 2023 (source)