Cisco Talos Reports Microsoft Windows Policy Loophole Being Exploited by Threat Actor
2023-07-11 19:09

Learn how a malicious driver exploits a loophole in the Windows operating system to run at kernel level. Cisco Talos discovered a new Microsoft Windows policy loophole that allows a threat actor to sign malicious kernel-mode drivers executed by the operating system.

Microsoft: Unpatched Office zero-day exploited in NATO summit attacks
2023-07-11 18:23

"Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents," Redmond said today. "An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file."

Windows 11 KB5028185 cumulative update released with Moment 3 features
2023-07-11 18:10

Microsoft has released the mandatory Windows 11 22H2 KB5028185 cumulative update to fix security vulnerabilities, enable the new Moment 3 features, and make over 30 improvements. KB5028185 is a mandatory Windows 11 cumulative update containing the July 2023 Patch Tuesday security updates that fix 78 vulnerabilities and thirty-eight remote code execution flaws in various Microsoft products.

Windows 10 KB5028168 and KB5028166 updates released
2023-07-11 18:07

Microsoft has released the Windows 10 KB5028166 and KB5028168 cumulative updates for versions 22H2, 21H2, and 1809 to fix problems and add new features to the operating system. As these updates contain security updates released as part of the July 2023 Patch Tuesday, Microsoft will automatically install them over the next couple of days.

Microsoft July 2023 Patch Tuesday warns of 6 zero-days, 132 flaws
2023-07-11 17:49

Today is Microsoft's July 2023 Patch Tuesday, with security updates for 132 flaws, including six actively exploited and thirty-seven remote code execution vulnerabilities. "An attacker must have local access to the targeted machine and the user must be able to create folders and performance traces on the machine, with restricted privileges that normal users have by default," warns Microsoft.

Hackers exploit Windows policy to load malicious kernel drivers
2023-07-11 17:00

Microsoft blocked code signing certificates predominantly used by Chinese hackers and developers to sign and load malicious kernel mode drivers on breached systems by exploiting a Windows policy loophole. With Windows Vista, Microsoft introduced policy changes restricting how Windows kernel-mode drivers could be loaded into the operating system, requiring developers to submit their drivers for review and sign them through Microsoft's developer portal.

Hackers Exploit Windows Policy Loophole to Forge Kernel-Mode Driver Signatures
2023-07-11 16:59

A Microsoft Windows policy loophole has been observed being exploited primarily by native Chinese-speaking threat actors to forge signatures on kernel-mode drivers. "Actors are leveraging multiple open-source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates," Cisco Talos said in an exhaustive two-part report shared with The Hacker News.

Microsoft rebrands Azure Active Directory to Microsoft Entra ID
2023-07-11 16:28

Microsoft announced today that it would change the name of its Azure Active Directory enterprise identity service to Microsoft Entra ID by the end of the year. Azure AD offers a range of security features, including single sign-on, multifactor authentication, and conditional access, with Microsoft saying it helps defend against 99.9 percent of cybersecurity attacks.

Deutsche Bank confirms provider breach exposed customer data
2023-07-11 15:51

Deutsche Bank AG has confirmed to BleepingComputer that a data breach on one of its service providers has exposed its customers' data in a likely MOVEit Transfer data-theft attack. The bank said that only a limited amount of personal data was exposed due to the security incident.

Apple confirms WebKit security updates break browsing on some sites
2023-07-11 15:42

Apple confirmed today that emergency security updates released on Monday to address a zero-day bug exploited in attacks also break browsing on some websites. The company advises customers who have already applied the buggy security updates to remove them if they're experiencing issues while browsing the web.