Security News

"In this instance, the PoC is a wolf in sheep's clothing, harboring malicious intent under the guise of a harmless learning tool," Uptycs researchers Nischay Hegde and Siddartha Malladi said. The repository masquerades as a PoC for CVE-2023-35829, a recently disclosed high-severity flaw in the Linux kernel.

We've given you important, interesting and informative detail about the ongoing saga of malicious kernel drivers, many of them signed and approved by Microsoft itself, that have finally been blocked by Windows. The second important item is the matter of ADV230001, Microsoft's advisory entitled Guidance on Microsoft signed drivers being used maliciously.

Microsoft announced that the latest Windows 11 build shipping to Insiders in the Canary channel comes with additional Windows Kernel components rewritten in the memory safety-focused Rust programming language. Windows GDI is an API layer that sits between user-mode applications and Windows drivers, allowing applications to request graphic output functions and have them relayed to the driver through the kernel.

Microsoft blocked code signing certificates predominantly used by Chinese hackers and developers to sign and load malicious kernel mode drivers on breached systems by exploiting a Windows policy loophole. With Windows Vista, Microsoft introduced policy changes restricting how Windows kernel-mode drivers could be loaded into the operating system, requiring developers to submit their drivers for review and sign them through Microsoft's developer portal.

A Microsoft Windows policy loophole has been observed being exploited primarily by native Chinese-speaking threat actors to forge signatures on kernel-mode drivers. "Actors are leveraging multiple open-source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates," Cisco Talos said in an exhaustive two-part report shared with The Hacker News.

Details have emerged about a newly identified security flaw in the Linux kernel that could allow a user to gain elevated privileges on a target host. Dubbed StackRot, the flaw impacts Linux versions 6.1 through 6.4.

Technical information has emerged for a serious vulnerability affecting multiple Linux kernel versions that could be triggered with "Minimal capabilities." The security issue is being referred to as StackRot and can be used to compromise the kernel and elevate privileges. StackRot impacts all kernel configurations on Linux versions 6.1 through 6.4.

Right at the start of June 2023, well-known Russian cybersecurity outfit Kaspersky reported on a previously unknown strain of iPhone malware. Typically, iPhone malware that can compromise an entire device not only violates Apple's strictures about software downloads being restricted to the "Walled garden" of Apple's own App Store, but also bypasses Apple's much vaunted app separation, which is supposed to limit the reach of each app to a "Walled garden" of its own, containing only the data collected by that app itself.

Whoever is infecting people's iPhones with the TriangleDB spyware may be targeting macOS computers with similar malware, according to Kaspersky researchers. In the security shop's ongoing analysis of the smartphone snooping campaign - during which attackers exploit a kernel vulnerability to obtain root privileges and install TriangleDB on victims' handsets - Kaspersky analysts uncovered 24 commands provided by the malware that can be used for a range of illicit activities; everything from stealing data, to tracking the victim's geolocation, and terminating processes.

Microsoft has released an optional fix to address a Kernel information disclosure vulnerability affecting systems running multiple Windows versions, including the latest Windows 10, Windows Server, and Windows 11 releases. As Microsoft explains in a support document, you must make a registry change on vulnerable Windows systems to enable the fix.