New Windows Driver Signature bypass allows kernel rootkit installs

Researcher Alon Leviev has discovered a way to downgrade Windows kernel components, allowing attackers to bypass security features like Driver Signature Enforcement (DSE) and deploy rootkits on fully patched systems. Despite Microsoft's dismissal of the issue, Leviev demonstrated at security conferences that this attack is feasible and remains unfixed. Using a tool called Windows Downdate, Leviev can make a fully patched Windows machine susceptible to past vulnerabilities by reverting components to outdated versions. This method, named the "ItsNotASecurityBoundary" DSE bypass, exploits false file immutability flaws, allowing arbitrary code execution with kernel privileges. Leviev's work shows that even with improved kernel security, downgrade attacks are still possible, and it emphasizes the importance of monitoring such procedures.

https://www.bleepingcomputer.com/news/security/new-windows-driver-signature-bypass-allows-kernel-rootkit-installs/
