Microsoft Isn’t Patching ‘Significant’ Windows Safe Mode Flaw

Microsoft will not fix a vulnerability affecting all PC and server versions of Windows that allows an attacker to stage an assault from Safe Mode despite security researchers labelling the flaw a “significant risk” to users.

A team at Cyberark say that if perimeter security measures are breached, an attacker could escalate local administrator privileges to force a system to load in Safe Mode, which by default deactivates third party software not deemed critical to Windows – including security applications.

Once one system is compromised, it can attack others on the same network.

Researchers say breaching the perimeter and compromising at least one Windows system is “fairly easy”, but Microsoft won’t acknowledge its findings as a vulnerability because at least one other flaw would have to be exploited.

Safe Mode isn’t so safe

“This process is actually much easier than it sounds, and it can typically be done without the user noticing that anything has gone wrong,” said Doron Naim, malware research team leader at Cyberark.

Safe Mode could be dressed up to look like Normal Mode and by waiting for the next reboot to occur and users would be none the wiser.

“To remotely force a Windows-based machine into Safe Mode during the next reboot, attackers can use BCDEdit to configure the system to boot in Minimal Safe Mode,” continued Naim. “Once this change is made, the machine will – by default – boot in Minimal Safe Mode, which is the default Safe Mode boot option that runs only the minimal drivers and services needed to start Windows and prevents connections to the Internet and network.

“Remember that, by design, Safe Mode loads only a minimal set of drivers and tools. To gain a presence in Safe Mode, the attacker must somehow enable his or her attack tools to run in this lean state.

“Since most endpoint security solutions are not effective in Minimal Safe Mode, these attack tools can easily evade endpoint security measures. In this state, the attacker is able to freely use his or her tools to steal credentials from LSASS.exe and then reuse those credentials to continue the attack path of lateral movement and privilege escalation.”

The issue even affects Windows 10 despite the presence of Microsoft Virtual Secure Module (VSM), which is designed to limit attack tools but only works at the endpoint level and not in Safe Mode.

Cyberark recommends businesses use security tools that work in Safe Mode and remove local admin privileges from standard users in a bid to mitigate the threat. IT departments should also monitor the use of Safe Mode within their networks.

TechWeekEurope has contacted Microsoft for further information and will update this article if we receive a response.

Quiz: What do you know about Windows 10?

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

View Comments

  • Not suprised Microsoft are not interested, it's rather a non issue. Since the computer would have to be severely compromised before you could even start to do this, if it did happen you'd have far bigger concerns.

    "if perimeter security measures are breached, an attacker could escalate local administrator privileges to force a system to load in Safe Mode".... yeah, but at this stage you could pretty much do whatever you want. But, how would you do this in the first place?

    It's a bit like saying car security is flawed, because if you hand over your keys they could open it and drive it away....

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago