Microsoft will not fix a vulnerability affecting all PC and server versions of Windows that allows an attacker to stage an assault from Safe Mode despite security researchers labelling the flaw a “significant risk” to users.
A team at Cyberark say that if perimeter security measures are breached, an attacker could escalate local administrator privileges to force a system to load in Safe Mode, which by default deactivates third party software not deemed critical to Windows – including security applications.
Once one system is compromised, it can attack others on the same network.
Researchers say breaching the perimeter and compromising at least one Windows system is “fairly easy”, but Microsoft won’t acknowledge its findings as a vulnerability because at least one other flaw would have to be exploited.
Safe Mode could be dressed up to look like Normal Mode and by waiting for the next reboot to occur and users would be none the wiser.
“To remotely force a Windows-based machine into Safe Mode during the next reboot, attackers can use BCDEdit to configure the system to boot in Minimal Safe Mode,” continued Naim. “Once this change is made, the machine will – by default – boot in Minimal Safe Mode, which is the default Safe Mode boot option that runs only the minimal drivers and services needed to start Windows and prevents connections to the Internet and network.
“Remember that, by design, Safe Mode loads only a minimal set of drivers and tools. To gain a presence in Safe Mode, the attacker must somehow enable his or her attack tools to run in this lean state.
“Since most endpoint security solutions are not effective in Minimal Safe Mode, these attack tools can easily evade endpoint security measures. In this state, the attacker is able to freely use his or her tools to steal credentials from LSASS.exe and then reuse those credentials to continue the attack path of lateral movement and privilege escalation.”
The issue even affects Windows 10 despite the presence of Microsoft Virtual Secure Module (VSM), which is designed to limit attack tools but only works at the endpoint level and not in Safe Mode.
Cyberark recommends businesses use security tools that work in Safe Mode and remove local admin privileges from standard users in a bid to mitigate the threat. IT departments should also monitor the use of Safe Mode within their networks.
TechWeekEurope has contacted Microsoft for further information and will update this article if we receive a response.
SoftBank has agreed a funding deal that will see OpenAI being provided with up to…
Tesla sales have plummeted to lowest level in three years, as deliveries of new EVs…
New addition. Next generation foundation model, as Amazon Nova model launches to perform actions within…
Head of artificial intelligence research at Meta Platforms has announced she is leaving the social…
No decision yet, after media reports CK Hutchison was to spin off its global telecom…
Ahead of 5 April deadline, Trump is to hold White House meeting over possible investors…
View Comments
Not suprised Microsoft are not interested, it's rather a non issue. Since the computer would have to be severely compromised before you could even start to do this, if it did happen you'd have far bigger concerns.
"if perimeter security measures are breached, an attacker could escalate local administrator privileges to force a system to load in Safe Mode".... yeah, but at this stage you could pretty much do whatever you want. But, how would you do this in the first place?
It's a bit like saying car security is flawed, because if you hand over your keys they could open it and drive it away....