Microsoft Isn’t Patching ‘Significant’ Windows Safe Mode Flaw

Microsoft will not fix a vulnerability affecting all PC and server versions of Windows that allows an attacker to stage an assault from Safe Mode despite security researchers labelling the flaw a “significant risk” to users.

A team at Cyberark say that if perimeter security measures are breached, an attacker could escalate local administrator privileges to force a system to load in Safe Mode, which by default deactivates third party software not deemed critical to Windows – including security applications.

Once one system is compromised, it can attack others on the same network.

Researchers say breaching the perimeter and compromising at least one Windows system is “fairly easy”, but Microsoft won’t acknowledge its findings as a vulnerability because at least one other flaw would have to be exploited.

Safe Mode isn’t so safe

“This process is actually much easier than it sounds, and it can typically be done without the user noticing that anything has gone wrong,” said Doron Naim, malware research team leader at Cyberark.

Safe Mode could be dressed up to look like Normal Mode and by waiting for the next reboot to occur and users would be none the wiser.

“To remotely force a Windows-based machine into Safe Mode during the next reboot, attackers can use BCDEdit to configure the system to boot in Minimal Safe Mode,” continued Naim. “Once this change is made, the machine will – by default – boot in Minimal Safe Mode, which is the default Safe Mode boot option that runs only the minimal drivers and services needed to start Windows and prevents connections to the Internet and network.

“Remember that, by design, Safe Mode loads only a minimal set of drivers and tools. To gain a presence in Safe Mode, the attacker must somehow enable his or her attack tools to run in this lean state.

“Since most endpoint security solutions are not effective in Minimal Safe Mode, these attack tools can easily evade endpoint security measures. In this state, the attacker is able to freely use his or her tools to steal credentials from LSASS.exe and then reuse those credentials to continue the attack path of lateral movement and privilege escalation.”

The issue even affects Windows 10 despite the presence of Microsoft Virtual Secure Module (VSM), which is designed to limit attack tools but only works at the endpoint level and not in Safe Mode.

Cyberark recommends businesses use security tools that work in Safe Mode and remove local admin privileges from standard users in a bid to mitigate the threat. IT departments should also monitor the use of Safe Mode within their networks.

TechWeekEurope has contacted Microsoft for further information and will update this article if we receive a response.

Quiz: What do you know about Windows 10?

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

View Comments

  • Not suprised Microsoft are not interested, it's rather a non issue. Since the computer would have to be severely compromised before you could even start to do this, if it did happen you'd have far bigger concerns.

    "if perimeter security measures are breached, an attacker could escalate local administrator privileges to force a system to load in Safe Mode".... yeah, but at this stage you could pretty much do whatever you want. But, how would you do this in the first place?

    It's a bit like saying car security is flawed, because if you hand over your keys they could open it and drive it away....

Recent Posts

Norway Hit By DDoS Cyber Attacks From Pro Russian Group

Norwegian national security agency warns pro-Russian group has targetted private and public institutions in Norway…

16 hours ago

Google Tells Staff They Can Relocate After Roe v Wade Ending

After US Supreme Court last week removed women's reproduction rights, Google tells staff they can…

16 hours ago

Taiwan Developing Own Digital Currency – Report

Central bank of Taiwan confirms it is still working on its digital currency, but has…

18 hours ago

Tesla Cuts 200 Autopilot Jobs, Closes San Mateo Office – Report

More restructuring at Tesla with hundreds of bob losses and California office closure, where staff…

20 hours ago

US FCC Commissioner Urges Apple, Google To Remove TikTok

Fresh worry for TikTok, after FCC Commissioner writes to Apple and Google about removing the…

20 hours ago

Airbnb Permanently Bans Parties, With Few Exceptions

Victory for irate neighbours? Airbnb confirms its temporary Covid ban on parties in its listings…

21 hours ago