Microsoft will not fix a vulnerability affecting all PC and server versions of Windows that allows an attacker to stage an assault from Safe Mode despite security researchers labelling the flaw a “significant risk” to users.
A team at Cyberark say that if perimeter security measures are breached, an attacker could escalate local administrator privileges to force a system to load in Safe Mode, which by default deactivates third party software not deemed critical to Windows – including security applications.
Once one system is compromised, it can attack others on the same network.
Researchers say breaching the perimeter and compromising at least one Windows system is “fairly easy”, but Microsoft won’t acknowledge its findings as a vulnerability because at least one other flaw would have to be exploited.
Safe Mode could be dressed up to look like Normal Mode and by waiting for the next reboot to occur and users would be none the wiser.
“To remotely force a Windows-based machine into Safe Mode during the next reboot, attackers can use BCDEdit to configure the system to boot in Minimal Safe Mode,” continued Naim. “Once this change is made, the machine will – by default – boot in Minimal Safe Mode, which is the default Safe Mode boot option that runs only the minimal drivers and services needed to start Windows and prevents connections to the Internet and network.
“Remember that, by design, Safe Mode loads only a minimal set of drivers and tools. To gain a presence in Safe Mode, the attacker must somehow enable his or her attack tools to run in this lean state.
“Since most endpoint security solutions are not effective in Minimal Safe Mode, these attack tools can easily evade endpoint security measures. In this state, the attacker is able to freely use his or her tools to steal credentials from LSASS.exe and then reuse those credentials to continue the attack path of lateral movement and privilege escalation.”
The issue even affects Windows 10 despite the presence of Microsoft Virtual Secure Module (VSM), which is designed to limit attack tools but only works at the endpoint level and not in Safe Mode.
Cyberark recommends businesses use security tools that work in Safe Mode and remove local admin privileges from standard users in a bid to mitigate the threat. IT departments should also monitor the use of Safe Mode within their networks.
TechWeekEurope has contacted Microsoft for further information and will update this article if we receive a response.
German foreign minister warns Russia will face consequences for “absolutely intolerable” cyberattack on ruling party,…
Google is reportedly laying off at least 200 staff from its “Core” organisation, including key…
Investor appeasement? Apple unveils huge $110 billion share buyback program, as sales of iPhone decline…
Tesla retreats from pioneering gigacasting manufacturing process, amid cost cutting and challenges at EV giant
No skynet please. After the US, UK and France pledge human only control of nuclear…
Microsoft's AI investments continue in south east Asia, after investments in Japan, Malaysia, Indonesia, as…
View Comments
Not suprised Microsoft are not interested, it's rather a non issue. Since the computer would have to be severely compromised before you could even start to do this, if it did happen you'd have far bigger concerns.
"if perimeter security measures are breached, an attacker could escalate local administrator privileges to force a system to load in Safe Mode".... yeah, but at this stage you could pretty much do whatever you want. But, how would you do this in the first place?
It's a bit like saying car security is flawed, because if you hand over your keys they could open it and drive it away....