Microsoft Isn’t Patching ‘Significant’ Windows Safe Mode Flaw

Steve McCaskill,

Researchers say Windows 10 Safe Mode flaw is easy to exploit but Microsoft doesn’t acknowledge it as a primary threat

Microsoft will not fix a vulnerability affecting all PC and server versions of Windows that allows an attacker to stage an assault from Safe Mode despite security researchers labelling the flaw a “significant risk” to users.

A team at Cyberark say that if perimeter security measures are breached, an attacker could escalate local administrator privileges to force a system to load in Safe Mode, which by default deactivates third party software not deemed critical to Windows – including security applications.

Once one system is compromised, it can attack others on the same network.

Researchers say breaching the perimeter and compromising at least one Windows system is “fairly easy”, but Microsoft won’t acknowledge its findings as a vulnerability because at least one other flaw would have to be exploited.

Safe Mode isn’t so safe

Windows 10 Upgrade“This process is actually much easier than it sounds, and it can typically be done without the user noticing that anything has gone wrong,” said Doron Naim, malware research team leader at Cyberark.

Safe Mode could be dressed up to look like Normal Mode and by waiting for the next reboot to occur and users would be none the wiser.

“To remotely force a Windows-based machine into Safe Mode during the next reboot, attackers can use BCDEdit to configure the system to boot in Minimal Safe Mode,” continued Naim. “Once this change is made, the machine will – by default – boot in Minimal Safe Mode, which is the default Safe Mode boot option that runs only the minimal drivers and services needed to start Windows and prevents connections to the Internet and network.

“Remember that, by design, Safe Mode loads only a minimal set of drivers and tools. To gain a presence in Safe Mode, the attacker must somehow enable his or her attack tools to run in this lean state.

“Since most endpoint security solutions are not effective in Minimal Safe Mode, these attack tools can easily evade endpoint security measures. In this state, the attacker is able to freely use his or her tools to steal credentials from LSASS.exe and then reuse those credentials to continue the attack path of lateral movement and privilege escalation.”

The issue even affects Windows 10 despite the presence of Microsoft Virtual Secure Module (VSM), which is designed to limit attack tools but only works at the endpoint level and not in Safe Mode.

Cyberark recommends businesses use security tools that work in Safe Mode and remove local admin privileges from standard users in a bid to mitigate the threat. IT departments should also monitor the use of Safe Mode within their networks.

TechWeekEurope has contacted Microsoft for further information and will update this article if we receive a response.

Quiz: What do you know about Windows 10?