New Windows Driver Signature bypass allows kernel rootkit installs

Attackers can downgrade Windows kernel components to bypass security features such as Driver Signature Enforcement and deploy rootkits on fully patched systems.

This is possible by taking control of the Windows Update process to introduce outdated, vulnerable software components on an up-to-date machine without the operating system changing the fully patched status.

SafeBreach security researcher Alon Leviev reported the update takeover issue but Microsoft dismissed it saying that it did not cross a defined security boundary, although was possible by gaining kernel code execution as an administrator.

Leviev at the BlackHat and DEFCON security conferences this year demonstrated that the attack was feasible but the problem remains unfixed, leaving open the door for downgrade/version-rollback attacks.

The researcher published a tool called Windows Downdate, which allows creating custom downgrades and expose a seemingly fully update target system to already fixed vulnerabilities via outdated components, such as DLLs, drivers, and the NT kernel.

Leave a Comment