![]() ![]() The catch: It requires existing code signing certificates that expired before or were issued before that date and were never revoked. They developed a method that is now implemented and available in open-source tools. Hackers figured out that this last exception could be abused if they found a way to sign new drivers and then alter the signature timestamp so it appeared to Windows that the certificate was signed in the past, before July 29, 2015. However, to accommodate existing drivers during the transition period, this policy came with three exceptions: for drivers deployed on an older version of Windows that was upgraded in place to Windows 10, for drivers deployed when Secure Boot is disabled in BIOS, and for drivers that were signed with a valid user certificate before July 29, 2015, if the certificate had been issued by a certificate authority trusted in Windows. ![]() Starting with Windows 10 version 1607, Microsoft went even further and started requiring all kernel drivers to be signed not by a third-party CA, but through its own Developer Program. While this didn’t completely put a stop to malicious drivers, it raised the bar, because obtaining a code signing certificate from a CA is not cheap and involves identity verification. Security software often relies on drivers as well to implement some of its features.Īttackers have historically taken advantage of the power of drivers, too, by creating malicious drivers to deploy powerful rootkits, but starting with Windows Vista, Microsoft began cracking down on this abuse by requiring all kernel-mode drivers to be digitally signed by a certificate authority (CA). They can also be used to implement powerful features in software programs, such as virtualization, file wiping, or disk encryption. Kernel drivers are powerful pieces of code because they run in the most privileged area of the operating system, often facilitating communication between the OS itself and the hardware components installed in the computer: network cards, graphics cards, storage drives, sound cards, USB devices and so on. “These advantages provide a significant incentive for attackers to discover ways to bypass the Windows driver signature policies.” Exceptions to the Windows driver policy ![]() “From an attacker’s perspective, the advantages of leveraging a malicious driver include, but are not limited to, evasion of endpoint detection, the ability to manipulate system and user mode processes, and maintained persistence on an infected system,” researchers from Cisco Talos said in a report. This technique has been automated and used to defeat anti-cheating and digital rights management (DRM) features in games and more recently to deploy highly persistent malware. A loophole in a core Windows security mechanism that requires all kernel drivers to be digitally signed by Microsoft allows attackers to forge signatures on maliciously modified drivers. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |