Ay, caramba... yes, there's a point where you go "Well if they control this they already own the computer", but when you know that a Black Hat is actively exploiting this "trick"...
Microsoft waited 6 months to patch actively exploited admin-to-kernel vulnerability
Cybersecurity researchers informed Microsoft that notorious North Korean hackers Lazarus Group discovered the "holy grail" of rootkit vulnerabilities in Windows last year, but Redmond still took six months to patch the problem. Researchers at Avast said they informed Microsoft of a serious admin-to-kernel exploit in a driver …
COMMENTS
Tuesday 12th March 2024 22:41 GMT Michael Wojcik
The problem is triaging an exploit like this. Sure, you can say that in general if the attacker's code is already running in some sense in the TCB then there's nowhere to go in terms of privilege escalation. But if, say, the attacker has a data-based attack against existing TCB code, rather than their own code in the TCB, then arbitrary code execution in the kernel is most definitely an escalation. Or if the attacker is otherwise limited to what they can do within the TCB but can escalate that to arbitrary execution through a chained vulnerability, and so on.
It's the same way with other data-based exploits. Take, oh, HTTP response splitting. At first blush you're just corrupting an HTTP response and producing invalid data, but with a bit of effort you can get the recipient to do quite a few things that are valuable to an attacker.
Rules of thumb for evaluating vulnerabilities are just that. Often they give a good approximation of the risk; occasionally they fail.
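As an added illustration of the "data-based exploit" point in the comment above (example code, not from the comment or the article): a naive HTTP redirect builder beside a hardened one, plus a minimal recipient-side parser that shows how a single header value carrying CR/LF turns one response into two. The Location value and the sample responses are constructed for the demo.

```python
# Added example: HTTP response splitting as a "data-based" exploit. The attacker
# never runs code on the server; a header value that smuggles CR/LF is enough to
# terminate the real response and append a second one the recipient parses as
# a legitimate reply. The hardened builder rejects such values outright.

def build_response_naive(location: str) -> bytes:
    """Vulnerable: copies an untrusted value straight into a header line."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")

def build_response_safe(location: str) -> bytes:
    """Hardened: refuse any header value containing CR, LF or NUL."""
    if any(c in location for c in ("\r", "\n", "\x00")):
        raise ValueError("invalid header value: control characters rejected")
    return build_response_naive(location)

def is_rejected(location: str) -> bool:
    """True if the hardened builder refuses this value."""
    try:
        build_response_safe(location)
    except ValueError:
        return True
    return False

def split_responses(raw: bytes) -> list:
    """Parse bytes the way a simple recipient does: status line and headers,
    then Content-Length bytes of body, then start over if bytes remain.
    Returns the status lines seen, so a split shows up as more than one."""
    statuses = []
    while raw:
        head, sep, rest = raw.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        if not sep or not lines[0].startswith(b"HTTP/"):
            break  # trailing junk, not a response
        statuses.append(lines[0].decode("latin-1"))
        length = 0
        for h in lines[1:]:
            name, _, value = h.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip() or 0)
        raw = rest[length:]
    return statuses

# Constructed sample input: a redirect target that injects a second response.
INJECTED = (
    "/home\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 19\r\n\r\n"
    "<p>not the page</p>"
)
```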
Monday 11th March 2024 08:58 GMT Mike007
To be fair, if you are running with admin access, can't you just install your own driver?
Although I guess in theory you'd need to pay £20 to create a shell company and £250 or whatever it is these days to get a code signing certificate. Which protects us from North Korea, because sanctions mean it's illegal for them to do this...
Tuesday 12th March 2024 22:47 GMT Michael Wojcik
Re: Thought Experiment
That just happened last year.
We also have last month's Azure breach, for example, which was against Microsoft systems, even if it didn't focus on Microsoft data.
Microsoft is certainly a constant target. Any organization of any significant size is.
Monday 11th March 2024 11:05 GMT Anonymous Coward
KB5034441
KB5034441: Windows Recovery Environment update for Windows 10, version 21H2 and 22H2: January 9, 2024
It still fails on a huge fraction of PCs with error 0x80070643, even on machines without recovery partitions, and Microsoft's incompetent updater folks still haven't fixed the patch or created a replacement. Makes you wonder if the Norks pay Microsoft to keep flaws open.
Monday 11th March 2024 11:29 GMT Version 1.0
Re: KB5034441
So it's a Windows 10 issue, maybe with some Windows 11 access too, but unlikely to have any connection to older versions of Windows. Hackers (and our security checkers) are all working with current versions of operating systems on the new computers that the hackers and everyone else have had to buy these days.
Will this result in a new version of Windows in a while that requires everyone to buy a "more secure" hardware CPU system? Since updates result in users buying new systems, the updates make Microsoft more money, and the hackers are having to buy new computers too ... more money for Microsoft and computer manufacturers from all sides, so hacking "helps" the industry.