November 30, 2023

A security researcher has discovered a bug in PatchGuard, a crucial Windows security feature, that can allow threat actors to load unsigned (malicious) code into the Windows operating system kernel. The bug remains unfixed.

PatchGuard

Microsoft Kernel Patch Protection (KPP), more commonly known as PatchGuard, made its way into the Windows OS in 2005, when Microsoft launched the 64-bit editions of Windows XP Professional and Windows Server 2003. All 64-bit versions of Windows ship with KPP as a foundation of the ecosystem. In its early days it was developed to prevent kernel patching.

Kernel patching is where low-level apps tap into the core of the Windows OS, known as the kernel, and modify its structures so that the app can run its operations with the highest level of privilege, known as kernel mode.

Microsoft decided to stomp on this tactic and took the opportunity to add a series of checks and defenses to the kernel, which eventually became known as KPP or PatchGuard.

PatchGuard is just one of an entire arsenal of security features that make hacking Windows operating systems much harder, especially on Windows 10. But researchers keep finding ways to bypass it.

Techniques like GhostHook, InfinityHook, and ByePg were disclosed in 2017 and 2019, all allowing threat actors to slip through the cracks in PatchGuard, tap into the kernel via a legitimate function, and then modify its internal structures. The most recent is Kento's bypass.

When malware wants to register a callback routine that points into unsigned code it has mapped at a kernel virtual address, that is normally not possible at all through legitimate means. All of these bypasses require that the attacker's code already runs with admin privileges, so that it can perform the illicit kernel patch.
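From a defender's side, the practical question the paragraph above raises is whether a host is currently running kernel code that does not carry a valid signature, and whether the hypervisor-backed kernel code integrity check (Memory Integrity, also called HVCI, which the article does not mention) is running. The PowerShell below is an added example and not code from the article or from any of the named bypasses; it assumes an elevated prompt on Windows 10 or later, where `Get-AuthenticodeSignature` also recognises catalog-signed inbox drivers. The function names `Get-UnsignedLoadedDriver` and `Get-MemoryIntegrityState` are my own.

```powershell
# Added example: audit the kernel drivers currently loaded on this host and report any whose
# on-disk image does not verify as signed. Run from an elevated PowerShell prompt.

function Get-UnsignedLoadedDriver {
    [CmdletBinding()]
    param()

    # Win32_SystemDriver lists kernel-mode drivers known to the Service Control Manager.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($drv in $drivers) {
        # PathName comes back in several spellings; normalise it to a plain Win32 path.
        # (-replace is case-insensitive by default.)
        $path = $drv.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"

        if (-not (Test-Path -LiteralPath $path)) {
            # A running driver with no backing file is itself worth a look.
            [pscustomobject]@{ Name = $drv.Name; Path = $path; Status = 'FileNotFound'; Signer = $null }
            continue
        }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        # Anything other than Valid (NotSigned, HashMismatch, UnknownError, ...) is reported.
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Name   = $drv.Name
                Path   = $path
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

function Get-MemoryIntegrityState {
    # Win32_DeviceGuard exposes which virtualization-based security services are running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Memory Integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg) { return 'Unavailable' }
    if ($dg.SecurityServicesRunning -contains 2) { 'Running' } else { 'NotRunning' }
}

"Memory Integrity (HVCI): $(Get-MemoryIntegrityState)"
Get-UnsignedLoadedDriver | Format-Table -AutoSize
```

Two caveats when reading the output. First, this checks the driver image on disk; a bypass of the kind the article describes maps code into kernel memory without a driver file, so an empty list is not proof of a clean kernel, only that no unsigned driver image is loaded through the normal path. Second, on older hosts `Get-AuthenticodeSignature` does not consult the catalog store, so catalog-signed inbox drivers there show up as `NotSigned` and the list becomes a triage queue rather than a verdict.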

This requirement is what made Microsoft ignore all three previous reports, with the company arguing that once an attacker has admin rights on a Windows system it is game over, and any further escalation is possible.

Microsoft did eventually patch the three PatchGuard bypasses months after they became public, but years later, its classification of PatchGuard bypasses as a security non-issue is now having repercussions.

While Microsoft still values PatchGuard and is committed to fixing these flaws, the OS maker has historically ignored bug reports like these, which has led to a situation where a PatchGuard bypass is once again broadly available in the public domain.
