No fix in sight for mile-wide loophole plaguing a key Windows defense for years
Dan Goodin - 10/5/2022, 5:23 PM
https://arstechnica.com/information-technology/2022/10/no-fix-in-sight-for-mile-wide-loophole-plaguing-a-key-windows-defense-for-years/

"Last week, researchers from security firm ESET revealed that about a year ago, Lazarus, a hacking group backed by the North Korean government, exploited a mile-wide loophole last year that existed in Microsoft's driver signature enforcement (DSE) from the start. The malicious documents Lazarus was able to trick targets into opening were able to gain administrative control of the target's computer, but Windows' modern kernel protections presented a formidable obstacle for Lazarus to achieve its objective of storming the kernel."

"So Lazarus chose one of the oldest moves in the Windows exploitation playbook - a technique known as BYOVD, short for bring your own vulnerable driver."
I have to say, great article from Ars Technica. I already responded in the other thread that is related to this same attack technique, perhaps the topics should be merged, see link. But M$ should be ashamed that they mentioned a mitigation option in Windows (memory integrity) that isn't actually able to block these abused drivers from running. What this article, however, fails to mention is that driver loading should always be monitored by behavior blockers, isn't this the whole point of an EDR? In other words, even if it's a trusted driver, it should be blocked from running since it's not launched by the legitimate app. You would hope that EDRs are smart enough to figure this out, but I'm guessing they are not. https://www.wilderssecurity.com/thr...-bypasses-enormous-range-of-edr-tools.447991/
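As an added illustration of the driver-load monitoring the reply above asks for (not code from the thread, Ars Technica or any EDR vendor): the script below triages constructed Sysmon Event ID 6 "Driver loaded" records and flags loads that a BYOVD attack would produce, even when the driver carries a valid signature. The expected driver directories and the blocklist hash are assumptions and placeholders, and the records are flattened to key=value form for the example.

```python
import re

# Assumption: directories Windows normally loads drivers from; a real allowlist
# would be site-specific and longer.
EXPECTED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")
# Placeholder for hashes from a vulnerable-driver blocklist (constructed value).
BLOCKLIST_SHA256 = {"PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}

# Constructed Sysmon Event ID 6 ("Driver loaded") records, flattened to key=value.
SAMPLE_EVENTS = [
    "UtcTime=2022-10-05 17:23:01 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys "
    "Hashes=SHA256=1111 Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    "UtcTime=2022-10-05 17:24:10 ImageLoaded=C:\\Users\\victim\\AppData\\Local\\Temp\\hw.sys "
    "Hashes=SHA256=2222 Signed=true Signature=Some Hardware Vendor SignatureStatus=Valid",
    "UtcTime=2022-10-05 17:25:33 ImageLoaded=C:\\Windows\\System32\\drivers\\old.sys "
    "Hashes=SHA256=PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER Signed=true "
    "Signature=Vendor SignatureStatus=Valid",
]

def parse_event(line):
    """Split a key=value record; values may contain spaces, so stop at ' Key='."""
    return dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line))

def assess_driver_load(event):
    """Reasons this load deserves an alert; empty list means nothing unusual.
    A valid signature alone is not enough: BYOVD loads legitimately signed
    drivers, so the path and blocklist checks carry the weight."""
    reasons = []
    if not event.get("ImageLoaded", "").lower().startswith(EXPECTED_DIRS):
        reasons.append("driver image outside standard driver directories")
    if event.get("Signed") != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver not validly signed")
    m = re.search(r"SHA256=([^,\s]+)", event.get("Hashes", ""))
    if m and m.group(1) in BLOCKLIST_SHA256:
        reasons.append("hash matches vulnerable-driver blocklist")
    return reasons

def triage(lines):
    """Map each flagged driver path to the reasons it was flagged."""
    flagged = {}
    for line in lines:
        event = parse_event(line)
        reasons = assess_driver_load(event)
        if reasons:
            flagged[event["ImageLoaded"]] = reasons
    return flagged

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print("ALERT", path, "->", "; ".join(reasons))
```

In a deployment the same logic would run over live Sysmon or ETW driver-load telemetry and correlate the loading process with the path, which is the behavioural check the reply argues an EDR should already be making.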