Threat actors could leverage the Windows Update takeover flaw, tracked as CVE-2024-38202, to bring back the Driver Signature Enforcement (DSE) bypass dubbed "ItsNotASecurityBoundary" even on fully patched machines, by downgrading the kernel's Code Integrity component (ci.dll) to a version that still contains the bug, according to SC Media.
The restored bypass could then be leveraged to load unsigned kernel drivers and ultimately to deploy rootkits that disable security controls and conceal malicious activity, a report from SafeBreach showed. Microsoft has emphasized ongoing efforts to strengthen defenses against downgrade attacks.
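Two quick host checks follow for a machine where a Windows Update downgrade might have been abused in the way described above. This is an added hunting example, not code from SC Media, SafeBreach or Microsoft. It assumes two heuristics of my own: that ci.dll should never carry an older file version than the kernel it is running under, and that with DSE intact every running kernel driver should verify with a valid Authenticode signature. Both can have benign explanations, so treat hits as leads, not verdicts.

```powershell
# Added hunting example (not from the original article). Run from an elevated prompt.
# Heuristic 1: compare ci.dll's file version with ntoskrnl.exe; a Code Integrity image
#              older than the kernel is consistent with a downgrade of ci.dll.
# Heuristic 2: enumerate running kernel drivers and flag any whose Authenticode
#              signature is not 'Valid'; that is what a working DSE should prevent.
# Assumption: both heuristics are mine; an out-of-band servicing update or a
# catalog-signed inbox driver (which older PowerShell versions report as NotSigned)
# can produce false positives.

function Get-FileVersionString {
    param([Parameter(Mandatory)][string]$Path)
    # Return the four-part file version as a string, or $null if the file is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $v = (Get-Item -LiteralPath $Path).VersionInfo
    return ('{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart)
}

function Test-CodeIntegrityVersion {
    # ci.dll and ntoskrnl.exe ship in every cumulative update, so their versions
    # normally move together; ci.dll lagging behind the kernel is the red flag.
    $sys = Join-Path $env:SystemRoot 'System32'
    $ci  = Get-FileVersionString -Path (Join-Path $sys 'ci.dll')
    $nt  = Get-FileVersionString -Path (Join-Path $sys 'ntoskrnl.exe')
    [pscustomobject]@{
        CiVersion     = $ci
        KernelVersion = $nt
        Suspicious    = ($null -ne $ci -and $null -ne $nt -and ([version]$ci) -lt ([version]$nt))
    }
}

function Get-UnsignedLoadedDrivers {
    # Win32_SystemDriver lists kernel drivers; PathName may be a bare 'system32\...'
    # path or carry a '\??\' or '\SystemRoot' prefix, so normalize before checking.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $p = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
            if (Test-Path -LiteralPath $p) {
                $sig = Get-AuthenticodeSignature -FilePath $p
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{
                        Name   = $_.Name
                        Path   = $p
                        Status = $sig.Status
                        Signer = $sig.SignerCertificate.Subject
                    }
                }
            }
        }
}

Test-CodeIntegrityVersion | Format-List
Get-UnsignedLoadedDrivers | Format-Table -AutoSize
```

A downgraded ci.dll typically shows up as `Suspicious = True` in the first output; any row in the second table is a driver that loaded without a signature Windows considers valid and deserves a closer look. Because an attacker who has already loaded a rootkit can tamper with what these cmdlets see, the checks are most trustworthy when run against an offline disk image or forwarded as telemetry rather than trusted solely from the live host.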
"We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption," said a Microsoft spokesperson.
Meanwhile, Keeper Security Senior Director of Engineering Jim Edwards noted that this development highlighted increasingly sophisticated attack techniques amid evolving security defenses.
"A zero-trust security model and privileged access management can help reduce these risks by enforcing strict authentication and authorization, even for administrators," Edwards added.