Microsoft waited 6 months to patch actively exploited admin-to-kernel vulnerability (www.theregister.com)
from ylai@lemmy.ml to cybersecurity@infosec.pub on 12 Mar 2024 17:44
https://lemmy.ml/post/13086277

#cybersecurity


SpaceNoodle@lemmy.world on 12 Mar 2024 18:08

If they’ve already got admin privileges, you’re already fucked.

jlh@lemmy.jlh.name on 12 Mar 2024 18:24

Other OSes like Linux try to maintain this security boundary, though: www.man7.org/linux/…/kernel_lockdown.7.html

SpaceNoodle@lemmy.world on 12 Mar 2024 19:04

That’s just a criticism of the Windows kernel.

[deleted] on 12 Mar 2024 20:43

.

jlh@lemmy.jlh.name on 13 Mar 2024 01:10

You might be right. I think that the Linux kernel doesn’t have an ABI though, so I believe the driver has to be built for the current version of the kernel. I think the idea is also that the driver is signed by the distro, not Microsoft, so the risk of random drivers getting signed accidentally is probably much lower.

erev@lemmy.world on 13 Mar 2024 01:56

Depends, they can also be loaded via DKMS, which may not require it.

[deleted] on 13 Mar 2024 11:52

.

erev@lemmy.world on 13 Mar 2024 19:14

It kinda depends, on custom kernels DKMS can be incredibly helpful. Like for a hardened kernel, a lot of drivers may be loaded via DKMS.

jlh@lemmy.jlh.name on 13 Mar 2024 14:09

Yeah, it actually looks like Ubuntu leaves the module signing key accessible to root on the filesystem:

wiki.ubuntu.com/UEFI/SecureBoot#Security_implicat…

So root access basically gives you kernel access, if you just sign a malicious kernel module with the MOK.
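
An added example, not written by any commenter in this thread: a shell audit of the two conditions the discussion turns on, whether kernel lockdown is active (the bracketed mode in `/sys/kernel/security/lockdown`, per kernel_lockdown(7)) and whether a module signing private key is readable on disk. The key path is supplied by the caller, and the function names and verdict labels are illustrative assumptions.

```sh
#!/bin/sh
# Added example: does this host keep root out of the kernel?
# Usage: sh audit.sh <module-signing-private-key-path> [lockdown-file]

# Print the active mode from lockdown-file content such as
# "none [integrity] confidentiality"; the active mode is the bracketed one.
active_lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Print "on-disk" if a readable, non-empty private key file exists at $1.
signing_key_state() {
    if [ -r "$1" ] && [ -s "$1" ]; then echo on-disk; else echo absent; fi
}

# $1 = lockdown mode, $2 = key state. Verdict labels are illustrative:
#   open       - lockdown is off, nothing separates root from the kernel
#   bypassable - lockdown is on, but root can read a trusted signing key
#   enforced   - lockdown is on and no signing key was found at the path
boundary_verdict() {
    case "$1" in
        integrity|confidentiality)
            if [ "$2" = on-disk ]; then echo bypassable; else echo enforced; fi ;;
        *)
            echo open ;;
    esac
}

# $1 = lockdown file, $2 = private key path. Prints one summary line.
audit_host() {
    content=""
    if [ -r "$1" ]; then content=$(cat "$1"); fi
    mode=$(active_lockdown_mode "$content")
    mode=${mode:-none}   # file missing or unparsable: treat as no lockdown
    key=$(signing_key_state "$2")
    echo "lockdown=$mode key=$key verdict=$(boundary_verdict "$mode" "$key")"
}

# Only audit the real host when a key path is given on the command line.
if [ "$#" -ge 1 ]; then
    audit_host "${2:-/sys/kernel/security/lockdown}" "$1"
fi
```

Run it as root, since the key file is normally unreadable to other users and would otherwise be reported as absent.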