
Vulnerability discovered in Windows

  • July 12, 2023


Cisco Talos reports that a vulnerability has been found in Windows policy. The vulnerability is actively exploited.

Security company Cisco Talos has uncovered a loophole in Windows policies. Their report also states that the vulnerability is being actively exploited by attackers.

The problem

The vulnerability allows cross-signed kernel-mode drivers to be signed and loaded if their signature timestamp is prior to July 29, 2015. Attackers use various open-source tools to change the signing timestamp of kernel-mode drivers and then load malicious, unverified drivers signed with expired certificates.
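A defender-side triage check for the timestamp abuse described above, as an added example that is not from Cisco Talos, Microsoft or the original article. It assumes the signing time and certificate expiry have already been extracted by your own signature tooling; the function names and the sample header bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

UTC = timezone.utc
# Cutoff from the article: signatures timestamped before this date are still accepted.
POLICY_CUTOFF = datetime(2015, 7, 29, tzinfo=UTC)

def pe_link_time(image: bytes) -> datetime:
    """Read the COFF TimeDateStamp (link time) from a PE image such as a .sys file."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0" or len(image) < pe_off + 12:
        raise ValueError("missing PE signature")
    # After the 4-byte PE signature: Machine (2), NumberOfSections (2), TimeDateStamp (4)
    (stamp,) = struct.unpack_from("<I", image, pe_off + 8)
    return datetime.fromtimestamp(stamp, tz=UTC)

def triage(image: bytes, signing_time: datetime, cert_not_after: datetime) -> list:
    """Return review reasons for a driver whose signature claims a pre-cutoff timestamp.

    signing_time and cert_not_after are assumed inputs from existing signature
    tooling; this function does not parse the Authenticode data itself.
    """
    if signing_time >= POLICY_CUTOFF:
        return []                      # not relying on the pre-2015 exception
    linked = pe_link_time(image)
    reasons = []
    if linked > signing_time:
        reasons.append("linked after claimed signing time")
    if linked > cert_not_after:
        reasons.append("linked after certificate expiry")
    return reasons

def sample_image(linked: datetime) -> bytes:
    """Constructed sample: the smallest header that pe_link_time() accepts."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<HHI", 0x8664, 1, int(linked.timestamp()))

if __name__ == "__main__":
    old = sample_image(datetime(2013, 5, 1, tzinfo=UTC))
    new = sample_image(datetime(2022, 3, 1, tzinfo=UTC))
    signed, expires = datetime(2013, 5, 2, tzinfo=UTC), datetime(2014, 12, 31, tzinfo=UTC)
    print(triage(old, signed, expires))   # genuine legacy driver
    print(triage(new, signed, expires))   # built long after its claimed signing time
```

The link timestamp can itself be edited, and some toolchains write a non-time value there, so a hit is a reason to review the driver rather than a verdict.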

Cisco Talos has also found one of these open-source tools being used on cracked drivers to bypass Digital Rights Management (DRM).

Like China in your hands

Most of the drivers identified by Cisco Talos (part of Cisco Systems) contain a Simplified Chinese language code in their metadata. The tools used are also commonly used by Chinese speakers. That suggests Chinese-speaking actors are involved.

Cisco Talos researchers also discovered a malicious driver called RedDriver, about which they wrote a separate report. This driver mainly targets internet cafes and people who speak Chinese.

Microsoft's response

Cisco Talos promptly informed Microsoft. Microsoft has revoked all certificates mentioned in the report and published a security advisory.

In any case, this study confirms Cisco’s ambition to become more of a network expert. Then, of course, the company still has to work on its own mistakes.

Source: IT Daily
