The method of this attack was rated by the researchers as a method that is not common, and focuses attention on a tool used to fix the problems on your PC and remove security threats. Researchers also cited that they have created a number of proof of concept attacks that take advantage of Windows Safe Mode tool as an attack vector. According to the security researchers, for a successful attack, the attacker will need to first gain access to the local administrator privileges on a computer or server running Windows. Then an attacker could remotely activate the safe mode to bypass the protection. In safe mode, the offender can run a variety of tools to collect credentials and compromise other computers on the network without being noticed at all times. As the security researcher, Doron Naim said that this method works on all versions of Windows, including Windows 10, despite the presence of Microsoft’s Virtual Secure Module (VSM). As we all know that the Safe Mode feature in Windows, loads only essential services and functions necessary to run Windows and blocks the launch of third-party services and programs, including security tools. As a result, attackers can remotely run safe mode on a compromised computer and then carry out the attack very easily. Furthermore, the attacker can also use the techniques, such as the COM object which is dangerous. The COM object technique is used to execute code that will change the background, look and feel of Safe Mode, hence, making the Windows Safe Mode appear like the user is still in Normal Mode. Given Windows’ ability to allow the applications to help users to restart PCs, hackers can hold this process to secretly restart systems in Safe Mode. As it shows that due to these easy feature billions of computers and servers are threatened on the basis of this operating system all over the world, said Doron Naim. Successful exploitation of the problem involves three steps: Change the settings to activate the safe mode for the next time when you load the operating system, the creation of malicious tools for loading in Safe mode, and the implementation of the forced reboot your computer to exploit the vulnerability. Furthermore, the information security company CyberArk researchers confirmed that they have notified Microsoft about the issues. However, the tech giant Microsoft still not acted on it, as it does not consider this to be a “valid vulnerability”, which actually “requires an attacker to have already compromised the machine”.
