Security researchers have found that Windows Safe Mode may not be as safe as it is believed to be, saying the feature poses a "significant risk". The feature, which is built into all Windows operating systems on both PCs and servers, can potentially be used by hackers to steal PC login credentials and disable security software "all while remaining undetected", according to research conducted by security firm CyberArk.

CyberArk security researchers have also said that Windows 10 is not immune to such exploits, despite the presence of Microsoft's Virtual Secure Module (VSM). The researchers also explored the various attack scenarios that could be used by hackers leveraging Windows Safe Mode. Alarmingly, the vulnerabilities outlined by the firm can also convert infected endpoints into "launching points" for future attacks, essentially providing hackers with "more machines on which they can re-use these same attack techniques to ultimately compromise the entire Windows environment."

"Because Safe Mode was purposely designed to be lean, it restricts most third-party software, including security tools, from running. As a result, cyber attackers on compromised machines can remotely reboot those machines into Safe Mode to disable and evade endpoint defenses and subsequently launch their attacks. Given the number of Windows systems in use, this risk impacts billions of PCs and servers globally," CyberArk researchers said.

Safe Mode can help hackers immobilise security software

Researchers explained that Windows Safe Mode was first released in 1995, when the terms "cyber" and "security" were still "terms of science fiction". Moreover, the feature was designed to be "lean", which means it restricts most third-party software, including security software.

Because Windows allows applications to prompt users to restart their PCs, hackers can leverage this to covertly restart systems in Safe Mode. Once a system has rebooted into Safe Mode, hackers can change registry keys for antivirus software. Such a change would normally trigger an alert in Normal Mode, but not in Safe Mode. Additionally, hackers could then completely disable security software on infected systems, ensuring that they remain undetected while carrying out malicious tasks.

Hackers can use Safe Mode to steal credentials

This exploit requires hackers to use specific tools and techniques but is, according to the researchers, "much easier than it sounds, and it can typically be done without the user noticing that anything has gone wrong".

Given that Safe Mode offers a lean environment, cybercriminals would need to create, as part of their initial payload, a malicious service that is capable of being loaded in Safe Mode. They then need to register a malicious COM (component object model) object. Once these tools are loaded, the hackers' malicious code will automatically begin operating during the next reboot.

Researchers explained, "If the attacker's goal is to steal credentials for future use, then the attacker actually wants the user to log on to the system. As the user logs in, the attacker can capture the credentials. In this case, the attacker will likely use the COM object technique to execute code that will change the background, look and feel of Safe Mode — making it appear that the user is still in Normal Mode."
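For defenders, the service registration step described above leaves a trace: Windows lists the services and drivers allowed to start in Safe Mode under the SafeBoot\Minimal and SafeBoot\Network registry keys. The following is an added example, not code from CyberArk or from this article, that compares a `reg export` of that key against a known-good baseline; the export excerpt, the baseline and the entry name UpdHelperSvc are constructed for illustration.

```python
import re

# Constructed sample: excerpt of a `reg export` of the SafeBoot key.
# Real exports are UTF-16; read them with open(path, encoding="utf-16").
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UpdHelperSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UpdHelperSvc]
@="Service"
"""

# Constructed baseline, as captured from a known-good image: (mode, entry name).
BASELINE = {("minimal", "appmgmt"), ("network", "appmgmt")}

# Direct children of SafeBoot\Minimal and SafeBoot\Network only.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Control\\SafeBoot\\(Minimal|Network)\\([^\\\]]+)\]$", re.I)
VAL_RE = re.compile(r'^@="(.*)"$')

def parse_safeboot(export_text):
    """Map (mode, name) -> default value ("Service", "Driver", ...)."""
    entries, current = {}, None
    for line in (raw.strip() for raw in export_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = (key.group(1).lower(), key.group(2).lower())
            entries[current] = None
        elif line.startswith("["):
            current = None          # some other key: stop attributing values
        elif current and (val := VAL_RE.match(line)):
            entries[current] = val.group(1)
    return entries

def audit(export_text, baseline):
    """Return (added, removed) Safe Mode entries relative to the baseline."""
    entries = parse_safeboot(export_text)
    added = sorted((m, n, t) for (m, n), t in entries.items() if (m, n) not in baseline)
    removed = sorted(baseline - set(entries))
    return added, removed

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT, BASELINE))
```

An entry that appears in the export but not in the baseline is a service or driver newly permitted to start in Safe Mode and is worth investigating.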

Beware of Safe Mode reboot prompts

All of the exploits explored rely on the hackers tricking users into rebooting their systems into Safe Mode. Researchers noted that randomly forcing users to restart systems may sometimes raise suspicions. Instead, if the cyber-crooks either wait until the next reboot or show the users a malicious message disguised as an "update" and designed to "look like a legitimate Windows pop-up", they can then successfully proceed while remaining undetected and without raising suspicions from users.

CyberArk researchers confirmed that they have notified Microsoft about the issues. However, Microsoft is currently not acting on them, as it does not consider this to be a "valid vulnerability", which "requires an attacker to have already compromised the machine".