Hackers can exploit Safe mode in Windows to launch security attacks

Reading time icon 2 min. read


Readers help support Windows Report. When you make a purchase using links on our site, we may earn an affiliate commission. Tooltip Icon

Read the affiliate disclosure page to find out how can you help Windows Report effortlessly and without spending any money. Read more

When you think of Safe Mode, your first association is reduced risk from malicious attack for your computer. As Safe Mode runs only essential, first party programs in Windows, it is often used for fixing various security and other system problems.

However, there’s one contradiction. Although Safe Mode’s purpose is to provide a risk-free environment, it can actually leave your computer in danger if a hacker takes a full advantage out of it. According to researchers at CyberArk Labs, while not running the majority of programs is actually good for your security, it can also be very bad at the same time.

If an attacker has remote access to a user’s computer, he can boot into Safe Mode and launch an attack. Since all potential security programs and antiviruses are turned off, there would be nothing to stop a malicious software.

“Sure, the attacker can arbitrarily force a restart, but this will likely look suspicious to the user and prompt a phone call to the IT team,” says CyberArk researcher Doron Naim writing on the company’s blog. “Instead, to stay under the radar, the attacker can also either wait until the next restart or show the victim an ‘update’ window with a message that says the PC must be rebooted. This ‘update’ window can purposely be designed to look like a legitimate Windows pop-up”.

Once attackers are in Safe Mode, they can easily capture important user data like credentials and even execute pass-the-hash attacks to break into other computers on the same network.

Although completely removing this risk is almost impossible, there are some security measures recommended for enterprises. Admins can remove administrator privileges from normal users so that attackers are not able to switch from Normal to Safe mode, rotate privileged credentials, make security tools available in Safe Mode, and continuously monitor any suspicious activity that involves PCs booting into Safe Mode.

RELATED STORIES YOU NEED TO CHECK OUT:

More about the topics: security, windows tips