Malicious Microsoft Drivers Could Number in the Thousands, Says Cisco Talos (esecurityplanet.com)
An anonymous reader shared Thursday's report from eSecurity Planet:
After Microsoft warned earlier this week that some drivers certified by the Windows Hardware Developer Program (MWHDP) are being leveraged maliciously, a Cisco Talos security researcher said the number of malicious drivers could number in the thousands.
Talos researcher Chris Neal discussed how the security problem evolved in a blog post. "Starting in Windows Vista 64-bit, to combat the threat of malicious drivers, Microsoft began to require kernel-mode drivers to be digitally signed with a certificate from a verified certificate authority," Neal wrote. "Without signature enforcement, malicious drivers would be extremely difficult to defend against as they can easily evade anti-malware software and endpoint detection." Beginning with Windows 10 version 1607, Neal said, Microsoft has required kernel-mode drivers to be signed by its Developer Portal. "This process is intended to ensure that drivers meet Microsoft's requirements and security standards," he wrote.
Still, there are exceptions — most notably, one for drivers signed with certificates that expired or were issued prior to July 29, 2015. If a newly compiled driver is signed with non-revoked certificates that were issued before that date, it won't be blocked. "As a result, multiple open source tools have been developed to exploit this loophole," Neal wrote. And while Sophos reported that it had uncovered more than 100 malicious drivers, Neal said Cisco Talos "has observed multiple threat actors taking advantage of the aforementioned Windows policy loophole to deploy thousands of malicious, signed drivers without submitting them to Microsoft for verification...."
"Microsoft, in response to our notification, has blocked all certificates discussed in this blog post," he noted.
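An added audit script for defenders, not taken from the article or from Talos: written for Windows PowerShell 5.1, it lists the kernel drivers currently running and flags those whose embedded Authenticode signing certificate was issued before the July 29, 2015 cut-off the summary describes. The date comes from the article; checking the leaf certificate's NotBefore is an assumed heuristic, since Microsoft's policy evaluates the cross-signing chain, not just the leaf.

```powershell
# Added audit example. Heuristic only: compares the leaf signing certificate's
# NotBefore against the 2015-07-29 cut-off described in the article.
$Cutoff = Get-Date -Date '2015-07-29'

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # Win32_SystemDriver reports NT-style paths such as \??\C:\... or
    # \SystemRoot\System32\drivers\foo.sys; normalise them to Win32 paths.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32', "$env:SystemRoot\System32"
    return $p
}

$results = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            Driver      = $_.Name
            Path        = $path
            Status      = $sig.Status
            SigType     = $sig.SignatureType   # Authenticode (embedded), Catalog or None
            Signer      = if ($cert) { $cert.Subject } else { $null }
            CertIssued  = if ($cert) { $cert.NotBefore } else { $null }
            TimeStamped = [bool]$sig.TimeStamperCertificate
            # Flag embedded-signed drivers whose leaf cert predates the cut-off.
            # Catalog-signed inbox drivers are covered by Microsoft's catalogs
            # and are left out of the flag.
            PreCutoff   = ($cert -and $sig.SignatureType -eq 'Authenticode' -and
                           $cert.NotBefore -lt $Cutoff)
        }
    }

# Old signing dates are common for legitimate vendor drivers as well, so treat
# this as a triage list to review by hand, not as a verdict.
$results | Where-Object { $_.PreCutoff -or $_.Status -ne 'Valid' } |
    Sort-Object CertIssued |
    Format-Table Driver, Status, SigType, CertIssued, TimeStamped, Signer -AutoSize
```

Run it from an elevated prompt so every driver image is readable; a driver with Status other than Valid, or with no timestamp, deserves a closer look regardless of its certificate date.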
Obligatory (Score:2)
All your base^H^H^H^Hdrivers are belong to us.
Re: (Score:2)
You also have to factor in that some hardware manufacturers now have removed their drivers so that they no longer can be downloaded, especially for older hardware. This means that many users now have to get them from questionable sites or scrap fully functional hardware that could be quite expensive.
My experience is also that the drivers signed by Microsoft often lag behind and aren't as reliable as the latest drivers from the hardware manufacturer.
From my perspective the current model of the Windows OS an
Re: (Score:2)
Or, of course, you can always install an OS that isn't controlled by Microsoft so that the drivers will be accepted and work just fine.
Re: (Score:2)
If someone gets hold of the database then they'll have the ability to flood the whole network with malware as soon as they have cracked the admin passwords. That's one of the methods that ransomware attackers use and I have seen that personally.
Why would they crack the passwords? Most malware would just pass the hash immediately rather than waiting for some passwords to crack.
Drivers?? (Score:4, Insightful)
What about the whole OS? That thing is malicious too!
Why did I think this was about self-driving cars? (Score:1)
Just askin'.
Re: Why did I think this was about self-driving ca (Score:2)
Re: Why did I think this was about self-driving c (Score:1)
What percentage are malicious? (Score:2)
If only a small percentage are malicious, blocking them all will cause a lot of pain to honest folks.
Over two decades ago ... (Score:5, Informative)
Re: (Score:1)
Are you claiming that extract from an article signed by Bruce Schneier is forged?
Re: (Score:2)
Are you claiming that extract from an article signed by Bruce Schneier is forged?
Naah, definitely genuine, it's signed with a Windows code signing certificate dated... let me see... July 28, 2015.
It's all about the money, not security. (Score:2, Insightful)
The problem is rooted in the fact that signing of drivers and application installers is all about the money.
The "Extended Validation" is just a means to extract more money from developers and has little to do with actual security. Why does Windows still warn about my company's installer, which has been using the same certificate for 6 months now? Perhaps purely so that my company should shell out more money for an Extended Validation code signing certificate?
Re: (Score:2)
Re:It's all about the money, not security. (Score:4, Insightful)
Re: (Score:1)
Well, if the cost of increased security is that literally a handful of driver writers don't get to use their own personally written drivers, I think it's more than a good bargain.
Also, while those EV certs aren't technically sold to individuals, they aren't required to install normal software, either. And you can register a business and get one.
You can call it a racket all you want, but it does enhance security.
Re: (Score:2)
You can call it a racket all you want, but it does enhance security.
So then you're in agreement with Apple's policy which is even more restrictive when it comes to driver signing.
Re: (Score:2)
I don't know Apple's policy, but driver signing is a good thing.
Re: (Score:2)
Re: (Score:2)
"People" here is no more than a few thousand driver experts, right?
Re: (Score:2)
Indeed. Compare that to Linux driver signing (which is part of kernel signing) and you find zero compromises so far. The difference is that the kernel team actually takes security and driver quality seriously and invests work into both. Yes, there have been old drivers that were essentially unmaintained and that had vulnerabilities. But AFAIK, there have been zero successful injections of malicious code into releases of the Linux kernel (or the xBSD kernels) so far, while Windows has tons of them.
The sad tr
Blame open source malware says MICROS~1 (Score:1)
Seriously??? (Score:2)
Re: (Score:2)
And now this is news... Seven years later people are concerned about it?
Sounds like the voiding patterns of the clickbait bird. Once every seven years it swoops down, drops the same shit in your lap, and then flies off pretending you didn't notice.
I know, you'd think more would notice...
Signed timestamp? (Score:2, Informative)
It's been a few years since I was using AuthentiCode (what Microsoft calls the signed binary process), but it used to have a signing timestamp, generated/signed by a third party like Verisign, as one step in the process. This timestamp can't be faked by rolling back the clocks because you ask Verisign (or another well known/trusted party) to provide a digitally signed, cryptographically verifiable fingerprint with the timestamp of the signing.
Verisign signs the timestamp THEY generate from their clocks and it goes
Re: (Score:1)
If there is a 2015 loophole then it should be easy enough for Microsoft to create a "strict driver signing" knob that disallows older drivers. Turn it on by default. Secure by default. Use old hardware at your own risk.
Normal enterprises and home users deserve security.
Re: (Score:2)
It won't take long though - someone somewhere will need a driver that disables the function. It probably takes a cheap Chinese gadget that gets popular, or perhaps an ESP32 or project using an Arduino or Raspberry Pi
Or, chances are, Microsoft
Broken or Hype. Prove one. (Score:2)
"Microsoft, in response to our notification, has blocked all certificates discussed in this blog post,"
And the end result of that was...utter silence from the now-blocked user community allegedly infested with "number in the thousands" malicious intent, which last I checked drivers were kinda important to system stability..?
Seems oddly...quiet.
Not saying unsigned drivers aren't a problem, but let's dial down the turning a fart into a tactical nuke for clickbait's sake already. Shit gets old.
Re: (Score:2)
+5
Good ol' MS. Always crap. (Score:1)
Why we not only tolerate such a 3rd-rate wannabe OS and Office provider, but make it a market leader, is really beyond me. Must be some masochism/self-destruction issue going on. Well, at least it becomes more and more obvious every day that MS just does not have it and cannot do.
Re: (Score:2)
Why we not only tolerate such a 3rd-rate wannabe OS and Office provider, but make it a market leader, is really beyond me. Must be some masochism/self-destruction issue going on. Well, at least it becomes more and more obvious every day that MS just does not have it and cannot do.
Hey c'mon now...have you seen how smooth those mouse drivers are? We're talking glass across Fortune 100 Excel spreadsheets. Spreads numbers like butter outside of those lame integrity-driven financial reporting systems the stiffs always make you install.
Oh, and look. Major Slidedecker is here to present a 724-page military-grade justification as well. Blowfish sashimi will be served to help alter the statistics of death by PowerPoint...
Oh, that kind of driver. (Score:2)
I thought we were talking about New Yorkers.