Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Windows Microsoft Security

Malicious Microsoft Drivers Could Number in the Thousands, Says Cisco Talos (esecurityplanet.com) 36

An anonymous reader shared Thursday's report from eSecurity Planet: After Microsoft warned earlier this week that some drivers certified by the Windows Hardware Developer Program (MWHDP) are being leveraged maliciously, a Cisco Talos security researcher said the number of malicious drivers could number in the thousands.

Talos researcher Chris Neal discussed how the security problem evolved in a blog post. "Starting in Windows Vista 64-bit, to combat the threat of malicious drivers, Microsoft began to require kernel-mode drivers to be digitally signed with a certificate from a verified certificate authority," Neal wrote. "Without signature enforcement, malicious drivers would be extremely difficult to defend against as they can easily evade anti-malware software and endpoint detection." Beginning with Windows 10 version 1607, Neal said, Microsoft has required kernel-mode drivers to be signed by its Developer Portal. "This process is intended to ensure that drivers meet Microsoft's requirements and security standards," he wrote.

Still, there are exceptions — most notably, one for drivers signed with certificates that expired or were issued prior to July 29, 2015. If a newly compiled driver is signed with non-revoked certificates that were issued before that date, it won't be blocked. "As a result, multiple open source tools have been developed to exploit this loophole," Neal wrote. And while Sophos reported that it had uncovered more than 100 malicious drivers, Neal said Cisco Talos "has observed multiple threat actors taking advantage of the aforementioned Windows policy loophole to deploy thousands of malicious, signed drivers without submitting them to Microsoft for verification...."

"Microsoft, in response to our notification, has blocked all certificates discussed in this blog post," he noted.

This discussion has been archived. No new comments can be posted.

Malicious Microsoft Drivers Could Number in the Thousands, Says Cisco Talos

Comments Filter:
  • All your base^H^H^H^Hdrivers are belong to us.

    • by Z00L00K ( 682162 )

      You also have to factor in that some hardware manufacturers now have removed their drivers so that they no longer can be downloaded, especially for older hardware. This means that many users now have to get them from questionable sites or scrap fully functional hardware that could be quite expensive.

      My experience is also that the drivers signed by Microsoft often lags behind and aren't as reliable as the latest drivers from the hardware manufacturer.

      From my perspective the current model of the Windows OS an

      • This means that many users now have to get them from questionable sites or scrap fully functional hardware that could be quite expensive.

        Or, of course, you can always install an OS that isn't controlled by Microsoft so that the drivers will be accepted and work just fine.
      • by Bert64 ( 520050 )

        if someone gets hold of the database then they'll have the ability to flood the whole network with malware as soon as they have cracked the admin passwords. That's one of the methods that ransomware attackers use and I have seen that personally.

        Why would they crack the passwords? Most malware would just pass the hash immediately rather than waiting for some passwords to crack.

  • Drivers?? (Score:4, Insightful)

    by backslashdot ( 95548 ) on Saturday July 15, 2023 @11:05PM (#63689483)

    What about the whole OS? That thing is malicious too!

  • If only a small percentage are malicious, blocking them all will cause a lot of pain to honest folks

  • by NZheretic ( 23872 ) on Sunday July 16, 2023 @12:47AM (#63689573) Homepage Journal
    Crypto-Gram January 15, 2002 by Bruce Schneier [schneier.com]

    Honestly, security experts don't pick on Microsoft because we have some fundamental dislike for the company. Indeed, Microsoft's poor products are one of the reasons we're in business. We pick on them because they've done more to harm Internet security than anyone else, because they repeatedly lie to the public about their products' security, and because they do everything they can to convince people that the problems lie anywhere but inside Microsoft. Microsoft treats security vulnerabilities as public relations problems. Until that changes, expect more of this kind of nonsense from Microsoft and its products. (Note to Gartner: The vulnerabilities will come, a couple of them a week, for years and years ... until people stop looking for them. Waiting six months isn't going to make this OS safer.)

  • The problem is rooted in the fact that signing of drivers and application installers is all about the money.

    The "Extended Validation" is just a means to extract more money from developers and has little to do with actual security. Why does Windows still warn about my company's installer, which has been using the same certificate for 6 months now? Perhaps purely so that my company should shell out more money for an Extended Validation code signing certificate?

    • It has been their, meaning Microsoft's first line of defense against bad drivers for a long time now, Bill Gates said that much. The regression in policy and allowing useless complexity is what's hard to understand.
    • by fafalone ( 633739 ) on Sunday July 16, 2023 @08:15AM (#63689873)
      It's a racket all right. Those EV certs *start* at $450 for the cert itself, plus the costs of registering a company, since they don't sell them to individuals. There's no programs for non-commercial open source, not even for self-signing-- if I, as a hobbyist, want to use my own driver exclusively on my own computer, I can't do that, without disabling all driver security completely, with the possible exception of a complex, lengthy process on the Enterprise edition they don't sell to individuals, that's highly undocumented and likely to be deliberately broken in the future.
      • Well, if the cost of increased security is that literally a handful of driver writers don't get to used their own personally written drivers, I think it's more than a good bargain.

        Also, while those EV certs aren't technically sold to individuals, they aren't required to install normal software, either. And you can register a business and get one.

        You can call it a racket all you want, but it does enhance security.

        • You can call it a racket all you want, but it does enhance security.

          So then you're in agreement with Apple's policy which is even more restrictive when it comes to driver signing.

          • I don't know Apple's policy, but driver signing is a good thing.

            • But charging a fortune, making no exceptions for nonprofit uses, not selling to individuals, and forbidding self-signing for your own use, absolutely are not. The latter can make things more dangerous; Microsoft had to crack down yet again and make people disable all driver security every boot, because people would turn it off permanently to install things. Fewer people do that, but it's still a risk. I certainly don't like doing it. And that's after they took away per-driver exceptions to signing. Self-sig
    • by gweihir ( 88907 )

      Indeed. Compare that to Linux driver signing (which is part of kernel signing) and you find zero compromises so far. The difference is that the kernel team actually takes security and driver quality seriously and invests work into both. Yes, there have been old drivers that were essentially unmaintained and that had vulnerabilities. But AFAIK, there have been zero successful injections of malicious code into releases of the Linux kernel (or the xBSD kernels) so far, while Windows has tons of them.

      The sad tr

  • ‘Still, there are exceptions — most notably, one for drivers signed with certificates that expired or were issued prior to July 29, 2015. If a newly compiled driver is signed with non-revoked certificates that were issued before that date, it won't be blocked. "As a result, multiple open source tools have been developed to exploit this loophole,"’
  • And now this is news. Since the update referenced was 1607, if I recall the numbering of updates then this occurred in 2016. Seven years latter people are concerned about it?
    • And now this is news....Seven years latter people are concerned about it?

      Sounds like the voiding patterns of the clickbait bird. Once every seven years it swoops down, drops the same shit in your lap, and then flies off pretending you didn't notice.

      I know, you'd think more would notice...

  • Signed timestamp? (Score:2, Informative)

    by BitZtream ( 692029 )

    It's been a few years since I was using AuthentiCode (what Microsoft calls the signed binary process), but it used to have signing timestamp, generated/signed by a third party like versign, as one step in the process. This timestamp can't be faked by rolling back the clocks because you ask Verisign (or other well known/trusted party) to provide a digitally signed/cryptographic verifiable finger print with the timestamp of the signing.

    Verisign signs the timestamp THEY generate from their clocks and it goes

    • If there is a 2015 loophole then it should be easy enough for Microsoft to create a "strict driver signing" knob that disallows older drivers. Turn it on by default. Secure by default. Use old hardware at your own risk.

      Normal enterprises and home users deserve security.

      • by tlhIngan ( 30335 )

        If there is a 2015 loophole then it should be easy enough for Microsoft to create a "strict driver signing" knob that disallows older drivers. Turn it on by default. Secure by default. Use old hardware at your own risk.

        Normal enterprises and home users deserve security.

        It won't take long though - someone somewhere will need a driver that disables the function. It probably takes a cheap Chinese gadget that gets popular, or perhaps an ESP32 or project using an Arduino or Raspberry Pi

        Or, chances are, Microsoft

  • "Microsoft, in response to our notification, has blocked all certificates discussed in this blog post,"

    And the end result of that was...utter silence from the now-blocked user community allegedly infested with "number in the thousands" malicious intent, which last I checked drivers were kinda important to system stability..?

    Seems oddly...quiet.

    Not saying unsigned drivers isn't a problem, but let's dial down the turning a fart into a tactical nuke for clickbaits sake already. Shit gets old.

  • Why we not only tolerate such a 3rd rated wannabe OS and Office provider, but make it a market leader, is really beyond me. Must be some masochism/self-destruction issue going on. Well, at least it becomes more and more obvious every day that MS just does not have it and cannot do.

    • Why we not only tolerate such a 3rd rated wannabe OS and Office provider, but make it a market leader, is really beyond me. Must be some masochism/self-destruction issue going on. Well, at least it becomes more and more obvious every day that MS just does not have it and cannot do.

      Hey c'mon now...have you seen how smooth those mouse drivers are? We're talking glass across Fortune 100 Excel spreadsheets. Spreads numbers like butter outside of those lame integrity-driven financial reporting systems the stiffs always make you install.

      Oh, and look. Major Slidedecker is here to present a 724-page military-grade justification as well. Blowfish sashimi will be served to help alter the statistics of death by PowerPoint...

  • I thought we were talking about New Yorkers.

A bug in the hand is better than one as yet undetected.

Working...