Hackers exploit gaping Windows loophole to give their malware kernel access

Cheaters, downloading questionable software, get compromised, how quaint. I have no sympathy.
Read the article.

The exploit is in Windows itself. Cheaters use it for their own ends, yes, but it's also being used, independently, by malware authors.

You don't need to be using cheat software in order to be hit by this problem, in other words. Your entire premise is wrong. Your thinking is bad, and you should feel bad.
 
Upvote
137 (144 / -7)

LodeRunner

Ars Tribunus Militum
2,545
Cheaters, downloading questionable software, get compromised, how quaint. I have no sympathy.
That's a gross misread of the article and the issue. The tools are used by cheaters, yes, but they have been taken by APT groups and integrated into their stuff to allow them to sign drivers after they make their initial exploit.

I'm a fan of ripping off the bandaid here and having MS issue a Windows Update that doesn't just revoke, but removes the expired signing certs and expired root certs from the store.

It would certainly give me leverage to go after my own dev group to update and re-sign some of their incredibly ancient stuff.
 
Upvote
73 (75 / -2)

Schpyder

Ars Tribunus Angusticlavius
9,946
Subscriptor++
This is one time I think Microsoft should take a page out of Apple's book and be a little more strict on their security in a way to force the vendor to clean up their own messes and do things right. Is it really Microsoft breaking it if vendor's processes/security was broken from the get-go?

It's a cute thought, but the huge reach of MS OSes and gajillions of tiny vendors mean there's thousands of companies out there relying on drivers for one-of-a-kind hardware from vendors that likely don't even exist anymore. I know it's hard for people on the pure software side of things to grok, but if you're a small manufacturing concern, maybe a dozen or so people, running some specialized CNC hardware, your vendor going up in smoke is no reason to shut down operations or spend millions replacing perfectly functional hardware just because Microsoft decided to blacklist the drivers. Even mid-sized concerns will find themselves in this sort of situation on the regular.

The one OS provider that by-and-large lets people just get on with their work pulling the rug out from under countless companies in the name of plugging a security hole that already requires administrative access would justifiably be met with countless lawsuits.
 
Upvote
62 (77 / -15)

rjd185

Ars Scholae Palatinae
784
Subscriptor
It's a cute thought, but the huge reach of MS OSes and gajillions of tiny vendors mean there's thousands of companies out there relying on drivers for one-of-a-kind hardware from vendors that likely don't even exist anymore. I know it's hard for people on the pure software side of things to grok, but if you're a small manufacturing concern, maybe a dozen or so people, running some specialized CNC hardware, your vendor going up in smoke is no reason to shut down operations or spend millions replacing perfectly functional hardware just because Microsoft decided to blacklist the drivers. Even mid-sized concerns will find themselves in this sort of situation on the regular.

The one OS provider that by-and-large lets people just get on with their work pulling the rug out from under countless companies in the name of plugging a security hole that already requires administrative access would justifiably be met with countless lawsuits.
It would still be reasonable to make this a system policy for opt-in, or potentially opt-out, so that unless you need this vulnerability left open, you have the option to close it (as already mentioned in another comment).
 
Upvote
82 (83 / -1)
It would still be reasonable to make this a system policy for opt-in, or potentially opt-out, so that unless you need this vulnerability left open, you have the option to close it (as already mentioned in another comment).
It really seems odd that this isn't the default approach. It'd be incredibly easy to identify situations where a cert is exempt from the signing check and block the executable unless the user goes through some serious admin hoops with some big "Are you SURE?" sorts of messages.

Very very few people would be angry about that change and you pretty much completely nip the issue in the bud. Good CYA for Microsoft, better security for everyone, and those legendary unsupported CNC machines can keep chugging along with admins understanding that the systems are at a higher risk due to the unsigned certs.
 
Upvote
64 (64 / 0)

afidel

Ars Legatus Legionis
18,192
Subscriptor
It would still be reasonable to make this a system policy for opt-in, or potentially opt-out, so that unless you need this vulnerability left open, you have the option to close it (as already mentioned in another comment).
The problem, if I understand it correctly, is that exploiting this vulnerability already requires administrator credentials, so any opt-in mechanism would be worthless as the process running as the admin user could simply modify the policy from opt-out to opt-in. In fact I'm not sure there's an effective mitigation as any updated DLLs could likely just be rolled back to vulnerable versions, or the attacker could redirect the function calls to a vulnerable DLL version in another location. Basically if you have administrator permissions you already effectively have SYSTEM permissions as you can undo any security mechanism that's put in place.
 
Upvote
54 (55 / -1)

DeschutesCore

Ars Scholae Palatinae
1,079
Cheaters, downloading questionable software, get compromised, how quaint. I have no sympathy.
That is not remotely what is happening here, nor is that what the article said.

Cheating programs need unfettered access to a level of the system above / beyond what anti-cheat / anti-piracy functions actively search for. The only way to do that is to hide in the kernel. These programs found on GitHub enable a developer to write cheats that have kernel level access. These tools existing enables hackers to hide their malware better.
 
Upvote
35 (35 / 0)

mehj

Wise, Aged Ars Veteran
157
Read my post again. I said nothing about the exploit or patching. My comment was regarding the cheaters who got compromised. You failed to comprehend. Your thinking is bad, and you should feel bad.

You've fundamentally misunderstood the article. A potential victim wouldn't need to download the cheating tools, or be any sort of cheater. This is about malicious drivers that have been fraudulently signed using those cheating tools, to bypass signing verification on any vulnerable Windows installation.

Unless your definition of "cheater" is "someone who downloads a device driver from the internet" you should probably reread the article.
 
Upvote
58 (60 / -2)

alansh42

Ars Praefectus
3,624
Subscriptor++
The problem, if I understand it correctly, is that exploiting this vulnerability already requires administrator credentials, so any opt-in mechanism would be worthless as the process running as the admin user could simply modify the policy from opt-out to opt-in. In fact I'm not sure there's an effective mitigation as any updated DLLs could likely just be rolled back to vulnerable versions, or the attacker could redirect the function calls to a vulnerable DLL version in another location. Basically if you have administrator permissions you already effectively have SYSTEM permissions as you can undo any security mechanism that's put in place.
The blacklists themselves are deliberately designed to be difficult to roll back, at least without reverting a snapshot of the OS. That also means that you can't just try it and back it out if there's a problem.

But you're right that a policy could be worked around.
 
Upvote
9 (10 / -1)
Please don't jump on me for my utter ignorance. I can use Certificate Manager and find installed certificates on my system. Wouldn't Microsoft be able to incorporate a similar function into Windows Defender that searches the current user certificate list and compares the user list to a list held by MS of known exploited certificates and informs the user of such a detection? Wouldn't Microsoft have a list of trusted driver devs they could use to build such a list? Or are code signing certificates totally different from driver certificates? I mean I can generate a temp/local certificate using PowerShell, and then in Visual Studio sign my code. Just trying to understand the certificate relationship here.
 
Upvote
6 (7 / -1)
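The question above (checking the signing certificates on a system against a list of known-abused ones) can be approximated today with built-in cmdlets, without waiting for Defender to do it. The following is an added example, not code from the article or from any commenter: it walks the kernel driver directory, reads each driver's Authenticode signature, and reports the signer certificate's validity window, whether the signature carries a trusted timestamp, and whether the signer thumbprint appears on a blocklist. The blocklist thumbprint, the driver directory as the only search location, and the choice of triage conditions are all assumptions of this example; the thumbprint value is made up.

```powershell
# Added example (not from the article or any commenter): triage the signing
# certificates of installed kernel drivers with built-in PowerShell cmdlets.
# Run from an elevated PowerShell prompt on the machine being inspected.

# Assumption for illustration: the directory Windows loads most kernel drivers from.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# Assumption for illustration: a defender-maintained list of SHA-1 thumbprints of
# signing certificates known to have been abused. This value is constructed, not real.
$knownBadThumbprints = @(
    '0000000000000000000000000000000000000000'
)

function Get-DriverSignatureReport {
    param([string]$Path = $driverDir)

    Get-ChildItem -Path $Path -Filter '*.sys' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate

        # Pull the signer's fields out only when an embedded signature is present.
        $subject = $null; $thumb = $null; $notBefore = $null; $notAfter = $null
        if ($cert) {
            $subject   = $cert.Subject
            $thumb     = $cert.Thumbprint
            $notBefore = $cert.NotBefore
            $notAfter  = $cert.NotAfter
        }

        [pscustomobject]@{
            Driver        = $_.Name
            Status        = $sig.Status               # Valid, NotSigned, HashMismatch, ...
            Subject       = $subject
            Thumbprint    = $thumb
            NotBefore     = $notBefore
            NotAfter      = $notAfter
            # A countersignature timestamp is what lets a signature outlive its certificate.
            Timestamped   = [bool]$sig.TimeStamperCertificate
            SignerExpired = if ($cert) { $notAfter -lt (Get-Date) } else { $false }
            KnownBad      = if ($cert) { $knownBadThumbprints -contains $thumb } else { $false }
        }
    }
}

$report = Get-DriverSignatureReport

# Worth a second look: a blocklisted signer, an expired signer with no timestamp
# (the signature should not verify at all in that case), or any non-Valid status.
$report |
    Where-Object { $_.KnownBad -or ($_.SignerExpired -and -not $_.Timestamped) -or $_.Status -ne 'Valid' } |
    Sort-Object Driver |
    Format-Table Driver, Status, Subject, NotBefore, NotAfter, Timestamped, KnownBad -AutoSize
```

Two caveats for anyone running this. First, in-box Windows drivers are mostly catalog-signed rather than carrying an embedded signature, so a non-Valid status from this cmdlet is a reason to look closer, not proof of anything. Second, this only reflects what is on disk and what the certificate says about itself; it cannot tell you whether a particular signer was granted one of the policy exceptions the article describes, because that decision lives in the kernel's code-integrity logic, not in the certificate.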

mehj

Wise, Aged Ars Veteran
157
“The software comes in the form of two software tools that are available on GitHub. Cheaters use them to digitally sign malicious system drivers so they can modify video games in ways that give the player an unfair advantage.”

I did not misunderstand the article. I was commenting on the cheaters who got compromised. I did not comment on the compromise. Put on your big boy panties.

Congratulations on making it to the second paragraph! You should strongly consider reading the rest to learn that the people who cheat with these tools and the people who get compromised via exploits generated via these tools are separate cohorts.
 
Upvote
67 (67 / 0)

DeschutesCore

Ars Scholae Palatinae
1,079
“The software comes in the form of two software tools that are available on GitHub. Cheaters use them to digitally sign malicious system drivers so they can modify video games in ways that give the player an unfair advantage.”

I did not misunderstand the article. I was commenting on the cheaters who got compromised. I did not comment on the compromise. Put on your big boy panties.
I really wish being this stupid was painful. I mean, we all know it's a troll at this point, but holy shit this is just lazy.
 
Upvote
55 (58 / -3)

SplatMan_DK

Ars Tribunus Angusticlavius
8,250
Subscriptor++
I really wish being this stupid was painful. I mean, we all know it's a troll at this point, but holy shit this is just lazy.
In the early 90s we would complain that they were wasting valuable network bytes. What's the contemporary version of that?
 
Upvote
28 (30 / -2)

passivesmoking

Ars Tribunus Angusticlavius
8,555
“The software comes in the form of two software tools that are available on GitHub. Cheaters use them to digitally sign malicious system drivers so they can modify video games in ways that give the player an unfair advantage.”
And then hacking groups have been using these tools to sign malware instead of game cheating tools. Which you'd know if you'd RTFA.

I wonder if Ars' web team can implement something in JavaScript that disables your ability to comment on an article until you've scrolled the page to the bottom in a time that's consistent with actually reading the article? That way people can't post stuff by the time they've got as far as the second paragraph.

Of course it wouldn't stop people with terrible reading comprehension skills, but it'd be something.
 
Upvote
33 (34 / -1)

clewis

Ars Tribunus Militum
1,773
Subscriptor++
And then hacking groups have been using these tools to sign malware instead of game cheating tools. Which you'd know if you'd RTFA.

I wonder if Ars' web team can implement something in Javascript that disables your ability to comment on an article until you've scrolled the page to the bottom in a time that's consistent with actually reading the article? That way people can't post stuff by the time they've got as far as the second paragraph.

Of course it wouldn't stop people with terrible reading comprehension skills, but it'd be something.
There have been times that I've posted before finishing the article. Mostly on longer articles where I know I'll forget what I wanted to say by the time I finish. In those cases, I do search the article and comments to see if my thought was addressed or made by somebody else. It's not perfect, but I think I've only looked stupid once*, because a poster made the same comment, but didn't quote the article text.

I think the timer would annoy me. I'm generally considered a fast reader. I don't speed read, but pretty much the only people that read faster than I do are speed readers. If they implemented a timer, I'm sure I'd be pulling up the console within a week.

* For this reason; I look stupid plenty often for other reasons.
 
Upvote
-2 (7 / -9)

Kazper

Ars Praefectus
4,283
Subscriptor
Just allow me to be notified of any driver installs - signed or unsigned - and reject them if I want.

It's all I want Microsoft to do.

They cannot really close the hole since it's fundamental to allowing drivers with kernel access, but they can allow me to at least bring my knowledge and caution into play so I know what drivers are installed when something I try to install goes behind my back.
 
Upvote
15 (16 / -1)
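Windows does not prompt on driver installation the way the post above asks for, but it does leave a record: every new service, including kernel-mode driver services, produces a Service Control Manager event 7045 ("A service was installed in the system") in the System log. The following is an added example, not code from the article or from any commenter, that pulls those events and keeps only the kernel-mode driver entries, so an admin can at least review after the fact what went in behind their back. The 30-day look-back, the path normalisation rules, and the "outside the drivers directory" heuristic are assumptions of this example.

```powershell
# Added example (not from the article or any commenter): list kernel-mode driver
# services installed on this machine, from Service Control Manager event 7045.
# Run from an elevated PowerShell prompt.

# Service image paths in 7045 events come in several spellings; normalise them so
# they can be compared and opened. The rules here are an assumption of this example.
function Convert-ServiceImagePath {
    param([string]$ImagePath)
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                       # \??\C:\path  -> C:\path
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\ -> C:\Windows\
    if ($p -match '^(?i)system32\\') {                      # system32\... -> C:\Windows\system32\...
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-RecentDriverInstalls {
    param([int]$Days = 30)   # look-back window: a constructed choice

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The event's named data fields are easiest to read from its XML form.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $image = Convert-ServiceImagePath -ImagePath $data['ImagePath']
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $data['ServiceName']
            ServiceType = $data['ServiceType']   # e.g. "kernel mode driver" (localised text)
            StartType   = $data['StartType']
            InstalledBy = $data['AccountName']
            ImagePath   = $image
            # Heuristic, not a verdict: legitimate drivers usually live under System32\drivers.
            OutsideDriverDir = -not $image.StartsWith($driverDir, [System.StringComparison]::OrdinalIgnoreCase)
            Exists      = Test-Path -LiteralPath $image
        }
    } |
    Where-Object { $_.ServiceType -like '*kernel*' }
}

Get-RecentDriverInstalls -Days 30 |
    Sort-Object Time -Descending |
    Format-Table Time, ServiceName, InstalledBy, OutsideDriverDir, Exists, ImagePath -AutoSize
```

This is detection, not prevention, and it inherits the limitation raised elsewhere in the thread: an attacker who already holds administrator rights can clear the System log or install the driver in a way that never hits the SCM. Forwarding the System log to a collector the local admin cannot write to is what makes the record worth anything.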

Yaoshi

Ars Scholae Palatinae
774
And this is why we need Microsoft to either make it impossible to install kernel mode drivers without user interaction (like Apple has been doing for a while: if an app tries to install a kernel extension the user needs to go in settings and allow it to happen there), OR (better approach) start turning the screws in various ways to make software devs use MSIX and app containers. There is no reason to require elevation to install most apps (think something like Skype or Word) when you can have a system component copy files where they need to and create start shortcuts, and most apps have no business touching anything beyond their own files and some isolated, per user storage. More extensive but justified stuff can be handled with app permissions.

The tech is already built in Windows, it's just that MS has seemingly given up pushing for adoption.
 
Upvote
-3 (8 / -11)

Rosyna

Ars Tribunus Angusticlavius
6,966
Why not opt-in instead of no opt for those users that need legacy expired drivers to work?
Or a process in which even if it uses an old certificate, it still has to be approved by the user explicitly, requiring a restart to enable? And then only allowing third-party kernel drivers if the user has explicitly chosen to run in a “Reduced Security” mode.

https://developer.apple.com/library/archive/technotes/tn2459/_index.html
https://support.apple.com/guide/security/kernel-extensions-sec8e454101b/web
 
Upvote
9 (9 / 0)

passivesmoking

Ars Tribunus Angusticlavius
8,555
There have been times that I've posted before finishing the article. Mostly on longer articles where I know I'll forget what I wanted to say by the time I finish. In those cases, I do search the article and comments to see if my thought was addressed or made by somebody else. It's not perfect, but I think I've only looked stupid once*, because a poster made the same comment, but didn't quote the article text.

I think the timer would annoy me. I'm generally considered a fast reader. I don't speed read, but pretty much the only people that read faster than I do are speed readers. If they implemented a timer, I'm sure I'd be pulling up the console within a week.

* For this reason; I look stupid plenty often for other reasons.
That's fair enough, though I think it's only fair to point out that I was being rather facetious. It was more an expression of frustration at somebody who clearly hasn't read (or understood) more than 2 paragraphs of the article whilst pontificating and passing judgement on a subject they're not qualified to comment on than a serious feature request.
 
Upvote
7 (8 / -1)

andreihabalau

Smack-Fu Master, in training
12
Subscriptor
Why not opt-in instead of no opt for those users that need legacy expired drivers to work?
Just wondering how that would help in any way, seeing that this exploit requires Administrative privileges, meaning that the attackers can do whatever they want on the system, like opt-in for this policy?
Or a process in which even if it uses an old certificate, it still has to be approved by the user explicitly, requiring a restart to enable? And then only allowing third-party kernel drivers if the user has explicitly chosen to run in a “Reduced Security” mode.
This would probably help a lot more than opt-in/opt-out as the user will have a heads up that something is wrong when they see the warning message that they run in "Reduced Security" mode.
 
Upvote
2 (5 / -3)
This is one time I think Microsoft should take a page out of Apple's book and be a little more strict on their security in a way to force the vendor to clean up their own messes and do things right. Is it really Microsoft breaking it if vendor's processes/security was broken from the get-go?
Apple is not a good comparison. It, as well as Microsoft, continues the mantra of "push it out the door, patch it later". It's not a good policy, and pretty much proves that nothing is secure in software or hardware; look at Intel, and even an M1 flaw in Apple silicon. Can't imagine there aren't more, but Apple Legal does their best.
And this, let's just make a new OS, and sell more hardware because we won't support older devices, e.g. drivers, because they aren't signed 2.0...
 
Upvote
-14 (2 / -16)
Read my post again. I said nothing about the exploit or patching. My comment was regarding the cheaters who got compromised. You failed to comprehend. Your thinking is bad, and you should feel bad.
OMFDodo READ THE DAMN ARTICLE DUMBASS

This isn't malware targeting cheaters! It's malware makers using software commonly used by cheaters to deploy their malware.

You shouldn't feel bad, You should feel like a complete fucking ignorant idiot at this point. Why the hell are you here if you aren't reading shit? Do you also go to the grocery store to look at groceries and then buy nothing and go home and eat water?
 
Upvote
9 (16 / -7)

DeschutesCore

Ars Scholae Palatinae
1,079
Fuqing Yuntan Network…

???

We sure this is not a parody name?
Yes, we're sure.
 
Upvote
10 (11 / -1)

johnwolf234

Smack-Fu Master, in training
67
Honestly really hope we get greater protections against bogus drivers like this sooner rather than later.

Not only to prevent this kind of vulnerability, but to take away the justification for kernel-level anticheat by removing kernel-level cheats (or at least, as others say, make it an opt-in for those that need it, and allow software to query the status of that toggle).
 
Upvote
2 (2 / 0)

DeschutesCore

Ars Scholae Palatinae
1,079
Honestly really hope we get greater protections against bogus drivers like this sooner rather than later.

Not only to prevent this kind of vulnerability, but to take away the justification for kernel-level anticheat by removing kernel-level cheats (or at least, as others say, make it an opt-in for those that need it, and allow software to query the status of that toggle).
Cheating tools are merely a byproduct of the ability to access the lowest rings of the kernel. There exists a need for developers and applications to be able to reach into the kernel, with the appropriate security levels, to access certain things. SMBIOS, DMI tables, reading any internal ports and talking to the hardware. It's tricky and there are considerations to be made.

I don't want things to be the way they are, but there is a reason these functions are there and locking them down fundamentally changes Windows. Additionally, backwards compatibility would be damaged.

To protect against cheats they can't allow a read/write unfettered, they have to compare every access attempt against a list of some kind, making things insanely slower. If this was a problem that had a sensible fix it would be there by now.

Moral of story: They can do what you want, but EVERYTHING would slow down.
 
Upvote
4 (4 / 0)