Whoa. Sophos researchers just announced that they’ve uncovered 133 malicious drivers signed with legitimate digital certificates, and found 100 of those 133 drivers were signed by Microsoft.

https://news.sophos.com/en-us/2023/07/11/microsoft-revokes-malicious-drivers-in-patch-tuesday-culling/

From the post:

"Today, Microsoft issued Security Advisory ADV230001 as part of their July Windows Update that addresses Sophos’ discovery of more than 100 malicious drivers that had been digitally signed by Microsoft and others, dating as far back as April 2021."

"They also released Knowledge Base article 5029033, which includes new, more detailed information on the technical measures Microsoft has taken to protect against these malicious signed drivers."

https://msrc.microsoft.com/update-guide/vulnerability/ADV230001

https://support.microsoft.com/help/5029033

Today's post about patches from Microsoft and Apple to quash zero-day bugs:

https://krebsonsecurity.com/2023/07/apple-microsoft-patch-tuesday-july-2023-edition/

I wrote recently about one of the bigger names in signing malware as a service:

https://krebsonsecurity.com/2023/06/ask-fitis-the-bear-real-crooks-sign-their-malware/

Microsoft Revokes Malicious Drivers in Patch Tuesday Culling

In December 2022, Microsoft published their monthly Windows Update packages that included an advisory about malicious drivers, signed by Microsoft and other code-signing authorities, that Sophos X-…

Sophos News
Signing is a good security measure to reduce the probability and impact of certain threats, but it's not the definitive security control in the supply chain. If an attacker compromises the supply chain, it is probable that it will have access to the mechanism to sign artifacts with a valid certificate. I don't say it's what has happened in this case, but a fact related to the use of signing.
@florenciocano
I appreciate your sane response and not just "let's hate on #microsoft."
@mikekanakos Sure! I think Microsoft is a fantastic company that is doing many great things!
@briankrebs certificates were designed to help with the trust problem. I don’t know, the older I get the less I think this system works. Users just hit OK anyway, and even if you have a user that doesn’t hit OK, in this case the drivers were signed🤦‍♂️
@briankrebs ugh. The signing ecosystem is intractably broken
Hackers exploit gaping Windows loophole to give their malware kernel access

Microsoft blocks a new batch of system drivers, but the loophole empowering them remains.

Ars Technica
@dangoodin @briankrebs ffs - farming is looking better every day

@jerry @dangoodin @briankrebs

https://i.imgur.com/vbFNbON.jpg

Alt-Text: A comic. The top left panel shows an eager junior engineer being asked where they see themselves in 5 years. The right panel shows their imagination: a movie 'hacker' office: dark, monitors everywhere, rainbow LED keyboard, hoodie. The bottom left panel shows a senior eng. with a 'relaxed' attitude getting the same question. The last panel shows them happy, in overalls and straw hat, on a farm.

@dangoodin @jerry @briankrebs Yes, we have three categories of issue here:

1. Microsoft is signing malicious drivers
2. Microsoft created loopholes for backwards compatibility that are being exploited for gaming and malware
3. People are abusing known vulnerable legitimate drivers

And of course, all of the above is only necessary if SecureBoot is enabled, which it is not on a worryingly large number of computers.

@dangoodin @jerry hoo boy. just added that as an update. thanks!
@dangoodin @jerry @briankrebs one of the things that always boggles me is that people will put this level of effort into CHEATING IN A GAME.
And the kind of shit that results from that mindset is why I avoid multiplayer games like the plague.

@dangoodin @jerry @briankrebs The IMHO only sane way to completely kill the issue of the lost private key for their CA would be to deliver a complete compilation of "really-valid" certificates (all certs ever created by the CA they lost the private key of) to each Windows installation (as online-verification methods could get sabotaged).

But, a) disk space (but hey, when 20 years ago a printer driver was accepted to be 100MB, this shouldn't be much of an issue these days, how many drivers can they have signed?) and b) do they still know what they signed after all these years?

@dangoodin @jerry @briankrebs Wait, did I read one of these pieces of software correctly? Its title is FuckCertTimeValidity with first letter capitalization? This ... can't be good.

@jerry considering it's essentially security snake oil I'd say it approximately works as designed.

What's really surprising me is the consistently absurdly high number of security fixes coming out month after month. Clearly all the bug fixing does not lead to an overall increased security level within windows. There does not seem to be any level of control of code quality.
@briankrebs

@jerry @briankrebs computers and the Internet are intractably broken.

We flew too close to the sun.

@jerry @briankrebs want to have nightmares? The proposed solution to make these signatures quantum safe involves the signing infrastructure keeping state, and leaking the private key if they mess up.

There is a stateless alternative, but it's not yet standardized, so the federal guidelines don't mention it.

@jerry @briankrebs It's OK, the commercial CA industry has come up with a solution to keep themselves relevant by inventing the BIMI standard.
@jerry @briankrebs You only say that because you haven’t looked at the “not signing” ecosystem 😇🤷
@jerry @briankrebs More people should read Peter Gutmann's Engineering Security on that topic.
@briankrebs They were so fast to discover it!  

@briankrebs The question that I have is: if auto install drivers are disabled, and you acquire all of your drivers from the source vendors (Intel, AMD, nVidia, etc), how much does that mitigate the chances of this happening?

The article, from what I read, did not touch upon that angle/possibility.

@briankrebs Whom will we believe... Apple or Microsoft, both with the same problems in their so perfectly guarded OSes
@briankrebs Ars covered this as well, and pointed out that while this patch addresses those specific drivers, the “hole” allowing them to function has existed for years and does nothing to fix it.

@briankrebs Here are some basic steps everyone can take to help mitigate this from happening.

I will be expanding on this in greater detail in the next few days.

Start button - Run:
gpedit.msc

Computer Configuration
- Administrative Templates
 - System
  - Driver Installation
    : Allow non-administrators to install drivers for these device setup classes / DISABLE
    : Turn off Windows Update device driver search prompt / DISABLE

- Administrative Templates
 - Windows Components
  - Windows Updates
    : Do not include drivers with Windows Updates / ENABLE
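The same three policy settings from the post above, applied from an elevated PowerShell session so they can be scripted and verified on many machines, as an added example that is not part of the thread. The registry paths and value names are the policy-to-registry mappings as I understand them from the Windows ADMX templates (an assumption; confirm them against the ADMX files for your build before deploying). It also answers the earlier question about disabling automatic driver installation: these values only constrain how drivers arrive through Windows Update and non-admin installs, they do not block an administrator from installing a signed driver by hand.

```powershell
# Added example, not from the thread author. Assumed policy -> registry mappings:
#   Allow non-administrators to install drivers for these device setup classes = Disabled
#     HKLM\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses = 0
#   Turn off Windows Update device driver search prompt = Disabled
#     HKLM\SOFTWARE\Policies\Microsoft\Windows\DriverSearching\DontPromptForWindowsUpdate = 0
#   Do not include drivers with Windows Updates = Enabled
#     HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate = 1
# Run as Administrator. Requires -RunAsAdministrator makes PowerShell refuse to run otherwise.
#Requires -RunAsAdministrator

$DriverPolicies = @(
    [pscustomobject]@{
        Setting = 'Allow non-administrators to install drivers for these device setup classes (Disabled)'
        Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions'
        Name    = 'AllowUserDeviceClasses'
        Value   = 0
    },
    [pscustomobject]@{
        Setting = 'Turn off Windows Update device driver search prompt (Disabled)'
        Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverSearching'
        Name    = 'DontPromptForWindowsUpdate'
        Value   = 0
    },
    [pscustomobject]@{
        Setting = 'Do not include drivers with Windows Updates (Enabled)'
        Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        Name    = 'ExcludeWUDriversInQualityUpdate'
        Value   = 1
    }
)

function Set-DriverPolicy {
    param([Parameter(Mandatory)] [pscustomobject] $Policy)

    # Policy keys may not exist on a machine that has never had the policy set;
    # New-Item -Force creates the missing path without disturbing existing values.
    if (-not (Test-Path -Path $Policy.Path)) {
        New-Item -Path $Policy.Path -Force | Out-Null
    }
    # DWORD is the type the policy engine writes for these settings.
    Set-ItemProperty -Path $Policy.Path -Name $Policy.Name -Value $Policy.Value -Type DWord
}

function Test-DriverPolicy {
    param([Parameter(Mandatory)] [pscustomobject] $Policy)

    # Read back the value; missing key/value means "Not Configured", not a failure to write.
    $current = $null
    if (Test-Path -Path $Policy.Path) {
        $current = (Get-ItemProperty -Path $Policy.Path -Name $Policy.Name -ErrorAction SilentlyContinue).($Policy.Name)
    }
    [pscustomobject]@{
        Setting  = $Policy.Setting
        Expected = $Policy.Value
        Actual   = if ($null -eq $current) { 'Not Configured' } else { $current }
        Compliant = ($current -eq $Policy.Value)
    }
}

# Apply, then report compliance in a table. Use gpupdate /force afterwards if the
# machine is domain-joined, so a domain GPO does not silently override the local value.
foreach ($p in $DriverPolicies) { Set-DriverPolicy -Policy $p }
$DriverPolicies | ForEach-Object { Test-DriverPolicy -Policy $_ } | Format-Table -AutoSize
```

The Test-DriverPolicy function is the part worth keeping around on its own: running it without the apply loop gives a quick audit of whether a fleet actually has these settings, and a "Not Configured" result distinguishes an untouched machine from one where the value was changed.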

@briankrebs IIRC, Peter Gutmann states in his 'Engineering Security' book draft from April 2014 that we can expect malicious actors to buy and use (code-signing) certificates.

They have the money (often stolen from other people), and most certificate issuers don't really check the buyer's identity for a certificate (=providing an infrastructure of certificate vending machines).