Whoa. Sophos researchers just announced that they’ve uncovered 133 malicious drivers signed with legitimate digital certificates, and found 100 of those 133 drivers were signed by Microsoft.

https://news.sophos.com/en-us/2023/07/11/microsoft-revokes-malicious-drivers-in-patch-tuesday-culling/

From the post:

"Today, Microsoft issued Security Advisory ADV230001 as part of their July Windows Update that addresses Sophos’ discovery of more than 100 malicious drivers that had been digitally signed by Microsoft and others, dating as far back as April 2021."

"They also released Knowledge Base article 5029033, which includes new, more detailed information on the technical measures Microsoft has taken to protect against these malicious signed drivers."

https://msrc.microsoft.com/update-guide/vulnerability/ADV230001

https://support.microsoft.com/help/5029033

Today's post about patches from Microsoft and Apple to quash zero-day bugs:

https://krebsonsecurity.com/2023/07/apple-microsoft-patch-tuesday-july-2023-edition/

I wrote recently about one of the bigger names in signing malware as a service:

https://krebsonsecurity.com/2023/06/ask-fitis-the-bear-real-crooks-sign-their-malware/

Microsoft Revokes Malicious Drivers in Patch Tuesday Culling

In December 2022, Microsoft published their monthly Windows Update packages that included an advisory about malicious drivers, signed by Microsoft and other code-signing authorities, that Sophos X-…

Sophos News
@briankrebs ugh. The signing ecosystem is intractably broken
Hackers exploit gaping Windows loophole to give their malware kernel access

Microsoft blocks a new batch of system drivers, but the loophole empowering them remains.

Ars Technica
@dangoodin @briankrebs ffs - farming is looking better every day

@jerry @dangoodin @briankrebs

https://i.imgur.com/vbFNbON.jpg

Alt-Text: A comic. The top left panel shows an eager junior engineer being asked where they see themselves in 5 years. The right panel shows their imagination: a movie 'hacker' office: dark, monitors everywhere, rainbow LED keyboard, hoodie. The bottom left panel shows a senior eng. with a 'relaxed' attitude getting the same question. The last panel shows them happy, in overalls and straw hat, on a farm.

@dangoodin @jerry @briankrebs Yes, we have three categories of issue here:

1. Microsoft is signing malicious drivers
2. Microsoft created loopholes for backwards compatibility that are being exploited for gaming and malware
3. People are abusing known vulnerable legitimate drivers

And of course, all of the above is only necessary if Secure Boot is enabled, which it is not on a worryingly large number of computers.

@dangoodin @jerry hoo boy. just added that as an update. thanks!
@dangoodin @jerry @briankrebs one of the things that always boggles me is that people will put this level of effort into CHEATING IN A GAME.
And the kind of shit that results from that mindset is why I avoid multiplayer games like the plague.

@dangoodin @jerry @briankrebs IMHO the only sane way to completely kill the issue of the lost private key for their CA would be to deliver a complete compilation of "really-valid" certificates (all certs ever created by the CA they lost the private key of) to each Windows installation (as online-verification methods could get sabotaged).

But, a) disk space (but hey, when 20 years ago a printer driver was accepted to be 100MB, this shouldn't be much of an issue these days; how many drivers can they have signed?) and b) do they still know what they signed after all these years?

@dangoodin @jerry @briankrebs Wait, did I read one of these pieces of software correctly? Its title is FuckCertTimeValidity with first letter capitalization? This ... can't be good.

@jerry considering it's essentially security snake oil I'd say it approximately works as designed.

What's really surprising me is the consistently absurdly high number of security fixes coming out month after month. Clearly all the bug fixing does not lead to an overall increased security level within Windows. There does not seem to be any level of control of code quality. @briankrebs

@jerry @briankrebs Computers and the Internet are intractably broken.

We flew too close to the sun.

@jerry @briankrebs want to have nightmares? The proposed solution to make these signatures quantum safe involves the signing infrastructure keeping state, and leaking the private key if they mess up.

There is a stateless alternative, but it's not yet standardized, so the federal guidelines don't mention it.
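The post above says a stateful signer "leaks the private key if they mess up". The following is an added illustration, not code from the thread or from any standardised scheme: a toy Lamport one-time signature (the building block of stateful hash-based schemes) in which every signature reveals half of the secret key, so the only thing standing between a second signature and a leak is the persisted "already used" state. All names, the seed-based key derivation and the sample messages are assumptions constructed for the example.

```python
"""Toy Lamport one-time signature: why a stateful hash-based signer must
never reuse a key.  Added example; the seed-based key derivation and
all names here are constructed for illustration only."""
import hashlib

N = 256  # one secret pair per bit of the SHA-256 message digest


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(seed: bytes):
    """Derive the 2*N secret values from a seed (deterministic so the
    example is repeatable); the public key is the hash of each secret."""
    sk = [[H(seed + i.to_bytes(2, "big") + bytes([b])) for b in (0, 1)]
          for i in range(N)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk


def msg_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def sign_raw(sk, msg: bytes):
    # For each digest bit, reveal the matching secret: exactly half the key.
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == N and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, msg_bits(msg))))


class OneTimeSigner:
    """Correct usage: the 'state' is a used flag that must survive restarts,
    restores from backup and fail-over, or the guarantee below is gone."""

    def __init__(self, seed: bytes):
        self.sk, self.pk = keygen(seed)
        self.used = False

    def sign(self, msg: bytes):
        if self.used:
            raise RuntimeError("one-time key already used; refusing to sign")
        self.used = True
        return sign_raw(self.sk, msg)


def revealed_secrets(seed: bytes, messages):
    """Simulate lost state: the same key signs every message.  Pool the
    secrets each signature exposes, indexed by bit position and value."""
    sk, _ = keygen(seed)
    known = [dict() for _ in range(N)]
    for msg in messages:
        for i, (s, b) in enumerate(zip(sign_raw(sk, msg), msg_bits(msg))):
            known[i][b] = s
    return known


def leaked_fraction(known) -> float:
    """Share of the 2*N secret values now public: 0.5 after one signature,
    roughly 0.75 after two distinct messages, approaching 1.0 with more."""
    return sum(len(d) for d in known) / (2 * N)


def can_forge(known, target: bytes) -> bool:
    """True when the pooled leak already contains every secret a valid
    signature on `target` would need, i.e. the key is effectively lost."""
    return all(b in known[i] for i, b in enumerate(msg_bits(target)))


if __name__ == "__main__":
    seed = b"constructed-seed"  # constructed; never derive real keys this way
    signer = OneTimeSigner(seed)
    sig = signer.sign(b"release-1")
    print("valid:", verify(signer.pk, b"release-1", sig))
    k = revealed_secrets(seed, [b"release-1", b"release-2"])
    print("leaked after two signatures:", leaked_fraction(k))
```

The stateless alternative the post mentions avoids the used-flag entirely by never reusing a one-time key in a way an attacker can exploit; with the stateful design shown here, every lost or rolled-back state record is a potential key compromise, which is the operational risk the post is pointing at.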

@jerry @briankrebs It's OK, the commercial CA industry has come up with a solution to keep themselves relevant by inventing the BIMI standard.
@jerry @briankrebs You only say that because you haven’t looked at the “not signing” ecosystem 😇🤷
@jerry @briankrebs More people should read Peter Gutmann's Engineering Security on that topic.