How a Microsoft blunder opened millions of PCs to potent malware attacks

Discussion in 'other security issues & news' started by BoerenkoolMetWorst, Oct 15, 2022.

  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    How a Microsoft blunder opened millions of PCs to potent malware attacks
    Microsoft said Windows automatically blocked dangerous drivers. It didn't.
    https://arstechnica.com/information-technology/2022/10/how-a-microsoft-blunder-opened-millions-of-pc
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    The entire Microsoft Windows code if you ask me is mostly now rendered OBSOLETE. I screamed until blue in the face for years that they needed (long time ago) to recode the entire structure that makes up the windows system (so far as security is concerned).
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Wait a minute, I think I may have misunderstood this Windows flaw. At first I assumed that malware will always have to load a legitimate but exploitable driver, but now I'm reading that malware can even abuse already installed vulnerable drivers. Is this some kind of joke? How does Windows even allow this? Or am I misunderstanding? :confused:
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    A driver is just another piece of software in the end, and vulnerable software can be exploited. If you want users to be able to install 3rd party drivers, not very much can be done about that afaik.
    Though for attackers, bringing your own legitimate exploitable driver is probably easier, as you're not dependent on which driver a user has installed, and you can choose one that is easy to exploit.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Oh it gets better @Rasheed187 - I imagine before too very long that it will be announced and make headlines that Windows 11 has developed (for lack of a better word) an inherent flaw in one or more of its mechanisms. Which you can be sure the dissectors and reversers are already fully engaged in.

    Headlines equals advertising dollars
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I believe you didn't understand my question. From what I've read, also in other articles, apps (malicious or not) can communicate with and exploit certain drivers that are already present on the system. This would be a huge flaw in the Windows OS design in my view.

    Because this would mean that any app can disable driver hooks, without even having to load a malicious rootkit driver itself. You would hope that Windows had some type of built-in protection against this, similar to PatchGuard which prevents apps from loading drivers that can mess around with the Windows kernel.
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    I did understand the question. How would drivers be able to function if programs cannot communicate with them? Not much can be done about damage control in a monolithic OS.
     
  8. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    Exactly. The problem isn't really limited to Windows. This is related to the way OSes that allow installing any driver, and that are based on a monolithic/hybrid kernel, work on current computers with current CPUs.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    What I meant is that malware.exe should have no business communicating with RTCore64.sys which is MSI Afterburner's vulnerable driver, which was recently used to disable security tools. Especially if it isn't even loaded by this malware.exe tool that's running in user space. So yes, blocking exploitable drivers is important but there should also be a way to block apps from communicating with them if they are already installed.

    Well, from what I've read, macOS and Linux are actually better designed when it comes to this, see second link. In macOS you've got "System Integrity Protection" and in Linux you've got "Kernel Lockdown" protection. This is something that should be added to Windows too, there needs to be some kind of sandboxing system for drivers. Possible solutions that app writers can implement themselves are found in the fourth link.

    https://eclypsium.com/2019/08/10/screwed-drivers-signed-sealed-delivered/
    https://eclypsium.com/2019/11/12/mother-of-all-drivers/

    https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
    https://repnz.github.io/posts/abusing-signed-drivers/
     
  10. waking

    waking Registered Member

    Joined:
    Jan 25, 2016
    Posts:
    176
    Microsoft fixes Windows vulnerable driver blocklist sync issue

    By Sergiu Gatlan

    October 26, 2022 05:22 AM

    https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-vulnerable-driver-blocklist-sync-issue/

    "More than a month after Dormann revealed that the list of vulnerable
    drivers wasn't kept up to date on Windows 10 and some Windows Server
    systems, Microsoft has now finally addressed this issue."
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    It has probably already been mentioned, but you can also manually fix this stuff, see link. I also noticed that DefenderUI does have an option to "block abuse of exploited vulnerable signed drivers", but then this list should first be up to date of course. Strange that in Win 10 this option was never visible in the first place.

    https://learn.microsoft.com/en-us/w...trol/microsoft-recommended-driver-block-rules
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    I don't see it here on 2 Win 10 22H2 machines. I also wonder if the driver blocklist can be enabled without Memory Integrity enabled. One machine has it enabled but the other can't because of an incompatible Intel driver. Both are up to date and have the October preview update installed as well, but the setting is still not visible.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Here is another example of how hackers made use of this BYOD technique, I can't believe that Windows can't protect against this without having to use a blacklist of exploitable drivers. This is what I call bad OS design, because a driver shouldn't be able to interfere with another driver's hooks.

    Scroll to this:

    https://www.trendmicro.com/en_us/re...eal-box-apt41-new-subgroup-earth-longzhi.html
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Still not visible on both machines after the November updates. Does anyone see the option on Windows 10?
     
  15. waking

    waking Registered Member

    Joined:
    Jan 25, 2016
    Posts:
    176
    For what option exactly are you looking? Is it this one?

    [attached image: Blocklist.jpg]

    If so, note that the article clearly says:

    "Microsoft provides instructions for disabling the driver blocklist
    using a settings toggle, which does not exist in the production
    release of Windows 11 22H2, and only exists in Windows Insider builds."
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Yes, that is the one. The article also clearly says: "For Windows 10 and Windows 11 21H2, you can disable the driver blocklist by turning off 'Memory Integrity' in the 'Core Isolation' settings".
    And "Redmond has addressed the driver blocklist sync issue with the October 2022 preview updates, ensuring that the blocklist is the same across Windows 10 and 11."
    So, I assumed Windows Insider builds already had the option and when not using Insider builds you could get it by installing the October preview updates.
     
  17. waking

    waking Registered Member

    Joined:
    Jan 25, 2016
    Posts:
    176
    I read that as meaning:

    The Oct 2022 update solves the synchronization of the Blocklist
    on all versions of Windows. Win 10 and Win 11 will now be using
    the latest version of that list.

    Turning Off Memory Integrity will disable the Driver Blocklist
    checking on Win 10 including production releases.

    On Win 11 the Blocklist is enabled by default and is On even when
    Memory Integrity is Off.

    So an additional toggle switch is being added so that you can
    disable the Blocklist checking independently from the Memory
    Integrity option.

    At this point, that toggle has only been added to Win 11 Insider
    builds. While it seems clear that it is intended to be a feature
    in future Win 11 production releases, it is not so clear whether
    or not there is any intention to make it available in Win 10 builds.
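    The state waking describes (blocklist tied to Memory Integrity on Win 10, independent toggle only on Win 11 Insider) can be read off a machine directly instead of hunting for the Settings switch. This is an added example, not code from the thread or from Microsoft; the registry path/value name and the DeviceGuard CIM class are taken from Microsoft's driver-block-rules documentation as I understand it, so verify them against the linked docs. It also lists running kernel drivers with their signer, which is the inventory you need before comparing against the block rules.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on Windows 10/11.
# Assumption: registry value and CIM class names follow Microsoft's documentation.

function Get-DriverBlocklistState {
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $value = Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    [PSCustomObject]@{
        # 1 = on, 0 = off, <not set> = no explicit toggle has been written to the registry
        BlocklistValue         = if ($null -eq $value) { '<not set>' } else { $value.VulnerableDriverBlocklistEnable }
        # SecurityServicesRunning contains 2 when HVCI (Memory Integrity) is active
        MemoryIntegrityRunning = [bool]($dg.SecurityServicesRunning -contains 2)
        OSBuild                = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    }
}

function Get-RunningDriverSigners {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise kernel-style paths (\SystemRoot\..., \??\C:\...) to Win32 paths
            $path = $_.PathName -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
            $sig = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            [PSCustomObject]@{
                Name   = $_.Name
                Path   = $path
                Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned or not found>' }
                Status = if ($sig) { $sig.Status } else { 'Unknown' }
            }
        }
}

Get-DriverBlocklistState | Format-List
# Sorting by signer groups the non-Microsoft drivers together for review
Get-RunningDriverSigners | Sort-Object Signer | Format-Table -AutoSize
```

A machine with BlocklistValue "<not set>" and MemoryIntegrityRunning False matches the Win 10 case in the thread where the blocklist has no visible switch of its own.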
     
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Okay, thanks. I do hope they add the toggle to Win 10, it kinda sucks that you can't turn it on if memory integrity is off.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Holy crap, now hackers have even found a way to fool M$ into signing their malicious drivers. Windows really should be redesigned to protect against this stuff.

    https://thehackernews.com/2022/12/ransomware-attackers-use-microsoft.html

    https://www.sentinelone.com/labs/dr...-leverage-signed-malicious-microsoft-drivers/
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Here is another example of how hackers exploited a vulnerable driver from Intel:

    https://www.crowdstrike.com/blog/sc...with-bring-your-own-vulnerable-driver-tactic/
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I've been screaming that for years that they need to recode their O/S but with only crickets. Only until their business and profits take a HUGE drain in their revenue, they might do something about it. Better yet for Microsoft is sell off their Windows with its constantly vulnerable code and let them deal with it. Win win again for M$
     
  22. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    It sucks but I understand why they don't. When VB6 died we had to rewrite our applications in another programming language. It was a 6 month project that took 2 years. :eek:
     
  23. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    Frankly, I don't understand why people here are so concerned. If you:
    Don't manually install vulnerable drivers delivered by malware authors,
    And keep drivers updated, especially the more popular ones,
    And use a standard (not in the administrators group) user account,
    Then malware can't use those techniques to install drivers. And probably some vulnerable drivers are harder to abuse.

    As usual that problem isn't really a problem for people with slightly more knowledge and good digital habits/practices.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    You know, I have always found it a bit strange that operating systems like Windows seem to be programmed in a way that allows malware to take advantage of all kinds of stuff.

    Let's take ransomware for example. What if apps upon installation or loading could only get access to a limited amount of folders that they need in order to function? In other words, make those apps run sandboxed and you have solved most of the problem with ransomware and info-stealers. I guess that's what they tried to do with UWP apps, but in the end it was too complex to recode Win32 apps I guess.

    Who says we are concerned for our own machines? It's true that if you simply block loading of drivers, you should be good. The problem is that many companies are probably not monitoring drivers and especially not if they are legitimate drivers. And of course MS itself could harden the Windows kernel in a way that so called vulnerable drivers can't interfere with other drivers, with some type of sandboxing system for the kernel.
     
    Last edited: Jan 22, 2023
  25. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    Kernel lockdown does not enforce isolation between different drivers in the kernel. It enforces isolation between userspace and kernelspace.

    I'm not that familiar with macOS. I'm not sure if it is possible to i.e. change the graphics card in a current line of Apple computers and how/if macOS would handle that. I suspect they have far fewer problems with those attacks on outdated drivers, since macOS is designed to run on Apple's hardware. Even if it is still possible to do that, this would be an unsupported configuration and Apple could not care about breakage here.
    It may be like comparing apples (no pun intended) to oranges.

    It's a major Windows redesign. Major compatibility breakage. I doubt that companies producing big drivers like AMD, Nvidia, Intel GPU would gladly rewrite their drivers. And even then it would leave many devices not working on the current OS, and there may be a performance penalty etc.
    My point: it is easier said than done.
     