Microsoft: Windows 10 Devices Open To 'Full Compromise' From Huawei PC Driver (zdnet.com)
According to ZDNet, researchers at Microsoft have discovered a buggy Huawei utility that could have given attackers a cheap way to undermine the security of the Windows kernel. From the report: Microsoft has now detailed how it found a severe local privilege escalation flaw in the Huawei PCManager driver software for its MateBook line of Windows 10 laptops. Thanks to Microsoft's work, the Chinese tech giant patched the flaw in January. As Microsoft researchers explain, third-party kernel drivers are becoming more attractive to attackers as a side-door to attacking the kernel without having to overcome its protections using an expensive zero-day kernel exploit in Windows. The flaw in Huawei's software was detected by new kernel sensors that were implemented in the Windows 10 October 2018 Update, aka version 1809.
The kernel sensors are meant to address the difficulty of detecting malicious code running in the kernel and are designed to detect user-space asynchronous procedure call (APC) code injection from the kernel. Microsoft Defender ATP anti-malware uses these sensors to detect actions caused by kernel code that may inject code into user-mode. Huawei's PCManager triggered Defender ATP alerts on multiple Windows 10 devices, prompting Microsoft to launch an investigation. [...] The investigation led the researcher to the executable MateBookService.exe. Due to a flaw in Huawei's 'watchdog' mechanism for HwOs2Ec10x64.sys, an attacker is able to create a malicious instance of MateBookService.exe to gain elevated privileges. The flaw can be used to make code running with low privileges read and write to other processes or to kernel space, leading to a "full machine compromise." Long-time Slashdot reader shanen writes: Though the story features Huawei, there doesn't seem to be anything specific to that company there. Just innuendo that you can't trust Chinese companies, eh? "Don't throw your computer into that Chinese briar patch!" Anyway, the sordid reality is that Microsoft is the root of all evils in the Windows platform. If increasing security had been half as important as maximizing profits, then we'd be in a much better world today. All complicated software is buggy, but adding complexity for no good reason is just begging for more problems. Here's a crazy solution approach: Any OS feature that isn't used by a LARGE majority of the users should be REMOVED from the OS. Maybe that isn't strong enough. Maybe the OS should be strictly limited to what absolutely needs to be there. Guard those eggs carefully!
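An added defender-side inventory script, not from the article, Microsoft or Huawei: it lists the running kernel drivers on a Windows 10 host, marks the ones whose signer is not Microsoft (the third-party driver surface the summary describes), and flags the Huawei driver named above if it is loaded. The driver file name comes from the summary; the Microsoft-signer heuristic and the helper Resolve-DriverPath are my own assumptions.

```powershell
# Added example: inventory running kernel drivers, mark non-Microsoft signers,
# and flag HwOs2Ec10x64.sys (name from the article) if present. Run elevated.
$flagged = 'HwOs2Ec10x64.sys'   # the article gives no version number, so none is asserted

function Resolve-DriverPath {
    # Assumed helper: normalise the PathName forms Win32_SystemDriver returns.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''            # strip "\??\" prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot  # expand \SystemRoot
    if ($p -notmatch '^[A-Za-z]:') { $p = Join-Path $env:SystemRoot $p }  # bare "system32\drivers\x.sys"
    return $p
}

$report = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $signer = $null; $version = $null
        if ($path -and (Test-Path $path)) {
            $sig     = Get-AuthenticodeSignature -FilePath $path
            $signer  = $sig.SignerCertificate.Subject
            $version = (Get-Item $path).VersionInfo.FileVersion
        }
        [pscustomobject]@{
            Driver     = $_.Name
            File       = if ($path) { Split-Path $path -Leaf } else { '(unknown)' }
            Version    = $version
            Signer     = $signer
            # Coarse heuristic: treat anything whose signer subject lacks "Microsoft" as third-party.
            ThirdParty = -not ($signer -like '*Microsoft*')
            Flagged    = [bool]($path -and ((Split-Path $path -Leaf) -ieq $flagged))
        }
    }

# Third-party drivers are the attack surface the article describes; show them first.
$report | Sort-Object Flagged, ThirdParty -Descending | Format-Table -AutoSize

$hit = $report | Where-Object Flagged
if ($hit) {
    Write-Warning "$flagged is loaded (file version $($hit.Version)); confirm it carries Huawei's January fix via Huawei PCManager updates."
} else {
    Write-Host "$flagged is not loaded on this host."
}
```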
Personally I’m highly suspicious of Huawei and I don’t think this was a flaw. “Intended design” is what I suspect is a better description.
Well, there's spam, egg, sausage and spam; that's not got much spam in it.
Wait up there, Windows 10 is compromised by default. It includes software that invades your privacy, analyses your data and your internet access and does not inform you what it sends, and it has specifically and purposefully been done in a way to block users from turning it off reliably (those shit cunts routinely turn it back on, purposefully). It forces the install of programs without user choice, and that includes altering defaults, running advertisements and basically turning over control of that 'NOT-personal computer' to a blatantly corrupt for-profit corporation, as a conspiracy between that 'CUNT' corporation and the equally corrupt USA government.
Chaos - everything, everywhere, everywhen
None of your comments have anything to do with the problem that Microsoft found. The folks in Redmond have put a lot of work into Windows 10 security while trying to retain the current partner ecosystem and backwards compatibility.
Malice, negligence or just "shit happens": low-level hardware drivers are a problem. The protection is pretty much the same no matter how the vulnerability got there.
Hardware drivers and the kernel require powerful capabilities - and are responsible for ENFORCING security policy. Since they control security, they can't be controlled by it.
At one point people developed the idea of the microkernel as a theoretical way of reducing the attack surface. In practice, that evolved into virtualization - the hardware drivers being separate from the application software, to the extent of being two separate operating systems. Virtualization gives a good layer of security (though nothing is perfect).
Another good solution is exemplified by USB 2.0, where the hardware driver is stored within the hardware itself, as firmware, and totally separate from the operating system. The OS-trusted driver need only be a generic driver that can talk to that class of hardware via a standard interface protocol.
Thunderbolt goes the opposite way, exposing your PCI-E bus to externally connected devices, giving them the same level of trust as internal parts.
Microkernels are looking better all the time.
The world's burning. Moped Jesus spotted on I50. Details at 11.