Slashdot Mirror
Microsoft: Windows 10 Devices Open To 'Full Compromise' From Huawei PC Driver (zdnet.com)
According to ZDNet, researchers at Microsoft have discovered a buggy Huawei utility that could have given attackers a cheap way to undermine the security of the Windows kernel. From the report: Microsoft has now detailed how it found a severe local privilege escalation flaw in the Huawei PCManager driver software for its MateBook line of Windows 10 laptops. Thanks to Microsoft's work, the Chinese tech giant patched the flaw in January. As Microsoft researchers explain, third-party kernel drivers are becoming more attractive to attackers as a side-door to attacking the kernel without having to overcome its protections using an expensive zero-day kernel exploit in Windows. The flaw in Huawei's software was detected by new kernel sensors that were implemented in the Windows 10 October 2018 Update, aka version 1809.
The kernel sensors are meant to address the difficulty of detecting malicious code running in the kernel and are designed to detect user-space asynchronous procedure call (APC) code injection from the kernel. Microsoft Defender ATP anti-malware uses these sensors to detect actions caused by kernel code that may inject code into user-mode. Huawei's PCManager triggered Defender ATP alerts on multiple Windows 10 devices, prompting Microsoft to launch an investigation. [...] The investigation led the researcher to the executable MateBookService.exe. Due to a flaw in Huawei's 'watchdog' mechanism for HwOs2Ec10x64.sys, an attacker is able to create a malicious instance of MateBookService.exe to gain elevated privileges. The flaw can be used to make code running with low privileges read and write to other processes or to kernel space, leading to a "full machine compromise." Long-time Slashdot reader shanen writes: Though the story features Huawei, there doesn't seem to be anything specific to that company there. Just innuendo that you can't trust Chinese companies, eh? "Don't throw your computer into that Chinese briar patch!" Anyway, the sordid reality is that Microsoft is the root of all evils in the Windows platform. If increasing security had been half as important as maximizing profits, then we'd be in a much better world today. All complicated software is buggy, but adding complexity for no good reason is just begging for more problems. Here's a crazy solution approach: Any OS feature that isn't used by a LARGE majority of the users should be REMOVED from the OS. Maybe that isn't strong enough. Maybe the OS should be strictly limited to what absolutely needs to be there. Guard those eggs carefully!
The kernel sensors are meant to address the difficulty of detecting malicious code running in the kernel and are designed to detect user-space asynchronous procedure call (APC) code injection from the kernel. Microsoft Defender ATP anti-malware uses these sensors to detect actions caused by kernel code that may inject code into user-mode. Huawei's PCManager triggered Defender ATP alerts on multiple Windows 10 devices, prompting Microsoft to launch an investigation. [...] The investigation led the researcher to the executable MateBookService.exe. Due to a flaw in Huawei's 'watchdog' mechanism for HwOs2Ec10x64.sys, an attacker is able to create a malicious instance of MateBookService.exe to gain elevated privileges. The flaw can be used to make code running with low privileges read and write to other processes or to kernel space, leading to a "full machine compromise." Long-time Slashdot reader shanen writes: Though the story features Huawei, there doesn't seem to be anything specific to that company there. Just innuendo that you can't trust Chinese companies, eh? "Don't throw your computer into that Chinese briar patch!" Anyway, the sordid reality is that Microsoft is the root of all evils in the Windows platform. If increasing security had been half as important as maximizing profits, then we'd be in a much better world today. All complicated software is buggy, but adding complexity for no good reason is just begging for more problems. Here's a crazy solution approach: Any OS feature that isn't used by a LARGE majority of the users should be REMOVED from the OS. Maybe that isn't strong enough. Maybe the OS should be strictly limited to what absolutely needs to be there. Guard those eggs carefully!
Here's a crazy solution approach: Any OS feature that isn't used by a LARGE majority of the users should be REMOVED from the OS. Maybe that isn't strong enough. Maybe the OS should be strictly limited to what absolutely needs to be there. Guard those eggs carefully!
While this looks to make sense at first sight, it is flawed.
Suppose there are a 100 functions that less than 5% of the users use. Removing each of them will only affect 5% of the users. Removing all of them might affect nearly 100% of them users, as each of them needs another feature to work.
I do agree on MS' bad reputation when it comes to security, but even that was not the root cause here. Their driver approval process needs might need more attention.
Or maybe something absurd as, say, open-source drivers? Ideally the whole kernel and driver stack would be OS. Maybe in the future law will require such, for safety and accountability. They can keep their other junk like office closed afaic.
A glitch a day keeps the bugs away.
Those things are all features that Windows users intentionally choose.
It doesn't excuse Huawei backdooring them without their permission. And it doesn't excuse "Long-time Slashdot reader shanen" for defending the practice with a bunch of weak propaganda.
Their software is dangerous, their hardware is even more dangerous. I don't run Windows, but I sure as hell don't want their hardware or software on networks that my data has to traverse.
Windows 10 is *the* reason I finally switched to Linux for my home PC.
Unfortunately, I can't fully escape it. All the tax software applications that run on your local PC and allow you to keep control of your files (so your tax return isn't stored on a third-party server for 7 years), run exclusively on Windows or Mac. I need such software, and for something as important as taxes I don't feel comfortable relying on WINE, so I will have a windows 10 laptop for that purpose next year.
Also, we use windows 10 at work.
But at least here, on my home PC, at least here I can win one small victory against Microsoft's invasive practices.
It would be fair to apply Hanlon's razor. Companies are quite often sloppy with security.
For additional context, "Never attribute to malice that which is adequately explained by stupidity." https://en.wikipedia.org/wiki/... just references "human behavior".
It isn't clear if you [Tabilizer] mean Microsoft, Huawei, or any just company that does something so stupid it seems malicious. Like Boeing in today's news.
As regards the narrow topic of fake vulnerabilities versus real mistakes, in previous variations of this topic I have suggested some of the desired features a planned security attack should have. Being implemented in visible code is NOT one of them. If the vulnerability can be discovered (as this one was), then only fools would rely on security by obscurity.
(1) "Security by obscurity" is widely regarded as a dead horse.
(2) Does anyone regard Huawei's engineers as a bunch of fools who would try to ride a dead horse?
We cannot completely rule out the possibility that it was a deliberately implanted flaw. In such a case, it would only be natural to limit the development team, increasing the likelihood of a "flaw in the flaw". In this story, a "flaw in the flaw" that led to detection. However it would be extremely foolish if Huawei had not subjected the code to careful scrutiny by a large team of experts, because Huawei knows that ALL of its code is going to get expert scrutiny.
BtW, I believe that most of the desired design-level features to support effective security breaches would be to create ways for attack code to be added only when needed and in ways that would cause the attack code to disappear if any suspicion was aroused.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.