Slashdot Mirror


Microsoft: Windows 10 Devices Open To 'Full Compromise' From Huawei PC Driver (zdnet.com)

According to ZDNet, researchers at Microsoft have discovered a buggy Huawei utility that could have given attackers a cheap way to undermine the security of the Windows kernel. From the report: Microsoft has now detailed how it found a severe local privilege escalation flaw in the Huawei PCManager driver software for its MateBook line of Windows 10 laptops. Thanks to Microsoft's work, the Chinese tech giant patched the flaw in January. As Microsoft researchers explain, third-party kernel drivers are becoming more attractive to attackers as a side-door to attacking the kernel without having to overcome its protections using an expensive zero-day kernel exploit in Windows. The flaw in Huawei's software was detected by new kernel sensors that were implemented in the Windows 10 October 2018 Update, aka version 1809.

The kernel sensors are meant to address the difficulty of detecting malicious code running in the kernel and are designed to detect user-space asynchronous procedure call (APC) code injection from the kernel. Microsoft Defender ATP anti-malware uses these sensors to detect actions caused by kernel code that may inject code into user-mode. Huawei's PCManager triggered Defender ATP alerts on multiple Windows 10 devices, prompting Microsoft to launch an investigation. [...] The investigation led the researcher to the executable MateBookService.exe. Due to a flaw in Huawei's 'watchdog' mechanism for HwOs2Ec10x64.sys, an attacker is able to create a malicious instance of MateBookService.exe to gain elevated privileges. The flaw can be used to make code running with low privileges read and write to other processes or to kernel space, leading to a "full machine compromise."
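The report names two artifacts, the kernel driver HwOs2Ec10x64.sys and the user-mode MateBookService.exe that its watchdog keeps alive. The following PowerShell triage script is an added example (not from the article, Microsoft or Huawei): it reports whether that driver is on disk and loaded, and flags any running MateBookService.exe instance that is unsigned, not signed by the expected vendor, or not running from a Program Files location. The expected signer string and the Program Files location are assumptions.

```powershell
# Added triage check, not from the article or from Microsoft/Huawei.
# Reports presence/state of the Huawei driver named in the report and inspects
# every running MateBookService.exe instance for signs of an unexpected copy.

$driverFile     = 'HwOs2Ec10x64.sys'
$serviceExe     = 'MateBookService.exe'
$expectedSigner = 'Huawei'   # assumption: substring expected in the Authenticode signer subject

# 1. Is the driver file on disk, and is it registered/loaded as a kernel driver service?
$driversDir = Join-Path $env:SystemRoot 'System32\drivers'
$onDisk = Get-ChildItem -Path $driversDir -Filter $driverFile -ErrorAction SilentlyContinue
if ($onDisk) {
    Write-Output ("[info] {0} present, file version {1}" -f $onDisk.FullName, $onDisk.VersionInfo.FileVersion)
} else {
    Write-Output "[info] $driverFile not found in $driversDir"
}
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$driverFile" } |
    ForEach-Object {
        Write-Output ("[info] driver service '{0}' state={1} started={2}" -f $_.Name, $_.State, $_.Started)
    }

# 2. Inspect each running MateBookService.exe: owner, parent, image path, signature.
$procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$serviceExe'"
if (-not $procs) { Write-Output "[info] no $serviceExe instance running" }

foreach ($p in $procs) {
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $user  = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { 'unknown' }
    $path  = $p.ExecutablePath
    $flags = @()

    if (-not $path) {
        $flags += 'no image path (access denied or process exited)'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $flags += "signature status $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch $expectedSigner) {
            $flags += "unexpected signer '$($sig.SignerCertificate.Subject)'"
        }
        # assumption: a legitimate copy is installed under Program Files / Program Files (x86)
        if ($path -notmatch '^[A-Za-z]:\\Program Files') { $flags += "unexpected location $path" }
    }

    $verdict = if ($flags) { 'SUSPECT: ' + ($flags -join '; ') } else { 'looks expected' }
    Write-Output ("PID {0} user={1} ppid={2} path={3} -> {4}" -f $p.ProcessId, $user, $p.ParentProcessId, $path, $verdict)
}
```

Run it from an elevated prompt so that the image path and signature of every instance can be read; a SUSPECT line is a starting point for investigation, not proof of compromise.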
Long-time Slashdot reader shanen writes: Though the story features Huawei, there doesn't seem to be anything specific to that company there. Just innuendo that you can't trust Chinese companies, eh? "Don't throw your computer into that Chinese briar patch!" Anyway, the sordid reality is that Microsoft is the root of all evils in the Windows platform. If increasing security had been half as important as maximizing profits, then we'd be in a much better world today. All complicated software is buggy, but adding complexity for no good reason is just begging for more problems. Here's a crazy solution approach: Any OS feature that isn't used by a LARGE majority of the users should be REMOVED from the OS. Maybe that isn't strong enough. Maybe the OS should be strictly limited to what absolutely needs to be there. Guard those eggs carefully!

17 of 112 comments

  1. Not sure if it’s a “flaw” by UnknowingFool · · Score: 5, Insightful

    Personally I’m highly suspicious of Huawei and I don’t think this was a flaw. “Intended design” is what I suspect is a better description.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
    1. Re:Not sure if it’s a “flaw” by shanen · · Score: 5, Interesting

      It would be fair to apply Hanlon's razor. Companies are quite often sloppy with security.

      For additional context, "Never attribute to malice that which is adequately explained by stupidity." https://en.wikipedia.org/wiki/... just references "human behavior".

      It isn't clear if you [Tabilizer] mean Microsoft, Huawei, or just any company that does something so stupid it seems malicious. Like Boeing in today's news.

      As regards the narrow topic of fake vulnerabilities versus real mistakes, in previous variations of this topic I have suggested some of the desired features a planned security attack should have. Being implemented in visible code is NOT one of them. If the vulnerability can be discovered (as this one was), then only fools would rely on security by obscurity.

      (1) "Security by obscurity" is widely regarded as a dead horse.

      (2) Does anyone regard Huawei's engineers as a bunch of fools who would try to ride a dead horse?

      We cannot completely rule out the possibility that it was a deliberately implanted flaw. In such a case, it would only be natural to limit the development team, increasing the likelihood of a "flaw in the flaw". In this story, a "flaw in the flaw" that led to detection. However it would be extremely foolish if Huawei had not subjected the code to careful scrutiny by a large team of experts, because Huawei knows that ALL of its code is going to get expert scrutiny.

      BTW, I believe that most of the desired design-level features to support effective security breaches would be to create ways for attack code to be added only when needed and in ways that would cause the attack code to disappear if any suspicion was aroused.

      --
      Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
    2. Re:Not sure if it’s a “flaw” by BlackOverflow · · Score: 2

      I watched the whole video you linked and nowhere in it was the CIA mentioned.

    3. Re:Not sure if it’s a “flaw” by dissy · · Score: 2

      Does anyone regard Huawei's engineers as a bunch of fools who would try to ride a dead horse?

      Well, yes :P
      But seriously though, I agree this is almost certainly just a mistake/flaw.

      One thing I have noticed time and time again, people/teams that are strong at designing hardware are generally utter garbage at designing software, and people/teams that are strong at designing software are generally utter garbage at anything hardware.

      Each of those is a vast superset of knowledge, skills, and many subsets that are highly specialized in their own right.
      It is the exception instead of the rule to find a well suited team of teams with excellent hardware designers, excellent programmers, and excellent translation between them.

      Fortunately for many cases we have enough standardized abstraction these days to keep our complex and integrated systems from toppling over more often than not. But there are plenty of situations where that isn't as true.

      I don't have any Huawei made computers, so can't say if this "PCManager" named driver would be one of these or not, but if it really is at the level akin to a set of chipset/motherboard/bios drivers then odds are very high that this wasn't malice, but a result of either their hardware people attempting to write code with expected results, or programmers that are incompetent in their own right.

      If on the other hand this software is more akin to typical bloatware crap OEMs seem to love pre-installing, odds are still high it was the result of incompetence, but arguably for a task that wasn't required in the first place, let alone that ended up happening.
      This is a completely different complaint of course than accusing them of maliciousness, but a valid complaint still (IMHO).

      Lastly, I can't tell if Tabilizer meant Microsoft either, but I don't think this result is wrong on their end in any way, especially as some other people here have claimed.

      Kernel drivers having access to the kernel isn't a flaw.
      Kernel drivers being limited or restricted is also not a flaw, but a design choice.
      A choice I don't even fault them for making, even if such segmentation was my own preference, which for the record I'm not sure would be.

      For me I think I'd prefer to choose what drivers to trust based on me using them or not, rather than live with the consequences of that level of segmentation in the kernel and all of the slowdowns and limitations that would come with it.

    4. Re:Not sure if it’s a “flaw” by shanen · · Score: 2

      Complicated comment, but I think I mostly agree with you. I do think you could have made a couple of points more clearly.

      Some parts of your comment are actually related to a longish comment I just wrote about "Clippy", so help me gawd. Essentially I'm saying the OS should stay out of my way. Clippy's mortal sin was the opposite, since Clippy was constantly getting in the way, but the underlying idea was actually a good one.

      I would say that what we have now is the worst of all possible worlds. We have just a few gigantic OSes packed with obscure features that most of us never need. However because those features are embedded at the OS level, whatever security vulnerabilities those features contain are EVERYWHERE. Perhaps I'm stretching the metaphor, but Mother Nature doesn't work that way, and she has billions of years of experience in really complicated programming (with DNA).

      (Currently reading The Gene by Siddhartha Mukherjee, and have already read enough to recommend it rather strongly.)

      --
      Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
  2. Windows 10 Compromised by Default by rtb61 · · Score: 2, Insightful

    Wait up there, Windows 10 is compromised by default. It includes software that invades your privacy, analyses your data and your internet access and does not inform you what it sends and specifically purposefully has been done in a way to block users from turning it off reliably (they shit cunts routinely turn it back on, purposefully). It forces the install of programs without user choice and that includes altering defaults, running advertisements and basically turning over control of that 'NOT-personal computer', to a blatantly corrupt for profit corporation, as a conspiracy between that 'CUNT' corporation and the equally corrupt USA government.

    --
    Chaos - everything, everywhere, everywhen
    1. Re:Windows 10 Compromised by Default by Aighearach · · Score: 3, Interesting

      Those things are all features that Windows users intentionally choose.

      It doesn't excuse Huawei backdooring them without their permission. And it doesn't excuse "Long-time Slashdot reader shanen" for defending the practice with a bunch of weak propaganda.

      Their software is dangerous, their hardware is even more dangerous. I don't run Windows, but I sure as hell don't want their hardware or software on networks that my data has to traverse.

    2. Re:Windows 10 Compromised by Default by Anonymous Coward · · Score: 2, Interesting

      Windows 10 is *the* reason I finally switched to Linux for my home PC.

      Unfortunately, I can't fully escape it. All the tax software applications that run on your local PC and allow you to keep control of your files (so your tax return isn't stored on a third-party server for 7 years), run exclusively on Windows or Mac. I need such software, and for something as important as taxes I don't feel comfortable relying on WINE, so I will have a Windows 10 laptop for that purpose next year.

      Also, we use Windows 10 at work.

      But at least here, on my home PC, at least here I can win one small victory against Microsoft's invasive practices.

    3. Re:Windows 10 Compromised by Default by DigressivePoser · · Score: 2

      and for something as important as taxes I don't feel comfortable relying on WINE, so I will have a Windows 10 laptop for that purpose next year.

      I run a Windows 10 VM on my Linux Mint system. Works just fine with my H&R Block tax software. Also use that VM to keep track of my finances with Microsoft Money. The nice thing about that is that both Windows 10 and Money don't cost anything. It's all legal. Money is free from Microsoft and Windows 10 lets you use it without "activating" it. Just some subtle nags and limited customization. If there are major features disabled, I haven't come across them yet.

      Also have non-activated Windows 10 on a separate hard drive I dual boot into for those apps that need full system performance - like games and Photoshop.

  3. Microsoft has been improving their security postur by clay_buster · · Score: 4, Insightful

    None of your comments have anything to do with the problem that Microsoft found. The folks in Redmond have put a lot of work into Windows 10 security while trying to retain the current partner ecosystem and backwards compatibility.

  4. Flawed assumption by xonen · · Score: 3, Interesting

    Here's a crazy solution approach: Any OS feature that isn't used by a LARGE majority of the users should be REMOVED from the OS. Maybe that isn't strong enough. Maybe the OS should be strictly limited to what absolutely needs to be there. Guard those eggs carefully!

    While this looks to make sense at first sight, it is flawed.

    Suppose there are 100 functions that less than 5% of the users use. Removing each of them will only affect 5% of the users. Removing all of them might affect nearly 100% of the users, as each of them needs another feature to work.

    I do agree on MS' bad reputation when it comes to security, but even that was not the root cause here. Their driver approval process might need more attention.

    Or maybe something absurd as, say, open-source drivers? Ideally the whole kernel and driver stack would be OS. Maybe in the future law will require such, for safety and accountability. They can keep their other junk like office closed afaic.

    --
    A glitch a day keeps the bugs away.
  5. Either way, driver are a problem. Virtualization by raymorris · · Score: 5, Insightful

    Malice, negligence or just "shit happens", low-level hardware drivers are a problem. The protection is pretty much the same no matter how the vulnerability got there.

    Hardware drivers and the kernel require powerful capabilities - and are responsible for ENFORCING security policy. Since they control security, they can't be controlled by it.

    At one point people developed the idea of the microkernel as a theoretical way of reducing the attack surface. In practice, that evolved into virtualization - the hardware drivers being separate from the application software, to the extent of being two separate operating systems. Virtualization gives a good layer of security (though nothing is perfect).

    Another good solution is exemplified by USB 2.0, where the hardware driver is stored within the hardware itself, as firmware, and totally separate from the operating system. The OS trusted driver need only be a generic driver that can talk to that class of hardware via a standard interface protocol.

    Thunderbolt goes the opposite way, exposing your PCI-E bus to externally connected devices, giving them the same level of trust as internal parts.

  6. Less freedom is good by Waccoon · · Score: 2

    Long-time Slashdot reader shanen writes:
    Any OS feature that isn't used by a LARGE majority of the users should be REMOVED from the OS.

    Yeah... fuck you. Every piece of software is being gimped like crazy to cater to the lowest common denominator, and features I need are being wiped out every day in the name of improving my experience. Microsoft already requires signed drivers, so whatever happened here is purely a political problem, not a technical one.

    If Huawei is installing some stupid "helper" that fucks up the machine, I won't buy a Huawei. I'll build the machine myself and use an OEM copy of Windows, just as I have been doing for the last 20+ years. The last thing I want is for Microsoft to lock down the system even more to ensure I have even less control of my machine.

    For the record, I stopped upgrading at Win7. I won't touch Win10 with a barge pole.

    1. Re:Less freedom is good by AmiMoJo · · Score: 2

      Signed drivers are a good thing, they stop random malware installing drivers on your system. Defence in depth.

      They actually improve the quality of some products too. For example if you want to make a new USB widget you have a choice: custom driver that has to be signed and requires a UAC prompt to install/update, or use one of the built-in drivers like WinUSB or HID. That encourages manufacturers not to make their own crap drivers.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  7. VMware and Cisco anyone? by LostMyBeaver · · Score: 2

    Please feel free to visit the latest Linux Kernel tree (or any for several years) and audit the code for the included ESXi drivers (memory management and network specifically) as well as the Cisco VIC network and SCSI driver code.

    It took me an average of 3 minutes between finding attack vectors thanks to VMware's half-assed code that should have been completely rewritten years ago. Now, if you can't find a vulnerability using the ESXi drivers in the Linux code base, you probably shouldn't be allowed near a computer.

    The Cisco VIC adapter code is so much better... you not only can find endless numbers of vulnerabilities, but you can actually upload entire new operating systems to the VIC adapters in nearly all Cisco servers (especially HyperFlex) and you can even change the boot firmware by disabling authenticity checks in the driver code. The end result being that you could easily permanently place undetectable backdoors that would require hardware replacement to correct into the VIC adapter.

    Even better... as a bonus, I'm quite confident that on VMware, from a guest machine using VMFEX network adapters with Cisco VICs, it should be possible to change the hardware firmware of the VIC adapters ... which include entire built-in processors for SCSI and RDMA... so that you could pretend to be one of the VMs and communicate to anywhere you want and even issue SCSI requests to the SAN directly over network protocols that can't be monitored on Cisco switches.

    None of this is intentional... it's all because no one takes the time to clean up after their own messes.

    1. Re:VMware and Cisco anyone? by AmiMoJo · · Score: 2

      Did you report those vulnerabilities to anyone? VMware has an email address (security@vmware.com) you can use. Are there any CVEs we can look at?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  8. Re:Either way, driver are a problem. Virtualizatio by Vlad_the_Inhaler · · Score: 2

    As to malice, that seems highly unlikely, as this issue would have been better hidden. In particular, the attacker would have made sure these "sensors" do not detect it.

    I have to point out that the "sensors" were new, so malice is still an option. Of course there were beta versions of Windows Update 1809 before the actual update came out; a true malicious operator would have had time to attempt an update to the driver to at least hide the side-door.
    FWIW, I'll vote for a screwup.

    --
    Mielipiteet omiani - Opinions personal, facts suspect.