Security Flaw in Microsoft Signed Drivers


An insecure driver can be just what an attacker needs to get a foot in the door of a Windows environment. Compromised drivers have been a massive security headache, from the recent Slingshot APT campaign to the LoJax malware. Researchers at Eclypsium released a report on what they see as a dire security problem: insecure drivers digitally signed by reputable firms such as Microsoft. Eclypsium's researchers Mickey Shkatov and Jesse Michael showed that the problem of insecure drivers is widespread, affecting more than 40 drivers from at least 20 different vendors, all of them certified by Microsoft.

These vulnerabilities allow the driver to act as a proxy for highly privileged access to hardware resources and can give access to OS kernel mode. The vulnerabilities are widespread, impacting major BIOS vendors as well as hardware sold by ASUS, Toshiba, NVIDIA and Huawei. The researchers first found the issue in April, when they identified 40 insecure drivers representing 20 vendors, and gave the companies a 90-day window to fix the issues. All 40 drivers are unique and signed by two separate vendors. Some of the most dangerous attack scenarios are arbitrary read/write of kernel memory, arbitrary read/write of model-specific registers (MSRs), and arbitrary read/write of physical memory, as each of these can be used to achieve arbitrary code execution within the Windows kernel.


Researchers added that arbitrary hardware access via an insecure driver can allow malicious modification of firmware components, resulting in persistent subversion of existing Windows AV protection. One such case happened in March when Huawei MateBook systems included a rogue driver that let unprivileged users create processes with superuser privileges.

What makes this problem ominous is the assumption that firms such as Microsoft are watching for insecure drivers. Vendors think Microsoft is checking for this, and it is not; Microsoft thinks vendors are delivering secure code. This is a common software design anti-pattern: rather than making the driver perform only specific tasks, it is written in a flexible way so it will perform arbitrary actions on behalf of userspace. It is easier to develop software by structuring drivers and applications this way, but it opens the system up to exploitation. Just because a driver is signed and certified does not mean it is safe.

Microsoft needs to take action by blacklisting insecure drivers in Windows, either for all users or for specific CPU generations, the same action it took for the vulnerable Capcom driver. Game maker Capcom released the popular Street Fighter V for PCs in 2016 with a secret rootkit that gave any installed application kernel-level privileges. In the case of the Huawei MateBook systems, it was Microsoft that found the bad driver that opened systems to attack.
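Until such a blocklist ships with Windows, a defender can keep a local one. The following PowerShell script is an added example, not code from the Eclypsium report or this article: it inventories the kernel drivers currently running on a Windows host, records each one's Authenticode signer and SHA-256, and flags any whose hash appears in a blocklist file you maintain. The blocklist path and its one-hash-per-line format are assumptions; the script does not claim that a valid signature means a driver is safe.

```powershell
# Added example: inventory running kernel drivers and flag blocklisted hashes.
# Assumed blocklist: a text file with one lowercase SHA-256 per line (placeholder path).
$blocklistPath = 'C:\SecOps\insecure-driver-sha256.txt'
$blocklist = @{}
if (Test-Path -LiteralPath $blocklistPath) {
    Get-Content -LiteralPath $blocklistPath |
        Where-Object { $_ -match '^[0-9a-fA-F]{64}$' } |
        ForEach-Object { $blocklist[$_.ToLower()] = $true }
}

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName may carry NT-style prefixes; map them to Win32 paths.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

$report = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }   # skip unresolvable images
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        [pscustomobject]@{
            Driver      = $_.Name
            Path        = $path
            SigStatus   = $sig.Status          # Valid/NotSigned/... (not a safety verdict)
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            Sha256      = $hash
            OnBlocklist = $blocklist.ContainsKey($hash)
        }
    }

# Blocklist hits first; a "Valid" signature next to OnBlocklist=True is exactly the case the report describes.
$report | Sort-Object OnBlocklist -Descending |
    Format-Table Driver, SigStatus, OnBlocklist, Signer -AutoSize
$report | Where-Object OnBlocklist |
    Export-Csv -NoTypeInformation -LiteralPath "$env:TEMP\blocklisted-drivers.csv"
```

Run it from an elevated PowerShell session so every driver image is readable; the CSV in `$env:TEMP` lists only the blocklist matches for follow-up.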