Malicious Microsoft Drivers Could Number in the Thousands: Cisco Talos
An anonymous reader shared Thursday's report from eSecurity Planet: After Microsoft warned earlier this week that some drivers certified by the Windows Hardware Developer Program (MWHDP) are being leveraged maliciously, a Cisco Talos security researcher said the number of malicious drivers could number in the thousands. Talos researcher Chris Neal discussed how the security problem evolved in a blog post. "Starting in Windows Vista 64-bit, to combat the threat of malicious drivers, Microsoft began to require kernel-mode drivers to be digitally signed with a certificate from a verified certificate authority," Neal wrote. "Without signature enforcement, malicious drivers would be extremely difficult to defend against as they can easily evade anti-malware software and endpoint detection." Beginning with Windows 10 version 1607, Neal said, Microsoft has required kernel-mode drivers to be signed by its Developer Portal. "This process is intended to ensure that drivers meet Microsoft's requirements and security standards," he wrote. Still, there are exceptions - most notably, one for drivers signed with certificates that expired or were issued prior to July 29, 2015. If a newly compiled driver is signed with non-revoked certificates that were issued before that date, it won't be blocked. "As a result, multiple open source tools have been developed to exploit this loophole," Neal wrote. And while Sophos reported that it had uncovered more than 100 malicious drivers, Neal said Cisco Talos "has observed multiple threat actors taking advantage of the aforementioned Windows policy loophole to deploy thousands of malicious, signed drivers without submitting them to Microsoft for verification...." "Microsoft, in response to our notification, has blocked all certificates discussed in this blog post," he noted.
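As an added defender-side triage check, not code from the eSecurity Planet report or the Talos post: this PowerShell snippet (assumes a Windows host with PowerShell 5.1 or later) lists the installed kernel drivers whose signer certificate's validity period began before the July 29, 2015 cut-off, which is the population the policy exception admits without Developer Portal signing. The `$cutoff` constant and the output field names are this example's own choices.

```powershell
# Added example: inventory kernel drivers signed with pre-2015-07-29 certificates.
# A hit is a triage lead, not proof of malice: many legitimate vendor drivers
# still carry certificates that were issued before the cut-off.
$cutoff = [datetime]'2015-07-29'

Get-CimInstance Win32_SystemDriver |
  Where-Object { $_.PathName } |
  ForEach-Object {
    # PathName may appear as \??\C:\... or \SystemRoot\...; normalise to a plain path
    $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { return }

    # Get-AuthenticodeSignature resolves embedded and catalog signatures
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $cert = $sig.SignerCertificate
    if ($cert -and $cert.NotBefore -lt $cutoff) {
      [pscustomobject]@{
        Driver     = $_.Name
        Path       = $path
        Signer     = $cert.Subject
        CertIssued = $cert.NotBefore   # start of validity, i.e. issuance date
        CertExpiry = $cert.NotAfter    # expired certs are still covered by the exception
        Status     = $sig.Status       # Valid, NotSigned, HashMismatch, ...
      }
    }
  } | Sort-Object CertIssued | Format-Table -AutoSize
```

Review the resulting list against the vendor you expect for each driver and against the certificates Microsoft has since blocked; an unfamiliar signer on a recently written driver file is the pattern the report describes.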
Read more of this story at Slashdot.