Microsoft gave its digital imprimatur to a rootkit that decrypted encrypted communications and sent them to attacker-controlled servers, the company and outside researchers said.
The blunder allowed the malware to be installed on Windows machines without users receiving a security warning or needing to take additional steps. For the past 13 years, Microsoft has required third-party drivers and other code that runs in the Windows kernel to be tested and digitally signed by the OS maker to ensure stability and security. Without a Microsoft certificate, these types of programs can’t be installed by default.
One of the reasons Windows 11’s hardware requirements are so stringent is because Microsoft wants to force Trusted Platform Modules and Secure Boot down everyone’s throat, in the name of security. This way, Windows users can feel secure in knowing Microsoft looks out for them, and will prevent malware and viruses from…
I can’t keep writing this with a straight face.
I still think the signing of apps and drivers is a good thing. I absolutely hate the Windows XP reasoning that all drivers need to be accepted, which is the reason Windows XP allowed applications to install unsigned kernel drivers without even warning the user about it (which led to the Sony XCP rootkit, the Sony MicroVault rootkit and other nasty hard-to-remove and hard-to-detect malware). You know your OS sucks security-wise when even paid software uses malware tactics because employing malware tactics is just too easy. At least with signing, bad actors (and their drivers) can be blacklisted.
Also, there is a case to be made for SecureBoot (bootloader malware is a thing), as long as it can be disabled easily by the user and is not required for upgrades and custom builds.
TPM is pretty much security theater. Bitlocker will allow you to have an encrypted drive by using a USB drive as the token, so you don’t even need TPM for using Bitlocker.
So, overall, I liked Microsoft’s security improvements made from Windows Vista to Windows 10 (including enforcing driver signatures); it’s the Windows 11 security theater I don’t like.
kurkosdr,
Signing isn’t the problem, signing is an effective cryptographic tool regardless of the operating system. The problem is when a manufacturer uses cryptographic tools to usurp owner rights on our own machines. It’s similar to the problems with secure boot where hundreds of millions of computers have microsoft keys pre-installed in the UEFI BIOS. This feature was not designed to improve user security, at least not well. It was designed to increase vendor control over what owners are allowed to boot. Luckily for us there was enough outrage at the time that microsoft imposed windows 8 requirements to give owners the ability to turn off secure boot (on x86), but since then MS has quietly reneged.
Ostensibly secure boot is applauded for improving boot security, but the way it’s been adopted in practice has created a huge and unmanageable attack surface. Consider that now even linux distros are compelled to apply to microsoft to be able to run under their de facto standard keys. Not only does this create an ugly dependency on microsoft as a gatekeeper, but a vulnerability in any of the signed operating systems (including older defunct ones) can be used to defeat secure boot for most PCs. Using microsoft’s key? If so then guess what…it doesn’t matter which operating system you use, your computer’s secure boot can now be defeated using the vulnerabilities in a signed version of windows or linux or whatever other bootloader utilities microsoft has signed.
So I would not say that signing is the fundamental problem, but it becomes problematic when it’s not designed around owner’s policy needs, which can have a negative effect on both owner security and control.
I agree with your complaints about Secure Boot. There is a case to be made about Secure Boot improving boot security, but it needs to be implemented without compromising user freedom. The fact Microsoft is the gatekeeper (I didn’t know that btw) and the fact you have to get a Microsoft certificate, or the fact it’s not guaranteed to be disable-able after Windows 8 are clear indications this is not the case.
kurkosdr,
Yeah I am in agreement with your point here. But for background I strongly opposed microsoft imposing its own self-serving security policy because it affected my ability to run my own code on my own hardware. I realize kernel dev is rather niche, but the windows drivers I had written myself stopped working at the time, and it pissed me off that I would have to pay for yearly corporate code certificates to run my own drivers on my own machines. I believe a lot of FOSS developers had a very similar experience. Instead of going down that route it gave me the push I needed to switch to linux, which I did.
I really do think strong, simple, and empowering cryptographic code signing standards are desirable and achievable (and to be honest I think linux could do better here). But unfortunately the vendors and standards bodies in charge have been very one sided with nobody truly representing owner interests. Consequently we often end up with security improvements that put ever more control over our hardware in the hands of corporations, which is costly to our autonomy and freedoms as owners IMHO.
If you are a kernel dev, you are probably computer-savvy enough to find the advanced boot option that disables signature enforcement.
If you want to distribute your driver to others, yes you have to get it signed, that’s kind of the whole point.
kurkosdr,
It’s VERY frustrating if you’ve written driver code for your own computer.
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/test-signing
Even if you can use it, this option is insecure and completely falls short of what’s actually needed, which is to give owners an elegant way to manage their own certificates on their own machines.
No actually, the problem wasn’t that the drivers weren’t “signed”, but that your self-signed drivers wouldn’t be trusted (ie because you did not pay for a corporate code signing certificate, which cost several hundred dollars per year and was not available to personal developers in those years, so you’d additionally have to register your own company and deal with the responsibility of that).
Consider HTTPS certificates, you as a developer are free to use your own certificates, but they will NOT be trusted by browsers by default, which is good. However owners can choose to trust your individual certificate or your CA. Usually there are plenty of browser warnings & hoops, which I’m fine with. Note that self-signed certificates can still be secure and at no point are you ever coerced into disabling certificate checks across the board when you use your own certificate.
Incidentally there was a 3rd party windows tool (which was appropriately signed by the way) that gave owners this ability to control the code signatures that they wanted to trust. This was perfect for independent FOSS projects and was far more secure than just allowing all unsigned drivers (via BCDedit or F8 option). IMHO it’s pathetic to limit owners to this. Just because I want MY drivers to run doesn’t mean I want to allow unauthorized drivers to run as well. Anyways this tool fixed that, however microsoft repeatedly revoked the tool’s certificate so it was discontinued. The reason administrators don’t have strong code signing management tools in windows isn’t because nobody’s built it, it’s because microsoft doesn’t allow it.
Ironically as this article points out, microsoft’s model isn’t all that secure because it exposes us to an attack surface comprised of all the certificates ever approved. Knowledgeable owners would be far more secure if we had the option to only run the drivers for vendors and hardware that we actually use. Personally I’d rather be prompted when a new company’s drivers are loaded rather than windows just merrily running them automatically just because they obtained a code signing certificate. In other words, windows doesn’t allow my trust bubble to be narrower than microsoft’s, which is huge.
I don’t understand what the issue is, I used the method described here:
https://www.maketecheasier.com/install-unsigned-drivers-windows10/
to load an Nvidia driver with a modified .ini file (because Alienware/Dell used to have their own vendor ID until 2013, which meant either doing this trick or using their vintage drivers from their website which were several years old, fortunately, they dropped this nonsense from 2014 for the same model). Long story short, I loaded the driver once using the advanced boot options and that was it, I never had to enter advanced boot options again.
I guess you want to install different versions of the driver while dev-ing, in which case, you are a developer and you should be able to do the inconvenient/hacky bits.
No, I don’t think anyone other than Microsoft should provide root certificates for signing Windows drivers. This gives an amount of official cover to third-parties with zero oversight. I understand the need for multiple root certificate providers in the EFI, but Microsoft should be able to control what is considered a signed driver on their OS, so anything else has to be loaded as an unsigned driver, making the security considerations clear to users.
kurkosdr,
All of those make us less secure.
We agree, but that’s not what anyone is asking for.
On a side note though you may remember the NSA key that used to be included in windows right alongside microsoft’s primary and backup root certificates. And while this specific incident is ancient history it does highlight that microsoft’s idea of trust may not align with our own. Owners should have some oversight over the chain of trust on their own hardware.
> Microsoft is the gatekeeper [..] not guaranteed to be disable-able after Windows
Is anyone making that argument as a case of anti-trust and/or “collusion” between MS and PC manufacturers? Given how “big-for-the-sake-of-being-big averse” the Biden administration appears..
https://download.microsoft.com/download/7/8/8/788bf5ab-0751-4928-a22c-dffdc23c27f2/Minimum%20Hardware%20Requirements%20for%20Windows%2011.pdf
Please note the TPM requirement is truly a double standard.
–A UEFI firmware option to turn off the TPM is not required. Upon approval from Microsoft, OEM systems for special purpose commercial systems, custom order, and customer systems with a custom image are not required to ship with a TPM support enabled.–
Yes, as an OEM, if you go and kiss the Microsoft magic ring you can get permission to make a new system missing TPM 2.0 completely. This raises a big question: if Windows 11 really does not need TPM 2.0 to function, why is it forced?
Thom Holwerda, we need this question asked of Microsoft directly. Yes, if your own system design documents say Windows 11 can operate without TPM 2.0, why can you not grant this to those with existing systems with TPM 2.0 turned off or missing TPM 2.0? The motherboard I have happens to have a reset switch for firmware settings, so if you overclock the RAM too far or otherwise, you press the button and it resets. Guess what state it resets into: TPM 2.0 off. So yes, my system has TPM 2.0 support and a correct-generation CPU; the problem is the firmware would not make putting Windows 11 on it with mandatory TPM 2.0 a good idea, just in case someone presses that button.
Mandating a change in feature mode in new hardware is one thing. Mandating a feature change in old existing hardware is a totally different matter and is normally problematic. Please note Microsoft’s own design requirements for Windows 11 do not mandate that all new hardware has TPM 2.0 at all, because you can ask for permission not to have it when making new hardware. This really does invalidate Microsoft’s reason to push it, because they should be doing the work for a system without TPM 2.0 anyway, to support all the hardware they are allowing as new.
Hahaha, good ol’ Microsoft. They want to be like Apple and be jerks to their users on a whim, but then someone from accounting reminds them they also have business customers to serve (unlike Apple, which doesn’t). So they will go ahead and create a special option to turn off the jerk bits and only make it available to business customers. It has happened with Windows XP, when it became clear that some customers needed more time to upgrade and Microsoft went ahead and extended the end-of-support to 2019 for POSReady customers only (aka only if you knew which registry setting to modify). It has happened with Windows 10, where they provided a special LTSC version without all the tracking and forced updates. And it’s happening now with Windows 11 and TPM 2.0.
Why am I not surprised?
Sorry to say I am not surprised either. It’s about time the media started learning to check the Microsoft OEM requirements and then to start publicly questioning Microsoft why in hell they are doing a harmful double standard over and over again.
Seems like MS wants to be able to say to content providers that they truly hold the keys to encryption on the consumer system. Can’t have Joe Random having options that are less legit. Corporations usually aren’t interested in torrenting the latest and greatest.
3. 2. 1. Torrents of the non-gimped Windows 11 coming to a piratebay near you.
r_a_trip,
That’s true, this is very useful for DRM and it wouldn’t be the first time microsoft has inconvenienced users for the purposes of restricting them.
Well, the chances they can make the technology without bugs & vulnerabilities is slim, but I think it’s important to note that “remote attestation” is theoretically a game changer for coercive owner control mechanisms. The code & keys used to decrypt content no longer needs to be implicitly exposed on the local machine. It can run in a secure enclave that is impervious to normal software debugging and reverse engineering techniques. So while you can modify your local copy of windows, remote attestation will detect these modifications and can deny access to content, even including your own files if it were designed to do this.
Of course the main problem for DRM isn’t weaknesses in cryptographic security, but that the masses simply download content in an unencrypted form from bittorrent in the first place thereby sidestepping the whole thing.
Regarding the article, is there a disparity in the report between what happened, a driver that is malicious got signed, versus how it happened to get signed?
I understand that MS signed the driver, the question is was the driver malicious at the time or has the vendor found a backdoor to altering a signed driver. Even though it’s a massive what if, that would be far bigger concern.
The weakest link is always human.
The information so far from Microsoft is kind of horrible,
https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/
–Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments. The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party. We have suspended the account and reviewed their submissions for additional signs of malware.–
I would think this is some form of anti-cheater gone really badly wrong. Do note the “distributing malicious drivers within gaming environments”; this normally would mean bundled with games.
https://www.vice.com/en/article/7xdmgq/guild-wars-2-used-spyware-to-catch-cheaters
This here is from 2018. Different game companies have done illegal things to attempt to catch game cheaters before.
Yes, this is not Microsoft signed 1 bad driver. This is Microsoft signed 74 bad drivers made by one party (yes, I counted the SHA256 file hashes at the end of that post by copying them into a text file and using wc -l on them).
I think the weakest point here is not a human, it’s leaving it up to an automated system that automatically trusted the party submitting. It would be good if Microsoft would in fact name the company who submitted these drivers instead of hiding them.
Yes, we need to stop saying “Microsoft digitally signs a malicious rootkit driver” because this is true but not really the fact. The fact is “Microsoft digitally signed 74 malicious rootkit drivers” that they have admitted to so far. A single signature is not going to be enough here.
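Counting the hashes at the end of an advisory with `wc -l` is a quick sanity check, but the operational question is whether any of those hashes are sitting in your own driver directory. The script below is an added example, not code from the article, the MSRC post or any commenter: it pulls every SHA256 token out of a block of advisory text, de-duplicates it (a repeated or upper-cased hash is still one indicator, which a raw line count misses), then hashes every `.sys` file under a directory and reports matches. The advisory text, file contents and hashes here are constructed for the demo and are not the real indicators; on a real machine you would paste the published list into `ADVISORY_TEXT` and point `scan_directory` at something like `C:\Windows\System32\drivers`.

```python
"""Match on-disk driver files against SHA256 indicators from an advisory.

Added example; not from the article or the comment thread. All hashes and
file contents below are CONSTRUCTED for the demo, not the real MSRC list.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional, Set

# A SHA256 hex digest is exactly 64 hex characters; \b keeps us from matching
# inside longer hex blobs or GUID-like tokens.
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def extract_sha256(text: str) -> Set[str]:
    """Return the unique, lower-cased SHA256 digests found anywhere in `text`.

    `wc -l` counts lines; this counts distinct indicators, so a hash that is
    repeated, upper-cased, or shares a line with another one is not overcounted.
    """
    return {m.group(0).lower() for m in SHA256_RE.finditer(text)}


def sha256_of_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA256 so large drivers do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root: Path, blocklist: Set[str], suffixes=(".sys",)) -> Dict[str, str]:
    """Return {path: digest} for every file under `root` whose digest is blocklisted."""
    hits: Dict[str, str] = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            digest = sha256_of_file(p)
            if digest in blocklist:
                hits[str(p)] = digest
    return hits


# Constructed sample driver contents (not real PE files) and the hash of the "bad" one.
BAD_BYTES = b"MZ constructed bad driver for the demo"
GOOD_BYTES = b"MZ constructed benign driver for the demo"
BAD_HASH = hashlib.sha256(BAD_BYTES).hexdigest()

# Constructed advisory text: the bad hash appears twice (once upper-cased) plus
# one unrelated indicator, so a naive line count would say 4 where there are 2.
ADVISORY_TEXT = f"""Indicators of compromise (constructed sample, not the real list)
{BAD_HASH}
{'0' * 64}
{BAD_HASH.upper()}   <- same indicator repeated in upper case
"""


def demo(tmp_root: Optional[Path] = None) -> Dict[str, str]:
    """Build a throwaway driver directory and scan it against the constructed list."""
    root = tmp_root or Path(tempfile.mkdtemp())
    drivers = root / "drivers"
    drivers.mkdir(exist_ok=True)
    (drivers / "bad.sys").write_bytes(BAD_BYTES)
    (drivers / "good.sys").write_bytes(GOOD_BYTES)
    return scan_directory(root, extract_sha256(ADVISORY_TEXT))


if __name__ == "__main__":
    indicators = extract_sha256(ADVISORY_TEXT)
    print(f"{ADVISORY_TEXT.count(chr(10))} lines, {len(indicators)} unique indicators")
    for path, digest in demo().items():
        print(f"MATCH {digest}  {path}")
```

The scan only answers "is a known-bad file present"; it says nothing about whether a matching driver is currently loaded, and a signed driver that is not on the published list will pass silently, which is exactly the gap the thread is complaining about.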
Read a little more carefully. This was the cheaters getting a geolocation spoofing driver signed. It’s much more likely the people that make and sell shady mods to cheat at online games got through Microsoft’s security.
Microsoft and security is like oil and water. Things that will never –want– to be together and only are artificially. Microsoft Security IS and ALWAYS will be a joke.
On a related note. Microsoft and reliability … do I need to say anymore? I’ve been working with Microsoft and other companies software since 1982. You can EASILY find 50+ operating systems that do everything *MOST* people need to do. And they do it with far greater reliability and security.
The only reason why people keep using Microsoft is that they are scared to switch to something else. The only thing Microsoft is good at is marketing. And in this space, so far that is all that has mattered.
Keep people afraid to switch and you keep your market. Also do a lot of dirty behind the scenes work with hardware vendors and they are scared to go up against Microsoft. It makes the perfect horrible class 5 storm and everyone in its path suffers far greater than they have any clue about since they don’t know anything else.
Ignorance is NOT bliss. Ignorance keeps people doing the same thing with the same results and they will never live better lives until they change what they are doing.
Spoken like a true self-righteous techie.
The reason most people use Microsoft is that their software runs on it, and PCs are cheaper than Macs. Heck, most people don’t even know they’re running on Windows, they know they bought an HP or Dell or whatever.
What the average user will ask when you propose these amazing new operating systems to them is something like this:
You: You should switch to Linux. It’s more secure and reliable.
User: Okay, will it run Microsoft Word and Adobe?
You: No, but there are alternatives that…
User: *walks away*
Most people don’t care what operating system they run. They care about the applications they like, or have to use. It’s that simple.
I suppose it’s amusing that Microsoft’s “Die Hard” fantasy of Windows 11 turned into a “Life of Brian” sketch.