
New Windows Driver Signature bypass allows kernel rootkit installs

fullspectrumdev

So what’s interesting is MS say that UAC isn’t a security boundary. Which is some users to admin.

Then they say admin to kernel (in this case) isn’t a security boundary.

While also saying that driver signing enforcement is a security feature.

Which is what’s being bypassed here.

But they claim in this case it’s not crossing a security boundary.

Please make sense.

prettyStandard

This is a value system disagreement.

I have a theory that there's basically two types of disagreements, disagreements on definitions, and disagreements on value systems.

In this case Microsoft values downplaying this issue, so when that is at the top of their value system their decisions should make sense following that.

Since this is just a pet theory I'm very interested to hear critiques on it.

Disagreements on definition are a little bit easier, because then you can just talk about the definitions and resolve your differences there... For example, let's say, IDK, you're trying to sort out how to design a software system, and everyone is speaking in terms of design patterns, but they haven't yet spelled out the details of what those design patterns are; that could probably lead to a lot of confusion if, when you say A, I think of A', and another person is thinking of A''.

Buttons840

I like this. I first noticed this with gay marriage. Some would say "gay people should be able to do what they want and form 'civil unions' with all the tax and contractual benefits and requirements of marriage, but they shouldn't be able to get 'married'". For these people, it was all about the definition of a word.

Other people opposed gay marriage because it went against their values. No matter what you wanted to call it, they were opposed to gay people living together and sharing their lives.

I chose this example because it's the first time I noticed that some disagreements are about the definition of a word, and it's an especially clear example of that. It's silly how huge disagreements about a single word can become.

There are also people who disguise their value disagreement as a definition disagreement. This is a form of bad faith arguing.

quotemstr

UAC in practice doesn't function as a security boundary, and to make it one would so inconvenience users that they'd just go to other OSes.

Both UAC and sudo are just OS level cookie dialog boxes. Let's get rid of all three.

We need to give up on the UAC/sudo/etc. style of user based privilege escalation and instead sandbox apps, not users, just like Android and iOS do.

tsujamin

> Both UAC and sudo are just OS level cookie dialog boxes

To be fair, that's misconstruing UAC and CredUI/Secure Desktop a little. There probably is merit in switching to an isolated desktop session when seeking consent, or user credentials, despite the fact that UAC/the AuthZ part within a user account has flaws. I think another issue is probably that most users' exposure to UAC is on machines they're the sole user and administrator of; it's a different ballgame in enterprises where the end user is probably the least privileged principal logged into a particular PC.

Windows et al. have sandboxed apps, but which apps and which users should be allowed to do system-level confirmation type changes? iOS and Android are (for the most part) on single user devices; you still need some sort of AuthZ system to decide who and which apps can change what on multi-user systems.

BSDobelix

>sandbox apps

This is about drivers...

quotemstr

1) drivers should be apps too (Redox and others (even macOS partially) get this right)

2) driver vulnerabilities are there regardless of user setup. Making a user click a UAC button doesn't make the vulnerability disappear

tomrod

I'm not by any means a security guru. I understand some basics, but I think I'm missing a conceptual model somewhere. What is it about Windows that makes it so damn hackable?

throwaway48476

The problem is that windows was developed before security was important. No one has made the necessary investments to create a truly secure computing platform.

Ideally a secure computing platform would have reproducible builds built on public inspectable infrastructure like fdroid. It would also virtualize all untrusted applications in a sandbox and implement the least privilege model.

Today we have the worst security. There is unknown, probably untested and insecure code running at every ring, from the CPU's ME, to the UEFI components, to the OS 3rd party drivers.

SeL4 has a fully verified kernel but it doesn't do virtualization yet.

robocat

> windows was developed before security was important

I disagree - At best you could say DOS was developed before users knew security was important... Microsoft has explicitly ignored security since DOS - because functionality sells better than security. Anyone who has worked with Unix systems has always understood just how much of a sieve Microsoft OSes are. Anyone with wisdom has said that about Windows from the very very beginning. Windows anti-virus has been a thing for a very long time.

If your prior is the number of extreme security vulnerabilities in one year - the implication is that there are lot of undiscovered extreme security vulnerabilities.

And competent WaaS (Weaponisation as a Service) now exists to quickly deploy exploits for obscure weaknesses or recently discovered weaknesses. Users and companies no longer have a few weeks grace before mass exploitation occurs.

Use Windows, get pwned. The counterfactual is difficult: it is hard to prove you haven't been pwned... Anti-virus defence is often too late (plenty of examples eh!).

I've seen very careful users/developers get caught out again and again.

Not to say Windows is alone. Routers and other end devices are just as bad. And Android doesn't appear great to me either.

snvzz

UNIX's entire security model is "ambient security" in operating systems literature.

Ambient security is a joke. Real security requires a capability-based model.

seL4[0] implements the mechanisms to do this efficiently. Lions OS implements an entire system with seL4 as core[1] leveraging these mechanisms.

0. https://sel4.systems/About/seL4-whitepaper.pdf

1. https://trustworthy.systems/projects/LionsOS/

morpheuskafka

> The problem is that windows was developed before security was important.

But wasn't that Windows rebuilt from the ground up as Windows NT, which had more advanced security features out of the box than basic Unix/Linux (allow/deny ACLs vs octal permissions, SAM database vs /etc/passwd flatfile, SIDs vs manually assigned/reusable UIDs)?

(And some other cool design features that never got used, like POSIX/OS2 subsystems being on equal footing as the "regular" Windows32 subsystem.)

mmooss

> But wasn't that Windows rebuilt from the ground up as Windows NT

That was the 1990s. Windows security was transformed in the 2000s and then with Windows 10. I'm not sure it can be said to be more vulnerable than other OSes.

pjmlp

The same can be told of UNIX; let's not forget the first worm was targeted at UNIX systems, and the root cause keeps being a regular CVE in C and C++ projects.

throwaway48476

Of course. A new secure computing platform would have to be built from scratch and from secure primitives that would not be backwards compatible with anything outside of virtualized emulation.

ddtaylor

When that worm was created Windows did not exist.

mmooss

> windows was developed before security was important

That was a long time ago, the 1980s and 1990s. Windows has been transformed since then, particularly with Windows 10.

snvzz

>SeL4 has a fully verified kernel but it doesn't do virtualization yet.

It very much does virtualization. And, as far as I am aware, it does it better than any other OS.

Incidentally, seL4 just had its seL4 Summit 2024[0].

0. https://www.youtube.com/playlist?list=PLtoQeavghzr0ZntMmRPwg...

gjsman-1000

> Ideally a secure computing platform would have reproducible builds built on public inspectable infrastructure like fdroid. It would also virtualize all untrusted applications in a sandbox and implement the least privilege model.

Also, be careful what you ask for. Such a system would likely require Secure Boot to be enabled a-la Android, complete with userspace detection of a system which does not have Secure Boot enabled, for DRM implementations similar to a game console. We're already close, but UEFI bugs, virtualization, hundreds of TPM variants, and bus attacks have left holes.

nwellinghoff

Can’t believe people have not pointed out the biggest reason of them all. It's the most widely deployed desktop OS across rich targets (corporations). A lot of time and investment goes into cracking it.

ddtaylor

There are more computers running Linux on this earth by orders of magnitude.

kryogen1c

>> Its the most widely deployed desktop os across rich targets

>There are more computers running Linux

You did not address the claim you replied to. Users get compromised, and users use windows desktop.

The number of DB clusters or whatever running *nix isn't relevant.

gjsman-1000

> There are more computers running Linux on this earth by orders of magnitude.

Yes, but most of them aren't running GNU and have signed boot with no ability to disable it. Very shallow victory. Could turn into FreeBSD tomorrow, and very little ground would be lost.

Jerrrrrrry

Why are all the billionaires using iPhones if they keep getting 0-day'd?

Shouldn't billionaires know to not use iPhones?

Also, isn't it weird that trains don't disappear like boats and planes do?

Maybe trains did disappear, and they are in the ocean, and no one thought to look for them there. And we didn't notice, because they disappeared?

(This is snark, and will still go over the head of most regardless if you knew what "observational bias" was)

throwaway48476

For a while apple had better security. Now it's more even, if you go by the 0day prices. There's not a lot of truly secure options unless you wanted to develop your own phone from the ground up.

cruffle_duffle

Wait until all those regulations requiring apple to allow different app stores come online and then we will see how secure iOS is. The day Joe Clicks-A-Lot can follow a link in some random pig butchering scam email then “legally” sideload and run whatever crazy weird goop happens to be at other end will really put things to the test.

Because letting Susie Easy-To-Phish install anything and everything on her iPhone is going to make things very… interesting.

That being said, Joe and Susie can already do that on android right?

robhlt

The prevalence of 3rd party kernel-level code is an important factor too. Lots of windows malware relies on a vulnerable 3rd party kernel driver at some point.

By comparison, 3rd party kernel modules are rare and looked down upon on Linux and outright banned on macOS.

makeitdouble

To note, Windows isn't allowed to completely block third party kernel code.

I don't have the reference at hand but it was part of their various anti-trust fallout, as it would give them an unfair advantage regarding to their own products.

PS: an analysis of that situation during the Crowdstrike issue, with the relevant bits of the EU ruling: https://www.computerweekly.com/news/366598838/Why-is-CrowdSt...

spockz

What might be enough is to have windows required to boot in a “install” mode before 3rd party kernel code can be added.

camus_absurd

Not banned, you just have to go through some hoops to enable installation of third party kernel extensions

high_priest

From my experience, it's that users are administrators by default. And it is super easy to convince them, to run anything with elevated permissions.

rockskon

The alternative to that is Android and iOS, where we don't have full control over our own devices unless we jailbreak them, which itself breaks so many critical apps on the mobile device stores that it's frequently not worth it to root the device.

No - the problem here is moreso the sheer complexity of Windows and the variety of devs involved and the push for backwards compatibility.

SoftTalker

As if most linux users aren't also in the sudo group?

graemep

There are multiple ways to set things up in Linux. You can use sudo, or you can have a separate root user.

I have not used Windows enough in recent years to know, but there may be differences in what you need to enter your admin password for, which may make users less suspicious when asked. On Linux distros I have used, the only regular operations on a desktop that require it are software installation and updates, which have a well defined UI and come after a specific user action.

tempest_

If you want to include anyone with an android device as a linux user then most of them are not.

advael

It'd be a lot less easy if the OS didn't seem to require full privilege escalation for a lot of tasks you don't need that for in linux. One of the major problems that leads to escalation is poor separation of concerns

tredre3

What action requires admin escalation on Windows but not on Linux?

card_zero

Is that different from sudo?

NekkoDroid

Well, the main difference is that one you just click "yes" and the other you usually need to enter a password.

Then there is also polkit, which does something similar to sudo, but for a different use case (authenticating unprivileged process access to a privileged process). Polkit to my knowledge can differentiate between actions to "always allow", "requires confirmation" (press yes) and "require password".

ajross

The exploit under discussion is an attack on Windows Update; it doesn't AFAICT involve running privileged code as the user. Also the default Windows user has been non-Administrator for many years now. It's true you can fool users into elevating a shell or whatever, but that's true for pretty much all platforms.

ethbr1

I'm happy to complain about Windows, but I will say their progress in converting their ecosystem to user-by-default with elevation prompt warnings has been impressive.

Especially when they had to drag their developer community kicking and screaming to it. (in Windows Vista ~2006)

Afaicr, there's also a neat bit where the lock screen and UAC prompt actually run under an entirely different, privileged and restricted session (than the normal one the user is interacting with and running programs in).

Ref: https://learn.microsoft.com/en-us/windows/security/applicati...

Apparently now termed the "secure desktop", it's transparently overlaid on top of the user desktop whenever you see a prompt.

Hilift

The driver signing blacklist file DriverSiPolicy.p7b had not been updated for years. It took a CERT analyst (Will Dormann) to ask why in 2022. It's being updated regularly now, but WTF. https://www.bleepingcomputer.com/news/microsoft/microsoft-fi...

peppermint_gum

What makes you think that it's "so damn hackable"?

Also, this particular attack requires administrator privileges and bypasses a security boundary that doesn't even exist on e.g. Linux. Linux doesn't have driver signatures and root can easily install a new kernel module.

formerly_proven

> Linux doesn't have driver signatures and root can easily install a new kernel module.

Linux supports signed kernel modules (and not just on paper, this is a widely deployed feature).

ddtaylor

Linux also has SELinux, root can't do everything there.

NekkoDroid

Yep, when booting with secure boot the kernel won't load any unsigned drivers.

mrinfinitiesx

Just a quick look at 2024's CVEs, 0days for Windows is a security nightmare. Not singling out Windows specifically, but they have a lot.

Browsers only just recently patched browsers being able to be served javascript that scans local devices on 10.* and 192.168.* etc hitting IoT devices with exploits and payloads, hell even hitting open listening sockets on localhost and 0.0.0.0 -- that's cross platform, how many years did that go under the radar?

And now Windows is getting 'Recall' which will monitor and scan your every PC action to remember it for you using ML; I don't see that going back at all /s

gruez

>Browsers only just recently patched browsers being able to be served javascript that scans local devices on 10.* and 192.168.* etc hitting IoT devices with exploits and payloads, hell even hitting open listening sockets on localhost and 0.0.0.0 -- that's cross platform, how many years did that go under the radar?

Ironically windows was not hit by that, but the "secure"(?) operating systems of mac and linux were.

mardifoufs

What do you mean by hackable? I can't really see how other operating systems (say, Linux+any distro) are more secure than windows fundamentally?

pcdoodle

IMO: The backward compatibility and lots of hands touching many moving parts.

jsheard

Yep, the almost impenetrable security of the last few Xboxes shows that Microsoft does have it in them to architect a very secure platform, even against physical attacks, but they don't have the luxury of doing such a clean-slate design with Windows. They can almost never afford to break backwards compatibility and the Xbox approach of running each instance of legacy software in its own fully isolated virtual machine wouldn't really scale to a multitasking environment.

For those not keeping score, the Xbox One only recently got a very limited jailbreak a decade after release, that only works on old firmware and only allows access to the innermost level of sandboxing, with the outer system sandbox, hypervisor, bootloader and optical drive handshake remaining unbroken to this day.

throwaway48476

The Xbox is 'secure', but against the user. There are a great many PCs out there that this model doesn't work for.

the_arun

Hard to believe Microsoft is disagreeing when there is a demo.

In that Vimeo account there are a ton of other security discoveries. E.g. WhatsApp running a Python script. Is this real or a scam?

9029

Well the demo is showing a crossing of something that ms has defined to not be a real security boundary: "Administrative processes and users are considered part of the Trusted Computing Base (TCB) for Windows and are therefore not strong isolated from the kernel boundary." [0]

Another recent case: https://arstechnica.com/security/2024/03/hackers-exploited-w...

[0] https://www.microsoft.com/en-us/msrc/windows-security-servic...

morpheuskafka

On the Linux side, SELinux which sets guardrails on the root user at the kernel level is mandatory for protecting classified information. Thus, there is most certainly a security boundary between root, let alone regular users with "admin" groups/perms, and the kernel.

How can Windows, which is used all over the government, have a policy that admin users can do whatever they want with the kernel without it being a security vulnerability?

thrtythreeforty

I'm kind of with Microsoft on this one: the administrator can do arbitrary things to the computer, film at 11. Is there a nuance that I'm missing that raises the severity of this?

See also Raymond Chen's summary of this class of attack:

https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31...

quotemstr

It's also interesting how on both Windows and Linux normal-privilege local accounts are, practically, root equivalent. In Linux, we train people to type "sudo" in front of anything system relevant. On Windows, we train users to click through UAC prompts. When was the last time sudo said "no" to somebody for a reason other than a password typo?

(UAC is marginally better than sudo: UAC is system managed UI, while sudo is just a program. An attacker can plug in a malicious shell alias for sudo and steal your password.)

IMHO, it'd be more convenient for users and more reflective of actual security posture to get rid of both sudo and UAC (in the default setup of course) and stop pretending that there's a firm security boundary between root and the primary human local user account.

adrian_b

On Linux, I do not install sudo, because I do not need very often to become root, and when I need that I usually want to do multiple operations.

I believe that "sudo" is useful only on multi-user computers (including company-owned and company-managed computers), where the administrator may want to give to some users the power to do only a restricted set of privileged operations.

I always use a different user account than root, mainly not for security, but to avoid any accidental mistakes, when I could delete or overwrite other files than intended.

I believe that this is a good enough reason to justify the need to infrequently type a password in order to change roles.

a2128

On Linux, most modern user-facing applications are using polkit instead of sudo. You can actually just use pkexec instead of sudo in the terminal as well.

Instead of just running arbitrary commands as root, applications can use specific pre-defined actions like "org.freedesktop.udisks2.filesystem-mount". This shows a nice localized message to the end user about what the app is trying to do, so they can decide whether to allow it or not. The system administrator can also configure certain actions to not even require authentication, useful for e.g. flatpak updates, or to block certain actions altogether.
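The polkit decision tiers mentioned in this thread (always allow, confirm, ask for a password) are what a rules file returns to polkitd. As an added, stand-alone model that is not from the thread or from the polkit project: the two `polkit.addRule(...)` bodies below use the real polkit rules API (`polkit.addRule`, `polkit.Result.*`, `subject.isInGroup`, `subject.local`, `subject.active`), while the `polkit` stand-in object, the `evaluate()` function, the `.policy` defaults, the subjects and the Flatpak action id `org.freedesktop.Flatpak.app-update` are constructed or assumed here so the evaluation can run offline under Node. Only `org.freedesktop.udisks2.filesystem-mount` comes from the post above.

```javascript
// Added example (not from the thread, not polkit's own code): a model of how
// polkitd runs rules from /etc/polkit-1/rules.d/*.rules against a request.

// Stand-in for the objects polkitd exposes to rules files (constructed here).
// The Result names and values mirror polkit's init.js; NOT_HANDLED falls through.
const polkit = {
  Result: {
    NO: "no",                     // deny outright
    YES: "yes",                   // "always allow": no prompt at all
    AUTH_SELF: "auth_self",       // "require password": the user's own
    AUTH_ADMIN: "auth_admin",     // "require password": an administrator's
    NOT_HANDLED: null,            // let the next rule or the .policy default decide
  },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// Implicit defaults as the actions' .policy files would declare them.
// Values are constructed for this example; the Flatpak id is an assumption.
const policyDefaults = {
  "org.freedesktop.udisks2.filesystem-mount": polkit.Result.AUTH_ADMIN,
  "org.freedesktop.Flatpak.app-update": polkit.Result.AUTH_ADMIN,
};

// A subject as a rule sees it: who is asking and from what kind of session.
function makeSubject(user, groups, { local = true, active = true } = {}) {
  return {
    user, groups, local, active,
    isInGroup(g) { return this.groups.includes(g); },
  };
}

// --- what an admin would put in a rules file (real polkit rules syntax) ---
polkit.addRule(function (action, subject) {
  // Members of "wheel" at the local, active console may mount filesystems
  // without any prompt; everyone else falls back to the .policy default.
  if (action.id === "org.freedesktop.udisks2.filesystem-mount" &&
      subject.local && subject.active && subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
});

polkit.addRule(function (action, subject) {
  // Flatpak updates run unattended from a local active session, and are
  // refused outright from anywhere else (e.g. an SSH session).
  if (action.id === "org.freedesktop.Flatpak.app-update") {
    return (subject.local && subject.active) ? polkit.Result.YES : polkit.Result.NO;
  }
});
// --- end rules file content ---

// polkitd semantics: rules run in the order they were added; the first one
// returning a non-empty result decides. Otherwise the .policy default applies,
// and an action nobody declared is denied.
function evaluate(actionId, subject) {
  const action = { id: actionId, lookup: () => undefined };
  for (const rule of polkit._rules) {
    const r = rule(action, subject);
    if (r) return r;
  }
  return policyDefaults[actionId] ?? polkit.Result.NO;
}

// Constructed sample requests.
const alice = makeSubject("alice", ["users", "wheel"]);
const bob = makeSubject("bob", ["users"]);
const remoteAlice = makeSubject("alice", ["users", "wheel"], { local: false });

console.log(evaluate("org.freedesktop.udisks2.filesystem-mount", alice));      // yes
console.log(evaluate("org.freedesktop.udisks2.filesystem-mount", bob));        // auth_admin
console.log(evaluate("org.freedesktop.Flatpak.app-update", remoteAlice));      // no
console.log(evaluate("com.example.undeclared-action", alice));                 // no
```

The point of the model is the ordering: a rule that returns `YES` short-circuits everything after it, so a permissive rule placed early (or one that forgets to check `subject.local`/`subject.active`) silently turns a "require password" action into "always allow" for every matching caller. Checking the session properties, not just group membership, is what keeps the unattended path limited to someone physically at the console.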

quotemstr

So the kernel is enforcing file sharing rules (mandatory locking, in effect) by scanning on open all open file handles for conflicting mandatory locks, but doesn't check for memory mappings of these files with conflicting permissions. Oops. Seems like a straightforward fix though.

It's worth noting that Linux just got rid of its last vestige of mandatory locking. Now you can write a loaded executable without getting EBUSY. Interesting how exactly the same feature on one OS can be a load bearing part of the security infrastructure and on another OS legacy crud to be deleted.

bubblesnort

> possible by gaining kernel code execution as an administrator

The root user can install rootkits as usual. Don't forget to brand it a cool name.... Oh wait:

> The researcher published a tool called Windows Downdate

There you go, here's your 0xF minutes of fame, well played.

ajross

Seems like the attack is suspiciously simple: Fool the update process into installing old versions of kernel components with known vulnerabilities. I'm no expert, but surely MS has already thought about this and has a blacklist or revocation facility or whatever?

Is the root cause here an OS design issue or just a process failure where they failed to note the broken/bad hashes in the correct spot? The latter is much easier to fix, but the (slightly spun, as always) security announcement seems to claim the former.

SoftTalker

Maybe they have to allow downgrades because enterprise users will insist on being able to downgrade if an update breaks something?

marcosdumay

Windows automatically downgrades when an update breaks everything...

And then schedules the update again...

What is a fairly common thing to happen...

TheRealPomax

It also allows tampering with Windows 11 to actually make it a better OS because it bypasses all the Microsoft lockdown bullshit, but let's focus on the rootkits instead.

Sakos

I've noticed that a surprising number of people here on HN are in favour of locking down Windows and preventing any kernel access at all to Windows users. It reeks of the "think of the children" arguments.

mrinfinitiesx

The owner of this website (www.bleepingcomputer.com) has banned your IP address (IP)

K.

edit: VPN, ssh -D to vps & socks5 localhost worked. Can't have anything anymore.

alpaca128

If you have a dynamic IP it was probably banned because of someone else who had it in the past.

worewood

With widespread CGNAT and the exhaustion of IPv4 addresses this will become more and more common each day...

dkasper

Haunted IPs are a thing, same as the haunted domains article also on the front page right now! https://news.ycombinator.com/item?id=41951131
