[HN Gopher] Microsoft's out-of-date driver list left Windows PCs...
___________________________________________________________________
Microsoft's out-of-date driver list left Windows PCs open to
malware attacks
Author : bubblehack3r
Score : 60 points
Date : 2022-10-16 18:49 UTC (4 hours ago)
(HTM) web link (www.theverge.com)
(TXT) w3m dump (www.theverge.com)
| coredog64 wrote:
| I can no longer find the thread as this link has spammed Twitter
| search, but there was some drama earlier in the week about this
| same issue. Apparently some security researchers were unable to
| make the feature work and reached out to Microsoft. A Microsoft
| VP then condescended to their good faith questions and gave a
| weasel-wordy response that the fix for the feature is in the
| pipeline. However, if you're not aware of this specific issue,
| his response reads like the feature is enabled.
| detaro wrote:
| https://twitter.com/dwizzzleMSFT/status/1578478506337787905
| tinus_hn wrote:
| Windows 10 has for years automatically loaded a driver for
| certain Logitech webcams that adds a class driver to all media
| devices, which can't be loaded if you have the security turned
| up. So the result is you can't load sound drivers anymore,
| because the class driver which can't be loaded now is a
| prerequisite.
|
| I sincerely doubt anyone at Microsoft ever tests all those
| drivers that are shipped with Windows and the automatic driver
| loading service in Windows Update.
| pedro2 wrote:
| Wow. Just wow.
| rodgerd wrote:
| A reminder that "support arbitrary hardware" and "secure" is a
| really, really fucking difficult problem.
| bink wrote:
| Maybe. But identifying vulnerable drivers being used in
| prolific malware and providing a signature to block them isn't.
| gw99 wrote:
| I'm more worried that this is unsurprising to me now rather than
| it being an issue. The sheer amount of fragmentation, poor
| engineering, poor commercial decisions and quality issues that
| surround the Microsoft ecosystem is quite frankly at this point
| inexcusable.
|
| They really need to get themselves together on the Windows front.
| Actually all fronts. Even Office is a fucking shit show these
| days and that was the last bastion of common sense on the
| platform.
|
| As a former MS dev dating all the way back to the early 1990s, I
| don't own or work with their platforms as of 2021. My pain
| threshold isn't high enough. I implore the shareholders to kick
| the entire board out and install some people with good intentions
| and clue sticks.
|
| Until then I will be doing my absolute best to steer everyone I
| know away from the pain.
| rolph wrote:
| MS is looking a lot more like another advertising company, but
| the day-late, copy-others method hasn't left them; it's somewhat
| sophomoric.
| kevingadd wrote:
| A release Windows Update (not preview or Insider or whatever) a
| while back deleted my My Documents folder thanks to quality
| <unwanted Microsoft product> code. As far as I can tell, no
| improvements in quality culture or testing have occurred since
| that time, just a bit of a "mea culpa" over the small detail
| that Insider testers had been complaining and filing reports
| about "Windows Update deleted My Documents" and nobody looked
| at the reports.
|
| Another reason to make sure you have automated backups, I
| guess.
| yakubin wrote:
| Work forces me to use Outlook (the web version) and it's the
| worst mail program I've ever used. I repeatedly need to mark
| the same mails as read (last week I got a mail which kept
| marking itself as unread each time I switched to a different
| folder and back). A more minor, but still ridiculous, thing is
| that I can't create a top-level folder named "Calendar" (WTH?).
| But you'll be glad to know they localised this bug, so you
| actually can't create such a folder using the word for
| "calendar" in whatever UI language you chose. The default theme
| makes it really hard to distinguish mails which are read and
| which are not. I could go on and on.
|
| I have no idea how a company like Microsoft releases such a
| turd to the world. And supposedly they're focused on "The
| Cloud"(tm) now, not Windows. So it should be in a better state
| than Windows.
|
| When it comes to Windows, I love the overall kernel design. But
| when it comes to using the system, it seems to really lack
| polish. The myriad of little dysfunctional details (mostly in
| things which were added after Windows 7) just kills my ability
| to work with the system without getting angry at it.
| ocdtrekkie wrote:
| I assume this didn't get as high a level of scrutiny because it
| still fundamentally requires you admin-elevate the running of
| code from a questionable source. Sure a bad driver might claim
| it's from Dell, but it wasn't one you downloaded from dell.com so
| you probably shouldn't be trusting it.
|
| Raymond Chen has largely pointed out the position of Microsoft
| that if you authorize code to run with elevated permissions and
| it does things it can do with elevated permissions, it's not
| really a security flaw.
| Genbox wrote:
| I largely concur with Raymond Chen's reasoning on the subject.
| However, there are two distinct factors Microsoft does not seem
| to realize as problems:
|
| 1. There has been a precedent in Windows to run everything as
| local administrator. Linux has always had the user vs. root
| paradigm, but Windows - at least in the client versions - has
| always just defaulted to administrative accounts.
|
| 2. Features designed to provide more fine-grained control of
| token privileges, such as UAC, process integrity, and
| virtualization, have been excluded from security bug bounties
| as being "not a real security boundary". This stance is
| somewhat counterintuitive and quite dangerous.
|
| Combine those two with the fact that Microsoft never provided
| sane secure defaults for any of their software; it just goes to
| show that Microsoft is not concerned nor bothered with securing
| their software.
|
| That shifts the issue of "don't run as admin, stupid"
| responsibility from the user to Microsoft to a large extent.
| ocdtrekkie wrote:
| I think the core issue is Windows has always prioritized
| consumer usability, and that often, yes, means worse security
| defaults. I only finally stopped being an admin on my
| personal PC's main account a couple months ago, and I
| consider myself a security person. ;)
| [deleted]
| PeterisP wrote:
| Such drivers may enable local attacks like the Razer driver
| issue (one description at
| https://www.bleepingcomputer.com/news/security/razer-bug-let...)
| since plugging in a particular device (or, really, a
| cheap USB chip that will fake the proper device IDs) can
| automatically download & install the vulnerable driver.
| ocdtrekkie wrote:
| This isn't really true: Because it'll download the driver
| from Windows Update, so it'll serve the latest version.
| Obviously after the zero day is dealt with that will no
| longer happen. This is about a flaw that lets someone _with
| admin rights_ install an old driver which has already been
| replaced/fixed on Windows Update.
___________________________________________________________________
(page generated 2022-10-16 23:01 UTC)