
Microsoft: Windows 10 Devices Open To 'Full Compromise' From Huawei PC Driver (zdnet.com)

According to ZDNet, researchers at Microsoft have discovered a buggy Huawei utility that could have given attackers a cheap way to undermine the security of the Windows kernel. From the report: Microsoft has now detailed how it found a severe local privilege escalation flaw in the Huawei PCManager driver software for its MateBook line of Windows 10 laptops. Thanks to Microsoft's work, the Chinese tech giant patched the flaw in January. As Microsoft researchers explain, third-party kernel drivers are becoming more attractive to attackers as a side-door to attacking the kernel without having to overcome its protections using an expensive zero-day kernel exploit in Windows. The flaw in Huawei's software was detected by new kernel sensors that were implemented in the Windows 10 October 2018 Update, aka version 1809.

The kernel sensors are meant to address the difficulty of detecting malicious code running in the kernel and are designed to detect user-space asynchronous procedure call (APC) code injection from the kernel. Microsoft Defender ATP anti-malware uses these sensors to detect actions caused by kernel code that may inject code into user-mode. Huawei's PCManager triggered Defender ATP alerts on multiple Windows 10 devices, prompting Microsoft to launch an investigation. [...] The investigation led the researcher to the executable MateBookService.exe. Due to a flaw in Huawei's 'watchdog' mechanism for HwOs2Ec10x64.sys, an attacker is able to create a malicious instance of MateBookService.exe to gain elevated privileges. The flaw can be used to make code running with low privileges read and write to other processes or to kernel space, leading to a "full machine compromise."
Long-time Slashdot reader shanen writes: Though the story features Huawei, there doesn't seem to be anything specific to that company there. Just innuendo that you can't trust Chinese companies, eh? "Don't throw your computer into that Chinese briar patch!" Anyway, the sordid reality is that Microsoft is the root of all evils in the Windows platform. If increasing security had been half as important as maximizing profits, then we'd be in a much better world today. All complicated software is buggy, but adding complexity for no good reason is just begging for more problems. Here's a crazy solution approach: Any OS feature that isn't used by a LARGE majority of the users should be REMOVED from the OS. Maybe that isn't strong enough. Maybe the OS should be strictly limited to what absolutely needs to be there. Guard those eggs carefully!
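The summary says the driver's watchdog could be made to trust "a malicious instance of MateBookService.exe". The block below is an added example, not Huawei's driver code nor Microsoft's analysis: it models that class of mistake, a watchdog that identifies its helper process by image name alone, next to a check that pins the canonical install path, the code signature and the image hash. The install path, the image bytes, the planted binary's location and the signature flag are constructed assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of what a watchdog can learn about a process. In a real
 * driver, image_path and image_bytes must come from the kernel's own view of
 * the mapped image, never from a string the process reports about itself. */
typedef struct {
    const char    *image_name;    /* basename, which is all the weak check looks at */
    const char    *image_path;    /* canonical full path of the main image */
    const uint8_t *image_bytes;   /* contents of the mapped image (constructed) */
    size_t         image_len;
    bool           signature_ok;  /* result of a code-signing check (constructed flag) */
} process_t;

/* Hypothetical install location of the legitimate helper service. */
#define TRUSTED_NAME "MateBookService.exe"
#define TRUSTED_PATH "C:\\Program Files\\Huawei\\PCManager\\MateBookService.exe"

/* Constructed stand-ins for the shipped image and for a same-name binary that
 * an unprivileged user dropped into a directory they can write to. */
static const uint8_t GENUINE_IMAGE[] = "MZ-genuine-helper-service-build-1";
static const uint8_t PLANTED_IMAGE[]  = "MZ-anything-at-all";

/* FNV-1a 64-bit, standing in for the cryptographic hash a real check would use. */
uint64_t fnv1a64(const uint8_t *data, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* In a real driver this value is pinned at build time; here it is derived from
 * the constructed genuine image so the example stays self-contained. */
uint64_t expected_image_hash(void) {
    return fnv1a64(GENUINE_IMAGE, sizeof GENUINE_IMAGE - 1);
}

/* Windows paths are case-insensitive, so compare them that way: a different
 * spelling of the real path is fine, a different directory is not. */
static bool path_equal_ci(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Weak check: trust any process whose image is merely *called* the right thing.
 * Any local user can start a binary by that name, which is the pattern the
 * story describes as "a malicious instance of MateBookService.exe". */
bool watchdog_trusts_weak(const process_t *p) {
    return strcmp(p->image_name, TRUSTED_NAME) == 0;
}

/* Hardened check: identity is the canonical path under a directory only
 * administrators can write to, a valid signature, and an image hash pinned to
 * the shipped build. Hash the image the kernel actually mapped, not a fresh
 * read of the file, or the check races against a swap on disk. */
bool watchdog_trusts_hardened(const process_t *p) {
    if (!path_equal_ci(p->image_path, TRUSTED_PATH)) return false;
    if (!p->signature_ok) return false;
    return fnv1a64(p->image_bytes, p->image_len) == expected_image_hash();
}

/* The two processes the story contrasts (constructed). */
process_t genuine_process(void) {
    process_t p = { TRUSTED_NAME, "c:\\program files\\huawei\\pcmanager\\MateBookService.exe",
                    GENUINE_IMAGE, sizeof GENUINE_IMAGE - 1, true };
    return p;
}
process_t planted_process(void) {
    process_t p = { TRUSTED_NAME, "C:\\Users\\lowpriv\\AppData\\Local\\Temp\\MateBookService.exe",
                    PLANTED_IMAGE, sizeof PLANTED_IMAGE - 1, false };
    return p;
}

int main(void) {
    process_t g = genuine_process(), a = planted_process();
    printf("genuine: weak=%d hardened=%d\n", watchdog_trusts_weak(&g), watchdog_trusts_hardened(&g));
    printf("planted: weak=%d hardened=%d\n", watchdog_trusts_weak(&a), watchdog_trusts_hardened(&a));
    return 0;
}
```

The weak check accepts both processes; the hardened one accepts only the genuine image at its install path, and still rejects a byte-identical, validly signed copy launched from a user-writable directory.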
  • by UnknowingFool ( 672806 ) on Tuesday March 26, 2019 @08:11PM (#58339162)
    Personally I’m highly suspicious of Huawei and I don’t think this was a flaw. “Intended design” is what I suspect is a better description.
    • Re: (Score:2, Redundant)

      by Gravis Zero ( 934156 )

      Well it certainly doesn't help their argument of having "no backdoors" in their 5G equipment.

    • by Tablizer ( 95088 )

      It would be fair to apply Hanlon's razor. Companies are quite often sloppy with security.

      • by shanen ( 462549 ) on Tuesday March 26, 2019 @09:40PM (#58339424) Homepage Journal

        It would be fair to apply Hanlon's razor. Companies are quite often sloppy with security.

        For additional context, "Never attribute to malice that which is adequately explained by stupidity." https://en.wikipedia.org/wiki/... [wikipedia.org] just references "human behavior".

        It isn't clear if you [Tablizer] mean Microsoft, Huawei, or just any company that does something so stupid it seems malicious. Like Boeing in today's news.

        As regards the narrow topic of fake vulnerabilities versus real mistakes, in previous variations of this topic I have suggested some of the desired features a planned security attack should have. Being implemented in visible code is NOT one of them. If the vulnerability can be discovered (as this one was), then only fools would rely on security by obscurity.

        (1) "Security by obscurity" is widely regarded as a dead horse.

        (2) Does anyone regard Huawei's engineers as a bunch of fools who would try to ride a dead horse?

        We cannot completely rule out the possibility that it was a deliberately implanted flaw. In such a case, it would only be natural to limit the development team, increasing the likelihood of a "flaw in the flaw". In this story, a "flaw in the flaw" that led to detection. However it would be extremely foolish if Huawei had not subjected the code to careful scrutiny by a large team of experts, because Huawei knows that ALL of its code is going to get expert scrutiny.

        BTW, I believe that most of the desired design-level features to support effective security breaches would be to create ways for attack code to be added only when needed and in ways that would cause the attack code to disappear if any suspicion was aroused.

        • by Tablizer ( 95088 )

          We cannot completely rule out the possibility that it was a deliberately implanted flaw.

          I don't dispute that. It's about not making intentional malice the default assumption without more solid evidence.

          • by shanen ( 462549 )

            Still not clear about your references. There is not much context before your initial brief comment, and you didn't provide more in your reply to my extracted sentence (on the scope of "adequately").

            The original bizarrely moderated comment was certainly not helpful, though you accepted the Subject: as relevant. I regard it as merely a pale acceptance of the possibly misleading headline.

            • Well, I was less than entirely convinced by that comment of yours which made it to the story description, in particular because Microsoft had added some security functionality which immediately flagged the problem.
              The other main commercial OS is Apple and they avoid this kind of problem by providing the hardware themselves. That is not an option for Microsoft.
              Linux is moving away from non-GPL'd modules, a decision - which like Microsoft's here - is partially mandated by security considerations.

              • by shanen ( 462549 )

                I'm not even sure how much of the original story description was based on my original submission, though I could research it. Pretty sure the original version must exist somewhere...

                However my original impression when I saw the story was basically "You could say this about any serious security flaw, but they are playing up the Huawei name, either for clickbait or propaganda." My later comment is a more clear analysis of my position, and I'm sure that one wasn't edited, though I could have messed it up in h

        • by dissy ( 172727 )

          Does anyone regard Huawei's engineers as a bunch of fools who would try to ride a dead horse?

          Well, yes :P
          But seriously though, I agree this is almost certainly just a mistake/flaw.

          One thing I have noticed time and time again, people/teams that are strong at designing hardware are generally utter garbage at designing software, and people/teams that are strong at designing software are generally utter garbage at anything hardware.

          Each of those is a vast superset of knowledge, skills, and many subsets that are highly specialized in their own right.
          It is the exception instead of the rule to find a wel

          • by shanen ( 462549 )

            Complicated comment, but I think I mostly agree with you. I do think you could have made a couple of points more clearly.

            Some parts of your comment are actually related to a longish comment I just wrote about "Clippy", so help me gawd. Essentially I'm saying the OS should stay out of my way. Clippy's mortal sin was the opposite, since Clippy was constantly getting in the way, but the underlying idea was actually a good one.

            I would say that what we have now is the worst of all possible worlds. We have just a

      • by raymorris ( 2726007 ) on Tuesday March 26, 2019 @09:47PM (#58339446) Journal

        Malice, negligence or just "shit happens", low-level hardware drivers are a problem. The protection is pretty much the same no matter how the vulnerability got there.

        Hardware drivers and the kernel require powerful capabilities - and are responsible for ENFORCING security policy. Since they control security, they can't be controlled by it.

        At one point people developed the idea of the microkernel as a theoretical way of reducing the attack surface. In practice, that evolved into virtualization - the hardware drivers being separate from the application software, to the extent of being two separate operating systems. Virtualization gives a good layer of security (though nothing is perfect).

        Another good solution is exemplified by USB 2.0, where the hardware driver is stored within the hardware itself, as firmware, and totally separate from the operating system. The OS trusted driver need only be a generic driver that can talk to that class of hardware via a standard interface protocol.

        Thunderbolt goes the opposite way, exposing your PCI-E bus to externally connected devices, giving them the same level of trust as internal parts.

        • by gweihir ( 88907 )

          Indeed. Drivers are trusted. That means they can break your security and there is nothing that can be done about it. As to malice, that seems highly unlikely, as this issue would have been better hidden. In particular, the attacker would have made sure these "sensors" do not detect it. A placed backdoor loses most of its worth after it has been found. No, this is just a regular screw-up that stems from the fact that the world still has not learned that software is hard and that people doing it well need tal

          • As to malice, that seems highly unlikely, as this issue would have been better hidden. In particular, the attacker would have made sure these "sensors" do not detect it.

            I have to point out that the "sensors" were new, so malice is still an option. Of course, there were beta versions of Windows Update 1809 before the actual update came out; a true malicious operator would have had time to attempt an update to the driver to at least hide the side-door.
            fwiw, I'll vote for a screwup.

            • by gweihir ( 88907 )

              Huawei will have access to all previews and likely is part of a select small group that gets them even earlier, so that is not a very strong argument. As malicious actors can be incompetent too, it is not a worthless argument, just weak. But Hanlon's Razor has stood the test of time and is usually right.

        • Hardware drivers and the kernel require powerful capabilities - and are responsible for ENFORCING security policy. Since they control security, they can't be controlled by it.

          Can't the drivers be constrained by the combination of MMU and IOMMU?

          • Can a device driver access your hard drive? Yes, that's what the sd and ahci drivers are FOR. If the sd driver couldn't access your block devices, how would anything access them? If the ahci couldn't access your SATA controller, you couldn't use your SATA controller.

            Can device drivers access your network card? Pretty tough to use a network card if drivers can't read it, write it, and otherwise control it.

            So the hardware drivers must, at minimum, have access to and control of your hardware - and therefore

            • So the hardware drivers must, at minimum, have access to and control of your hardware - and therefore all your data.

              No. Each individual driver needs access to and control of one piece of hardware. You're grossly misstating the case.

              Yes, if you design a system where (really slow) device drivers run as separate processes, you could use the MMU to limit which *memory* it has access to, but still drivers have control of hardware.

              Um, yeah, that's what the IOMMU is for. All modern PCs have them.

              • Okay, Mr. Kernel, does the driver kbdray handle a Microsoft Natural keyboard? By the way, that driver is newer than the kernel.

                Go ahead and take your time answering, I'll wait.
                .
                .
                .
                .
                .
                .
                .
                .
                .
                .
                .
                .
                .

                How can a kernel (from last year) figure out what hardware is supported by a driver (which was written last week)? Where is the code that knows which hardware is supported by that driver?

                The driver knows which hardware it supports! The kernel figures out which driver goes to which hardware by asking the driver. On L

                • My point is that the driver shouldn't be allowed to access memory it doesn't need access to, whether it's on the bus or in the main memory. I'm not trying to tell you about the driver. If Microsoft wants to provide value, that's a place they can get involved.

      • Why not instead apply the Silicon Valley Razor?

        "Never attribute to incompetence that which can be sufficiently explained by malice."

        Yes, I know Huawei is not based in Silly Valley. Nevertheless I suspect the Razor is valid in their case too.

    • Personally I’m highly suspicious of Huawei and I don’t think this was a flaw. “Intended design” is what I suspect is a better description.

      I could make the exact same claim for every flaw in Microsoft Windows, Google Android and Apple iOS, those are “Intended design” to make it easy for the NSA to spy on the rest of the world.

  • Wait up there, Windows 10 is compromised by default. It includes software that invades your privacy, analyses your data and your internet access and does not inform you what it sends and specifically purposefully has been done in a way to block users from turning it off reliably (the shit cunts routinely turn it back on, purposefully). It forces the install of programs without user choice and that includes altering defaults, running advertisements and basically turning over control of that 'NOT-personal com

    • by clay_buster ( 521703 ) on Tuesday March 26, 2019 @08:39PM (#58339222) Homepage
      None of your comments have anything to do with the problem that Microsoft found. The folks in Redmond have put a lot of work into Windows 10 security while trying to retain the current partner ecosystem and backwards compatibility.
    • by Aighearach ( 97333 ) on Tuesday March 26, 2019 @09:20PM (#58339354)

      Those things are all features that Windows users intentionally choose.

      It doesn't excuse Huawei backdooring them without their permission. And it doesn't excuse "Long-time Slashdot reader shanen" for defending the practice with a bunch of weak propaganda.

      Their software is dangerous, their hardware is even more dangerous. I don't run Windows, but I sure as hell don't want their hardware or software on networks that my data has to traverse.

      • by Anonymous Coward

        Users did NOT choose for Microsoft to unilaterally fuck over the software stack to fuck over their captive audience.
        How stupid do you think we are?

      • by shanen ( 462549 )

        Project much? Total ignorance of Microsoft's marketing?

        Or just another case of having nothing to say, you insist on saying nothing?

        Go ahead. Please try to write something to convince me you have sufficient intellectual integrity to engage in an actual discussion of computer security.

        • You're the one making bullshit conspiracy theorist claims that make you sound like a Stallman sockpuppet, so I think the onus is on you to prove you understand computer security, as opposed to being online Linux fanboy #10554546.
        • Computer security is difficult. Everything that's a flaw is exploitable--to some degree.

          Plurality voting allows us to run clones. A 44% candidate is a winner because the other two mains split the vote 44-32-24. We can exploit this: 44% can have a friend run as a clone of 56%, who only needs to take a bit over 13% of the vote to make 44% win.

          Majority-runoff and Instant Runoff Voting suffer a more-complex flaw exemplified in Burlington, Vermont's 2009 mayoral election. Given candidates A and B, wherea

          • by shanen ( 462549 )

            Your transition from computer security to voting systems is too rough and I am unable to follow why you think it is relevant in that form, notwithstanding the long explanation.

            Are you trying to say that users should not be allowed to vote for the features they want (because voting is complicated)? If so, then I just wrote a long comment about that topic (of the users' selections of features and functions). Search for "Clippy", so help me gawd.

            I'll just summarize it briefly here: Your OS should be rather alo

            • Are you trying to say that users should not be allowed to vote for the features they want

              No, I'm using vote tallying rules as an example of systems which we can manipulate, e.g. by adding candidates and adjusting campaign strategy. The point of adding candidate C isn't for C to win; it's to make candidate B lose so candidate A wins.

              Systems aren't built to be insecure; they just get that way, mainly by negligence. Diligence still produces insecure systems, but the flaws are harder to find, less frequent, and often difficult or impossible to exploit for controlled outcomes.

              I can design a m

              • by shanen ( 462549 )

                I'm pretty sure that one part of your position could be stated more clearly based on Godel's Incompleteness Theorem. The statements in question are the security characteristics and properties of the system, and the OS itself would be regarded as the sufficiently complicated language. By applying the theorem, you know that there are always statements about the system and parts of the system that you cannot prove, which means you cannot know if the security statements are true or not, but you also know that y

                • You're still describing a lot of code at rest that isn't doing anything, and your solution is to take the at-rest code away, then re-introduce it whenever it's called. There won't be a thorough evaluation of that re-introduction, and it's a new place to plant modified code. Nothing's changed except how many dialogues the user has to occasionally click through without the technical expertise to know whether or not there's a threat.

                  • by shanen ( 462549 )

                    Still don't seem to be communicating effectively... Mostly I'm focusing on increasing the difficulty of the targeting for the attackers. The monolithic approach basically ensures every part of the OS is always there and ready to be attacked. Diversity is a good thing, while uniformity is basically a standing invitation for the Warhol worms...

                    • The monolithic approach basically ensures every part of the OS is always there and ready to be attacked

                      That's not actually true.

                      Your attack surface is only what is exposed to attack. If you have nvidia device drivers loaded into memory but you don't have an nvidia video card, you can't trip a security vulnerability in the nvidia device driver because any calls to video operations will go through the Intel or AMD drivers.

                      To make a piece of code vulnerable to attack, that code has to first run. Unused code can't expose security vulnerabilities; a vulnerability can jump to unused code if it's already tak

        • Please try to write something to convince me you have sufficient intellectual integrity to engage in an actual discussion of computer security.

          No thank you.

          I intentionally phrase my comments to be abrasive to people who judge the person, instead of the idea. It is a form of IP protection that works entirely by mutual consent; People who are not authorized to consider the ideas I stated, or implied, are denied understanding. By themselves.

          I have no motivation to convince you of anything about myself other than that I'm a flawed messenger. And that is enough to reserve knowledge and understanding to the you from being able to understand my point. Yo

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Windows 10 is *the* reason I finally switched to Linux for my home PC.

      Unfortunately, I can't fully escape it. All the tax software applications that run on your local PC and allow you to keep control of your files (so your tax return isn't stored on a third-party server for 7 years), run exclusively on Windows or Mac. I need such software, and for something as important as taxes I don't feel comfortable relying on WINE, so I will have a windows 10 laptop for that purpose next year.

      Also, we use windows 10

      • I run virtually everything on my Linux machine - just some tax stuff on Windows 7 - but recently came across a flaw in that approach. I have to read PDFs, sent in by a variety of people who produce them in several different ways. My PDF reader of choice - Okular - failed to read many of the PDFs correctly, something I only discovered after pushing them onto a stick and looking at them using Acrobat Reader under Win 7.
        Yes, I'm aware that this problem was created by Adobe. They created a safe document format

    • by shanen ( 462549 )

      Never receiving a mod point, I can only add "Mod this up".

      However, that is also biased because I think I wrote roughly the same thing, but less well. I certainly think I've seen evidence to support it even beyond my paranoia.

  • Flawed assumption (Score:4, Interesting)

    by xonen ( 774419 ) on Tuesday March 26, 2019 @09:17PM (#58339336) Journal

    Here's a crazy solution approach: Any OS feature that isn't used by a LARGE majority of the users should be REMOVED from the OS. Maybe that isn't strong enough. Maybe the OS should be strictly limited to what absolutely needs to be there. Guard those eggs carefully!

    While this looks to make sense at first sight, it is flawed.

    Suppose there are 100 functions that fewer than 5% of the users use. Removing each of them will only affect 5% of the users. Removing all of them might affect nearly 100% of the users, as each of them needs another feature to work.

    I do agree on MS' bad reputation when it comes to security, but even that was not the root cause here. Their driver approval process might need more attention.

    Or maybe something absurd as, say, open-source drivers? Ideally the whole kernel and driver stack would be OS. Maybe in the future law will require such, for safety and accountability. They can keep their other junk like office closed afaic.

    • Or maybe something absurd as, say, open-source drivers?

      Well, if you call it a MATEbook, I expect it to run Linux with the MATE desktop environment.

    • Subject: is a joke, but I can only clarify with a thought experiment that Microsoft probably tried and failed to implement. So help me gawd, but I actually think the idea underlying Clippy was not bad. It couldn't be done at the time, and now the entire approach has been tainted. If there were more "real" players at the OS level I think someone would have implemented it by now.

      The OS should be quite aloof from what you want to do. The OS should be primarily a facilitator for applications. At the meta-level,

  • Microkernels (Score:2, Insightful)

    Microkernels are looking better all the time.

    • Why were they looked down in the first place?

      • Because they are slightly less efficient. Maybe 10%.

        And nobody would tolerate a computer that is 10% slower just because that is secure.

        • by Anonymous Coward

          Microkernels provide some isolation to mitigate the problem, but they don't provide total security.

          The driver for the crappy USB multi-function device is a separate process from the filesystem driver process, so it's safe, right? Just imagine that a bug in the crappy USB device's UI allows you to send commands to the device that trigger a bug in the filesystem driver that manifests a code injection vulnerability. Now you are running code in the filesystem driver so it's game over. You can read and write eve

        • by jrumney ( 197329 )
          Instead we run anti-virus to hopefully catch some of the problems that might slip through the insecurities. How much overhead is that you ask?
    • Microkernels are looking better all the time.

      Really?? Microkernels are just Microaggressions to a Monolithic Kernel, which is doing the best that it can with what it's given. Why are you so eagerly supporting bullies?


      /sarc, if you didn't notice.

  • Any OS feature that isn't used by a LARGE majority of the users should be REMOVED from the OS

    Good one. How about, instead, people who don't have use cases that require a very flexible OS should stick to iOS?

  • by Waccoon ( 1186667 ) on Tuesday March 26, 2019 @10:38PM (#58339544)

    Long-time Slashdot reader shanen writes:
    Any OS feature that isn't used by a LARGE majority of the users should be REMOVED from the OS.

    Yeah... fuck you. Every piece of software is being gimped like crazy to cater to the lowest common denominator, and features I need are being wiped out every day in the name of improving my experience. Microsoft already requires signed drivers, so whatever happened here is purely a political problem, not a technical one.

    If Huawei is installing some stupid "helper" that fucks up the machine, I won't buy a Huawei. I'll build the machine myself and use an OEM copy of Windows, just as I have been doing for the last 20+ years. The last thing I want is for Microsoft to lock down the system even more to ensure I have even less control of my machine.

    For the record, I stopped upgrading at Win7. I won't touch Win10 with a barge pole.

    • by AmiMoJo ( 196126 )

      Signed drivers are a good thing, they stop random malware installing drivers on your system. Defence in depth.

      They actually improve the quality of some products too. For example if you want to make a new USB widget you have a choice: a custom driver that has to be signed and requires a UAC prompt to install/update, or one of the built-in drivers like WinUSB or HID. That encourages manufacturers not to make their own crap drivers.

  • If increasing security had been half as important as maximizing profits

    FIRST you make it work, THEN you make it faster, and ONLY THEN you fix the security.

    Right? You get first / early to market your product and you make it faster and better as people accept and purchase it. Once you've got a large enough customer base who "can't live without it" you hit them up for the security charges. If you had done that at the beginning, it would have cost more and been released later to the detriment of sales.

    Besides, if you'd really wanted security you would have purchased a diffe

  • by LostMyBeaver ( 1226054 ) on Wednesday March 27, 2019 @12:51AM (#58339828)
    Please feel free to visit the latest Linux Kernel tree (or any for several years) and audit the code for the included ESXi drivers (memory management and network specifically) as well as the Cisco VIC network and SCSI driver code.

    It took me an average of 3 minutes between finding attack vectors thanks to VMware's half-assed code that should have been completely rewritten years ago. Now, if you can't find a vulnerability using the ESXi drivers in the Linux code base, you probably shouldn't be allowed near a computer.

    The Cisco VIC adapter code is so much better... you not only can find endless numbers of vulnerabilities, but you can actually upload entire new operating systems to the VIC adapters in nearly all Cisco servers (especially HyperFlex) and you can even change the boot firmware by disabling authenticity checks in the driver code. The end result being that you could easily permanently place undetectable backdoors that would require hardware replacement to correct into the VIC adapter.

    Even better... as a bonus, I'm quite confident that it is possible on VMware from a guest machine using VMFEX network adapters with Cisco VICs, it should be possible to change the hardware firmware of the VIC adapters ... which include entire built-in processors for SCSI and RDMA... so that you could pretend to be one of the VMs and communicate to anywhere you want and even issue SCSI requests to the SAN directly over network protocols that can't be monitored on Cisco switches.

    None of this is intentional... it's all because no one takes the time to clean up after their own messes.
    • by AmiMoJo ( 196126 )

      Did you report those vulnerabilities to anyone? VMware has an email address (security@vmware.com) you can use. Are there any CVEs we can look at?

    • by Anonymous Coward

      Well, I do databases and high-level back-end dev for a living. If I saw the code I doubt I'd find vulns as you claim to be able to, in the same way you wouldn't have the first clue how to tune a DB. Should I not be allowed near a computer?

      But then you didn't post links to the relevant bugs you claim to have found so go on, it'll only take you 3 minutes to find one, so post us a couple. It'll be very quick so go on, actually show us the goods instead of blagging.
      captcha: mistrust

  • by Anonymous Coward

    The engineers at Huawei know exactly what they're doing, they just didn't hide it well enough this time. The purpose of this "flawed" driver can be none other than to provide a hacking capability that is as widely distributed as Huawei phones, since every one of their phones wherever it ends up in the world will have the "flaw". Of course, anybody with half a brain and any importance should now be avoiding Huawei hardware like the plague. When the Department of Defense, the CIA, the NSA and GCHQ tell you th

  • Something is broken with the moderation function today
  • Why would you want to run more than one program at a time anyway?
    And what moron would want to have more than 640K of memory?

    "Maybe the OS should be strictly limited to what absolutely needs to be there."

    Nowadays people expect their OS to run on a variety of hardware, support all of it, support all kinds of devices plugged into the USB-port at once, do all that with a GUI that allows an image to be dragged from one piece of software to another one with a mouse movement and hides all the gritty details under

  • People have to learn that any piece of closed source software cannot be trusted.
    In the case of drivers this is even more so; whatever the design of the OS might be, even if the OS itself is fully OSS, a closed driver takes all those advantages away.
