Microsoft approved a Windows driver booby-trapped with rootkit malware

Microsoft on Friday admitted it had signed malicious third-party driver code submitted for certification through its Windows Hardware Compatibility Program. According to Microsoft, the miscreant behind the subverted driver was focused on computer game players in China, and is not the sort of nation-state-backed group that has …

  1. Terry 6 Silver badge

    Err, yeees?

    "The actor submitted drivers for certification through the Windows Hardware Compatibility Program,"

    So by implication, submitting this stuff is the end of the process, not the beginning?

    1. JimboSmith Silver badge

      Re: Err, yeees?

      I suppose we should be grateful that it wasn't something more serious that the malware was designed to do. Could have been a lot more serious if it targeted financial logins and passwords.

      1. Allan George Dyer Silver badge
        Holmes

        Re: Err, yeees?

        What makes you think financial credentials weren't the target? Once you've got a rootkit installed "for gaming purposes", you're not limited to only keylogging the games. Do gamers strictly conduct their financial business on a separate computer to their gaming rig? Anyway, some people get serious about their games.

        1. Anonymous Coward

          A rootkit is a rootkit. Install one, it has free rein to do what it likes.

          The basis of the article seems to have the usual distractions: it was only aimed at a very small number of gamers, it was only a small number of customers affected, etc, etc. Distraction/obfuscation/mitigation.

          Let's not over complicate this for distraction/mitigation for Microsoft.

          A rootkit is a rootkit, install one on a machine and it gives whoever full administrative access to the machine, to install further software/malware, hence its name "rootkit".

          In the context of Windows 11, that means this rootkit would have got past Microsoft's security, the 'secure' TPM 2.0 chip.

          TPM 2.0 is going to generate a lot of landfill for nothing (other than to sell you a new PC, that does the same 'drudge'), if Microsoft still fail to do their job (as in this case), checking submitted code.

      2. NoneSuch Silver badge

        Re: Err, yeees?

        Errm, no...

        This is the instance we know of... What don't we know...

  2. Pascal Monett Silver badge

    Ah, Microsoft

    Now giving its blessing to malware authors through sheer lack of giving a fuck.

    1. Someone Else Silver badge

      Re: Ah, Microsoft

      Either not giving a fuck, or not being capable of doing anything right if it did give a fuck?

      Note that could be an inclusive 'or', so it's possible both are true...

      1. vogon00

        Re: Ah, Microsoft

        Either those, or they delegated the go/no-go decision to some AI that actually turns out to be pretty dumb.

        My current opinion is that 'AI' and Tesla's 'Autopilot' feature have something else in common...they both claim to be something they are most definitely not..

    2. jtaylor Bronze badge

      Re: Ah, Microsoft

      "Now giving its blessing to malware authors through sheer lack of giving a fuck."

      MS wrote a blog post about the incident, in which they described what the malware would do and said they suspended the creator's account and reviewed past submissions. And added it to their free anti-malware product.

      You can express dissatisfaction while still acknowledging that they didn't completely stonewall this as some other companies do.

      1. big_D Silver badge

        Re: Ah, Microsoft

        Exactly, and it isn't as if, say, oh, I don't know, Google, Apple or Linux distros have never been caught with their trousers around their ankles, by letting malware into their app stores/repositories, for example.

        Given the limitations of AI checks, the limited number of human resources that can be thrown at the problem and the sheer quantity of submissions, none of these systems or programmes can be 100% fool-proof. It is how, and how quickly, they react, when a problem is recognised that is more important.

        (For the record, I use an Android phone, a company iPhone, an iPad and several Windows and Linux PCs, so I'm not trying to excuse Microsoft for letting this in in the first place, or get at Apple, Google et al.)

        1. lglethal Silver badge
          Mushroom

          Re: Ah, Microsoft

          Actually Google and Apple should get far more of a kicking when things slip through, considering the 30% they charge for hosting and "securing" their stores. If they chose to use some of that money to actually check programs they might not suffer from things getting through so often. But then they might have to accept a slightly smaller profit, which we all know is unacceptable, so there you go...

    3. Muppet Boss Bronze badge
      Joke

      Re: Ah, Microsoft

      But... but... the malware was working as intended and did not compromise the system stability...

  3. David Pearce

    There is serious real money to be made in "eSports" these days, so expect more criminal activity

  4. ShadowSystems

    Not inspiring confidence.

    On one hand ElReg gives us stories about how Win11 will require a TPM 2.0 "for security", but then on the other hand we read stories like this one that indicate we can't even trust the signed MS drivers to not bend us over a table & imitate the Jaws Of Life in our sphincter.

    The common folk won't be able to turn off telemetry, probably won't know the proper sacrificial incantations to utter to secure said system, and MS requires an MS account just to do the initial setup? Then just to prove this particular dumpster pyre is especially private-consumer-hostile we toss on the (Napalm, Semtex, & Thermite) satchel charge of fail.

    Good job Microsoft, I'm just exploding with confidence! (Or sarcasm for the irony deficient.)

    1. big_D Silver badge

      Re: Not inspiring confidence.

      How is this any different to Apple, Google or Linux? They all suffer the same failings, at the end of the day.

      Given the tens of thousands of drivers submitted for review every month, nobody can check every line of code, and AI just isn't good enough to catch every rogue driver or app. You can only do your best, and when a problem occurs, react swiftly, professionally and responsibly.

      I'm happy they stood up, in public and said, mea culpa, and here is what we have done to mitigate the problem, instead of brushing it under the carpet, as many not so professional companies have done in the recent past. At least Apple, Google & Microsoft are usually public about such incidents nowadays.

      Although I can remember Apple sitting on a bunch of Java zero-day patches for around 6 months after Sun/Oracle, Microsoft, Google et al had released patches for their platforms and were finally shamed into releasing the patches. Thankfully, a lot of water has passed under the security bridge since those days...

      1. EnviableOne Silver badge

        Re: Not inspiring confidence.

        When your latest product obsoletes a considerable portion of your customers equipment, because security, and you sack your entire testing organisation and use automated tools, you can hardly be surprised that when something they would have caught gets past your tools, that someone points out the problem.

  5. Anonymous Coward

    I *knew* that "Windows 11" was suspicious!

  6. sl149q

    Driver signing by Microsoft is just a way to know who is responsible

    Microsoft does not do much in the way of checking drivers before signing.

    The primary requirement is that you have an EV Code Signing certificate so that they (Microsoft) have some confidence that they can track down anyone submitting a problematic driver.

    One of the requirements for the EV cert is that it is stored on a security key. So if you plan to say someone stole your EV cert you need to say how they got the dongle and how they got the password for it.

    1. elsergiovolador Silver badge

      Re: Driver signing by Microsoft is just a way to know who is responsible

      That does not sound secure at all. I can think of many ways how to go around it.

    2. bombastic bob Silver badge
      Mushroom

      Re: Driver signing by Microsoft is just a way to know who is responsible

      Driver signing by Microsoft is just a way to ADD A TOLL BOOTH

      Fixed it for ya. Driver signing is *POINTLESS* and an UNNECESSARY ROADBLOCK to FOSS.
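
  The exchange above (sl149q's description of the EV-certificate-plus-attestation model and the replies to it) makes one practical point: a Microsoft signature on a driver binary mostly tells you that someone with a traceable EV certificate submitted it, not that the code was reviewed. So "signed" is not a trust decision you can stop at. The PowerShell below is an added example, not code from the article, from Microsoft or from any commenter. It inventories the kernel drivers on a box, verifies each Authenticode or catalog signature, records the leaf signer and a SHA-256 hash, and flags drivers that came through the Hardware Compatibility signing path. The subject-name match on "Windows Hardware Compatibility Publisher" is an assumption about the certificate commonly seen on attestation- and WHQL-signed drivers; confirm it against your own systems before relying on it, and the exported CSV is meant to be matched against indicators you obtain elsewhere (none are embedded here).

```powershell
# Added example: inventory kernel drivers by who actually signed them.
# Assumption (not from the article): attestation/WHQL-signed drivers carry a
# leaf certificate whose subject contains "Windows Hardware Compatibility Publisher".
param(
    [string]$DriverDir = "$env:SystemRoot\System32\drivers",
    [string]$OutCsv    = "$env:TEMP\driver-signers.csv"
)

$results = Get-ChildItem -Path $DriverDir -Filter *.sys -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Checks the embedded Authenticode signature, or the catalog signature
        # for inbox drivers that are signed via a .cat file.
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash

        [pscustomobject]@{
            Driver        = $_.Name
            Status        = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
            SignatureType = $sig.SignatureType   # Authenticode or Catalog
            Signer        = $signer
            HwCompatPath  = ($signer -like '*Windows Hardware Compatibility Publisher*')
            SHA256        = $hash
        }
    }

# Triage order: anything whose signature does not verify comes first.
Write-Host "== Drivers whose signature does not verify =="
$results | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Driver | Format-Table Driver, Status, SignatureType, Signer -AutoSize

# Then the drivers that reached the machine via the Hardware Compatibility
# signing path: valid signatures, but the signer does not identify the submitter.
Write-Host "== Drivers signed via the Hardware Compatibility path =="
$results | Where-Object { $_.HwCompatPath } |
    Sort-Object Driver | Format-Table Driver, SignatureType, SHA256 -AutoSize

# Everything else, grouped by signer, so unfamiliar publishers stand out.
Write-Host "== Other valid signers =="
$results | Where-Object { $_.Status -eq 'Valid' -and -not $_.HwCompatPath } |
    Group-Object Signer | Sort-Object Count -Descending | Select-Object Count, Name

# Export the full inventory (with hashes) for matching against IOCs from your
# AV/EDR vendor or Microsoft's advisories; no indicators are embedded here.
$results | Export-Csv -Path $OutCsv -NoTypeInformation
Write-Host "Inventory written to $OutCsv"
```

  Run it from an elevated prompt so every file under the drivers directory is readable. The script deliberately does not try to decide which Hardware-Compatibility-signed driver is malicious, because nothing in the binary's Microsoft signature distinguishes a legitimate submission from the one the article describes; what it gives you is the hash list and signer breakdown you need to compare against published indicators and to notice a driver that has no business being on that machine.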

  7. naive Silver badge

    So after all the

    recent articles in El-Reg about the insecurity of open-source, old libraries and what more that is wrong in the Linux world, Windows driver signing is like sending a binary blob containing machine code to Redmond, MS signs it so the world is secure and nobody steals information?

    Somehow the possibility to conduct a source code review and Sir Torvalds overseeing things, feels warm and cozy compared to this.

  8. Mike Lewis

    Hey!

    Leave off Microsoft QA. It's just one guy and he's doing the best he can.

Biting the hand that feeds IT © 1998–2021