Microsoft signed a dodgy driver and now ransomware scum are exploiting it

Ransomware crooks are exploiting a third-party Windows kernel-level driver used and provided by disk management tool Paragon Partition Manager. Paragon Partition Manager is a software tool that allows users to create and manage partitions on a storage drive. It sports a Microsoft-approved, digitally signed kernel-level driver …

  1. Philip Storry
    WTF?

    Legacy code strikes again!

    This is almost certainly code that was written in the late 90s or early 2000s, and has just sat there ever since.

    "It works, so why change it" is fine for code in userland applications that won't hold sensitive data, but not for kernel code like this. (Or for some kinds of userland apps.)

    So how do we get companies to audit their old code?

    In the case of kernel-mode drivers, I suggest that Microsoft make signing the driver a contract. If the driver has a security flaw, then the cost to Microsoft of investigating and mitigating the flaw will be borne by the supplier. Plus a penalty fine per vulnerability if they're common types (buffer overflow, pointer misuse).

    Only by introducing some kind of fiscal penalty will the audit of old code suddenly become fiscally viable, which is what we need.

    1. Will Godfrey Silver badge
      Unhappy

      Re: Legacy code strikes again!

      Nice idea, but this would hit small companies really hard. The big ones would simply restructure, move contentious code to new entities and sell them off, thus absolving themselves of any future responsibility.

    2. Roland6 Silver badge

      Re: Legacy code strikes again!

      > "If the driver has a security flaw, then the cost to Microsoft of investigating and mitigating the flaw will be borne by the supplier."

      The whole of Windows is signed by Microsoft; you could argue the OS is a driver for the “PC”, thus MS would be on the hook….

      However, this has been the case since whenever Microsoft sold their first product, so we have a long history of how this works….

      At least it seems the certificate revocation process works and only blocks this specific driver rather than all of Paragon's products.

    3. BinkyTheMagicPaperclip Silver badge

      Re: Legacy code strikes again!

      Nope, not legacy code, lowering of standards.

      I have the vague memory/possibly idealistic viewpoint that back in the day WHQL drivers actually meant something. That hasn't been true for a *long* time, especially for GPU drivers, where things can be objectively broken but still meet WHQL.

      Perhaps you could argue that it's still 'OK' but test coverage needs increasing; however, they've had a long time to do that and not really improved things. I realise GPU drivers are very complex, but I don't think that's a particular excuse, especially when certain vendors *cough* AMD *cough* can repeatedly leave notable bugs in their driver unfixed for a year at a time.

      1. TSM

        Re: Legacy code strikes again!

        I think probably your memory is overly idealistic.

        Here's a post from Raymond Chen from *21 years ago* detailing some of the shenanigans that manufacturers got up to to get their drivers approved by WHQL, by making them work differently in WHQL than when operating in a normal environment:

        https://devblogs.microsoft.com/oldnewthing/20040305-00/?p=40373

  2. Always Right Mostly

    If only there were processes and tools to test code before signing and shipping it.

    1. Will Godfrey Silver badge
      Unhappy

      There are plenty of "tools" - mostly in upper management.

  3. Bebu sa Ware
    Facepalm

    Didn't Paragon donate this code to the Linux kernel ntfs3 driver?

    Just asking.

    1. doublelayer Silver badge

      Re: Didn't Paragon donate this code to the Linux kernel ntfs3 driver?

      They donated code to that, but I see no evidence that it was this code, and it seems quite unlikely that it was because Windows already has an NTFS driver. The Partition Manager software that this appears to be part of is a distinct product. If this had been, for example, Paragon's NTFS for Mac OS software, then I'd be more worried that a similar bug could affect Linux, although even then the most sensitive code would likely be OS-specific.

    2. TeeCee Gold badge
      Coat

      Re: Didn't Paragon donate this code to the Linux kernel ntfs3 driver?

      Hence the old saying: "Beware of geeks bearing gifts."

  4. Chris Hills

    Revole the certificate!

    Surely the certificate should be revoked immediately. There really should be a mechanism for this (at least, for online devices).

    1. Ken Hagan Gold badge

      Re: Revole the certificate!

      I think "the certificate" in this case is the same one that signs all other third party drivers and it hasn't actually been compromised.

      The correct solution is to teach Windows to recognise this particular driver, which apparently MS have already done in the case of Win11. (Kinda odd that Win10 has missed out on that. Are they trying to blackmail us into upgrading or something?)
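The point above, that third-party drivers share one Microsoft signer and so have to be blocked individually rather than by certificate, can be checked on your own machines. The following is an added example, not code from the article, the commenters or Paragon: it inventories the running kernel drivers, records the Authenticode signer and SHA-256 of each driver file, and groups them by signer so the number of distinct signing certificates is visible. It assumes an elevated PowerShell session on Windows; the `$SuspectHashes` list is a placeholder to be populated from a trusted advisory, since the page itself gives no hash for the affected driver.

```powershell
# Added example (not from the article or the comment thread): list running
# kernel drivers by Authenticode signer, so "which certificate signed this?"
# is answered per driver file rather than per vendor.
# Assumptions: elevated PowerShell on Windows; $SuspectHashes is a placeholder
# to be filled from a trusted advisory, not a value taken from the page.

$SuspectHashes = @(
    'PLACEHOLDER-SHA256-FROM-ADVISORY'
)

# Win32_SystemDriver exposes each kernel driver's service state and image path
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName may carry a \??\ prefix or quotes; normalise to a plain file path
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '"', ''
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    [pscustomobject]@{
        Name    = $d.Name
        Path    = $path
        Status  = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        SHA256  = $hash
        Flagged = $SuspectHashes -contains $hash    # matches a hash from an advisory
    }
}

# How many distinct signer certificates cover the running drivers? A single
# Microsoft subject covering most third-party drivers is the commenter's point.
$report | Group-Object Signer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Drivers whose file hash matches an advisory entry, plus anything not validly signed
$report | Where-Object { $_.Flagged -or $_.Status -ne 'Valid' } |
    Format-List Name, Path, Status, Signer, SHA256
```

The grouping output shows why certificate revocation is the wrong lever here: revoking the shared signer would invalidate every driver in the same group. Per-file hashes, by contrast, identify exactly one driver build, which is what a blocklist entry keys on.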

      1. Phil Koenig Bronze badge

        Re: Revole the certificate!

        Are they trying to blackmail us into upgrading or something?

        How dare you suggest such a thing.

        We now return you to your regular revoling tasks.
