Err, yeees?
"The actor submitted drivers for certification through the Windows Hardware Compatibility Program,"
So by implication, submitting this stuff is the end of the process, not the beginning?
Microsoft on Friday admitted it had signed malicious third-party driver code submitted for certification through its Windows Hardware Compatibility Program. According to Microsoft, the miscreant behind the subverted driver was focused on computer game players in China, and is not the sort of nation-state-backed group that has …
What makes you think financial credentials weren't the target? Once you've got a rootkit installed "for gaming purposes", you're not limited to only keylogging the games. Do games strictly conduct their financial business on a separate computer to their gaming rig? Anyway, some people get serious about their games.
The basis of the article seems to have the usual distractions: it was only aimed at a very small number of gamers, it was only a small number of customers affected etc, etc. Distraction/obfuscation/mitigation.
Let's not overcomplicate this for distraction/mitigation for Microsoft.
A rootkit is a rootkit, install one on a machine and it gives whoever full administrative access to the machine, to install further software/malware, hence its name "rootkit".
In the context of Windows 11, that means this rootkit would have got past Microsoft's security, the 'secure' TPM 2.0 chip.
TPM 2.0 is going to generate a lot of landfill for nothing (other than to sell you a new PC, that does the same 'drudge'), if Microsoft still fail to do their job (as in this case), checking submitted code.
"Now giving its blessing to malware authors through sheer lack of giving a fuck."
MS wrote a blog post about the incident, in which they described what the malware would do and said they suspended the creator's account and reviewed past submissions. And added it to their free anti-malware product.
You can express dissatisfaction while still acknowledging that they didn't completely stonewall this as some other companies do.
Exactly, and it isn't as if, say, oh, I don't know, Google, Apple or Linux distros have never been caught with their trousers around their ankles, by letting malware into their app stores/repositories, for example.
Given the limitations of AI checks, the limited number of human resources that can be thrown at the problem and the sheer quantity of submissions, none of these systems or programmes can be 100% fool-proof. It is how, and how quickly, they react, when a problem is recognised that is more important.
(For the record, I use an Android phone, a company iPhone, an iPad and several Windows and Linux PCs, so I'm not trying to excuse Microsoft for letting this in in the first place, or get at Apple, Google et al.)
Actually Google and Apple should get far more of a kicking when things slip through, considering the 30% they charge for hosting and "securing" their stores. If they chose to use some of that money to actually check programs they might not suffer from things getting through so often. But then they might have to accept a slightly smaller profit, which we all know is unacceptable, so there you go...
On one hand ElReg gives us stories about how Win11 will require a TPM 2.0 "for security", but then on the other hand we read stories like this one that indicate we can't even trust the signed MS drivers to not bend us over a table & imitate the Jaws Of Life in our sphincter.
The common folk won't be able to turn off telemetry, probably won't know the proper sacrificial incantations to utter to secure said system, and MS requires an MS account just to do the initial setup? Then just to prove this particular dumpster pyre is especially private-consumer-hostile we toss on the (Napalm, Semtex, & Thermite) satchel charge of fail.
Good job Microsoft, I'm just exploding with confidence! (Or sarcasm for the irony deficient.)
How is this any different to Apple, Google or Linux? They all suffer the same failings, at the end of the day.
Given the tens of thousands of drivers submitted for review every month, nobody can check every line of code, and AI just isn't good enough to catch every rogue driver or app. You can only do your best, and when a problem occurs, react swiftly, professionally and responsibly.
I'm happy they stood up, in public and said, mea culpa, and here is what we have done to mitigate the problem, instead of brushing it under the carpet, as many not so professional companies have done in the recent past. At least Apple, Google & Microsoft are usually public about such incidents nowadays.
Although I can remember Apple sitting on a bunch of Java zero-day patches for around 6 months after Sun/Oracle, Microsoft, Google et al had released patches for their platforms and were finally shamed into releasing the patches. Thankfully, a lot of water has passed under the security bridge since those days...
When your latest product obsoletes a considerable portion of your customers' equipment, because security, and you sack your entire testing organisation and use automated tools, you can hardly be surprised that when something they would have caught gets past your tools, that someone points out the problem.
Microsoft does not do much in the way of checking drivers before signing.
The primary requirement is that you have an EV Code Signing certificate so that they (Microsoft) have some confidence that they can track down anyone submitting a problematic driver.
One of the requirements for the EV cert is that it is stored on a security key. So if you plan to say someone stole your EV cert you need to say how they got the dongle and how they got the password for it.
recent articles in El-Reg about the insecurity of open-source, old libraries and what more that is wrong in the Linux world, Windows driver signing is like sending a binary blob containing machine code to Redmond, MS signs it so the world is secure and nobody steals information?
Somehow the possibility to conduct a source code review and Sir Torvalds overseeing things, feels warm and cozy compared to this.