back to article What do Windows 10 and Uber or Lyft have in common? One bad driver can really ruin your day. And 40 can totally ruin your month

Too many trusted Windows 10 peripheral drivers, signed off by Microsoft and running with powerful kernel-level privileges, are riddled with exploitable security vulnerabilities, according to infosec biz Eclypsium. During a talk [PDF] at this year's DEF CON hacking shindig in Las Vegas, Eclypsium's Jesse Michael and Mickey …

  1. RM Myers
    Meh

    Driver Signing

    Driver signing is not intended to caught security or other flaws. It is just a method to make sure the driver is really from the vendor, and has not been tampered with by a third party (think CRC). You can turn off driver verification temporarily if necessary - if you're the developer testing the driver, for example, or the vendor hasn't certified that a new driver for a new OS will work for an old GPU even though it will (great way to sell new GPU's, isn't it, NV*****)..

    1. bombastic bob Silver badge
      Mushroom

      Re: Driver Signing

      It is just a method to make sure the driver is really from the vendor BLESSED AND APPROVED BY MICROSOFT because YOU PAID THEM MONEY TO SIGN IT

      Fixed that for ya!!!

      The *ENTIRE* driver signing process is WORSE than COMPLETELY BOGUS, it STIFLES open source development by putting a FRICKING TOLLBOOTH in the way, and is GENERALLY a NUISANCE. And if you choose to bypass those "checks" (which are pretty worthless ANYWAY, it appears, according to the article) you get a WATERMARK in the corner of your screen, like some kind of PUNISHMENT.

      Whereas, LINUX and FREEBSD do _NOT_ have this problem. All of THEIR drivers are OPEN SOURCE and you can WRITE YOUR OWN and INSTALL IT whenever you want! *NO* *STUPID* *SIGNAGE* *REQUIREMENTS*.

      Yes, ever since VISTA 64-bit drivers *MUST* be signed. THAT! IS! FORNICATED! UP!!!

      1. pavel.petrman Bronze badge

        Re: Driver Signing

        You may or may not have a point there but we'll never know. Caps and exclamation mark abuse come across as positively as "Now I have your attention" and "We value your privacy", upon reaching which any gentleman will read no further.

      2. Huw D Silver badge

        Re: Driver Signing

        I believe you can say "Fucked" on here, Bob.

        1. deadlockvictim Silver badge

          Re: Driver Signing

          But "fornicated" is good though.

          1. Huw D Silver badge

            Re: Driver Signing

            Just reminds me of uptight bible-belt Americans, that's all.

          2. Kevin Johnston

            Re: Driver Signing

            Reminds me of the Ankh-Morpork bank that has fornication running around the top of the walls

      3. Anonymous Coward
        Anonymous Coward

        Re: Driver Signing

        if commentard = "bombastic bob":

        print(comment.lower())

        1. Anonymous Coward
          Anonymous Coward

          Re: Driver Signing

          More like comment.ignore()

    2. Paul Crawford Silver badge

      Re: Driver Signing

      Driver signing is sold as a way of stopping malware, but really is all about enforcing DRM.

    3. steviebuk Silver badge

      Re: Driver Signing

      Driver Signing has never been a full on certified method of authenticity. Its been known for years you can fake signing. I'm sure it was mentioned in the old Sysinternals Video Library but if not, even Mark Russinovich and I think Aaron Margois have mentioned in their various talks how signing can be forged.

  2. Pascal Monett Silver badge

    "all the vulnerable drivers we discovered have been certified by Microsoft"

    Well duh. Given how difficult it is for Microsoft to get its own code right, I wouldn't take any MS certification to mean vuln-free.

    Certified by Microsoft simply means they ran it once on a machine and that machine didn't crash inside of 15 minutes.

    1. druck Silver badge

      Re: "all the vulnerable drivers we discovered have been certified by Microsoft"

      Not even that, it just means they generated a cryptographic hash and embedded it in the driver.

      1. The Oncoming Scorn Silver badge
        Paris Hilton

        Re: "all the vulnerable drivers we discovered have been certified by Microsoft"

        Not even that, it just means they generated a cryptographic hash and embedded it in the driver.

        I initially read that as "embedded in the river".

        PH - Something to do embedding (If you are so inclined to go where everyone's gone before).

    2. katrinab Silver badge

      Re: "all the vulnerable drivers we discovered have been certified by Microsoft"

      Certified by Microsoft means it was actually published by Nvidia or whoever, and it isn't some trojan driver from a third-party distributor.

  3. Anonymous Coward
    Anonymous Coward

    The signature is also a revocation system

    Microsoft can “untrust” problematic drivers if there is an issue.

  4. zaax

    Sounds like if your M$ system gets hacked repair costs are down to M$. Yesterday we had a illiterate user open an infected email luckily the anti-virus software caught it.

    1. Spanners Silver badge
      Headmaster

      .....illiterate user......

      Is that a grammatical redundancy?

  5. Benson's Cycle

    Microkernels

    It's been mentioned by others that Huawei's OS, like QNX/BB 10, is a microkernel.

    It would be hugely paradoxical (and amusing) if a Chinese OS turned out to be more secure than a US one. It probably won't, but at least they are starting in the right place.

  6. boltar Silver badge

    I'm no fan of MS...

    ... but I suspect you'd find flaws on drivers on Linux and MacOS too if you looked. Drivers are generally extremely complicated pieces of software, often with interrupt based code paths and this sort of code is hard enough to get working reliably in the first place especially when manufacturer specs can be somewhat lacking, never mind ensuring it has zero security holes.

    1. Anonymous Coward
      Anonymous Coward

      @boltar - Re: I'm no fan of MS...

      I would add increasingly complicated pieces of software written by decreasingly competent developers. You know, the exact same kind of people who would hard code back-doors or make use of weak encryption among others.

  7. jms222

    More layers as VAX/VMS

    Drivers generally aren't quite as privileged as the main kernel in (Open)VMS yet somehow we've gone backwards in the last few decades.

    1. Warm Braw Silver badge

      Re: More layers as VAX/VMS

      Well this wasn't true in VAX days - drivers ran in the kernel ring, though less critical parts were sometimes farmed of to a user-space process (ACP). As I recall, parts of the filesystem ran in Executive mode and the DCL shell ran mostly in Supervisor mode.

      Post-VAX, some of these modes are virtualised as the CPU architecture doesn't support all the necessary modes, or, as in the case of the x86/x64 implementations, only the innermost and outermost modes function efficiently.

      There's certainly an argument that modern requirements (where you have lots of third party software, much of it running from unknown sources on the Internet, often unbidden) would be easier to serve with either more protection rings - or a less hierarchical model with better compartmentalisation - but four rather than two is not going to make much of a difference.

      1. boltar Silver badge

        Re: More layers as VAX/VMS

        "Post-VAX, some of these modes are virtualised as the CPU architecture doesn't support all the necessary modes, or, as in the case of the x86/x64 implementations, only the innermost and outermost modes function efficiently."

        Intel processors have 4 modes, 6 if you count hypervisor (-1) and the management engine (-2). Just because most x86 OSs only use supervisor and user mode doesn't mean the others couldn't be used effectively.

        "or a less hierarchical model with better compartmentalisation"

        Hence containers , a souped up chroot jail. Though I doubt they work well under Windows so we'll have to put up with hypervisor nonsense with multiple OS copies running just to fully seperate various applications on MS's brain damaged OS for a while yet.

        1. LDS Silver badge

          Re: More layers as VAX/VMS

          On Intel system, usually a driver to work with hardware needs to be able to call I/O instructions and access devices memory. The former is controlled by the IOPL value that can be set to any ring, but in the two rings system used by most OS is usually set to zero so only kernel code can call I/O instruction. Memory access depends on how the kernel maps memory for devices, as most instructions for memory management are reserved for ring zero, ant then how much data drivers have to exchange with kernel and user space, as ring transitions have a cost. Actually, in the early days of protected mode Intel proposed a model with kernel in ring 0, drivers at ring 1, system libraries at ring 2, and user code at ring 3. Nobody adopted that model because it was slow and not portable. Now AFAIK the x64 architecture removed fully such possibility.

        2. Warm Braw Silver badge

          Re: More layers as VAX/VMS

          Intel processors have 4 modes

          They do, but moving between them is rather slow, which is why SYSCALL et al were invented - but only for trapping to mode 0.

          "Traditional" protection systems cause all sorts of pain because changing modes usually means saving and restoring a bunch of privileged registers and a complete change of virtual address space. If you were designing a processor architecture today, you probably wouldn't bother with virtual memory for the inner modes - there's no real reason you can't have enough real memory and you can do memory protection in other ways - and you could consequently speed up mode changes quite considerably.

  8. jmc787

    I don't blame Microsoft for this, I blame the vendors who made the dodgy drivers. All MS is doing is verifying the authenticity of the driver, I would not expect them to know more about the vendors product than the vendors themselves.

  9. a_yank_lurker Silver badge

    Meaning?

    What does 'certified driver' really mean? If it means Slurp has thoroughly tested it and examined it then you have one set of expectations If it means Slurp has verified the hash matches what the vendor says the hash is then there are one set of expectations, at least for the nerds. However, what does the average user think? I suspect they think more along the lines of the first possibility, Slurp is actually thoroughly testing it. Thus there is a source of confusion because Slurp is being coy about what they really mean. But that is nothing new for Slurp where they imply one thing in their shyster but it really means something else.

    1. DJV Silver badge
      Facepalm

      "Slurp"

      I'm not sure which is the more tedious - "Slurp", "Micro$oft" or "M$". Either way, nowadays it just means any post containing them is taken far less seriously*.

      * "Seriously", on El Reg? Well, maybe... :D

      1. Benson's Cycle

        Re: "Slurp"

        You were doing so well up to the :D.

        Almost as annoying as LOL.

  10. Michael Wojcik Silver badge

    Organizations should update drivers

    Yes, good luck updating drivers. I have a Dell laptop that's two years old, and has one of the Intel network drivers with the idiotic bug that causes it to log a pointless message to the Windows event log every minute. Intel apparently fixed that years ago (and, obviously, it should never have shipped the thing in the first place, but then Intel is no better than most OEMs at quality control), but Dell still hasn't made the updated driver available for this machine. It's also not available through Intel or Microsoft.

    The fact is most OEMs and system vendors can't be bothered to make updated drivers available, at least in any consistent fashion.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019