Miscellaneous Tech News
-
For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.
Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.
It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.
-
@stacksofplates damn, that's significant.
-
@stacksofplates said in Miscellaneous Tech News:
For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.
Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.
It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.
OK that's definitely bad that they don't block it - but since you're an admin - why do you even care? The article says that the attacker is starting as a local admin.
-
@Dashrender said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.
Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.
It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.
OK that's definitely bad that they don't block it - but since you're an admin - why do you even care? The article says that the attacker is starting as a local admin.
Installers are typically local admins.
-
@scottalanmiller said in Miscellaneous Tech News:
@Dashrender said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.
Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.
It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.
OK that's definitely bad that they don't block it - but since you're an admin - why do you even care? The article says that the attacker is starting as a local admin.
Installers are typically local admins.
Let me ask this another way.
Yes - it's bad that MS isn't blocking something they said they would. But does that make the situation any worse than it would really be if they did?
The attacker already has local admin - why would they need to install a driver that has vulnerabilities when they already have full local admin control - what advantage do they get they didn't already have?
-
@Dashrender said in Miscellaneous Tech News:
The attacker already has local admin - why would they need to install a driver that has vulnerabilities when they already have full local admin control - what advantage do they get they didn't already have?
So in a way, they get nothing, in another, everything. Normally Windows has security protections by way of signed drivers - "known good" drivers that you should be able to trust (but anything guaranteed by Microsoft should be highly suspect, of course) and an installer gets scanned by Defender AV to ensure that there is no malicious code.
A normal elevated permissions situation here only allows the scanned installer to run, once. It's a very limited set of permissions. And the code gets scanned to see if there is anything malicious in it.
But in this case, the scanning and the notification / warning are bypassed by leveraging the fact that Microsoft has signed known vulnerable code and given it a free pass to run on your system allowing a malicious entity to bypass security. So something that is "guaranteed" to be safe because MS claims to have verified it and signed it, is actually known to be vulnerable and providing a way to access your systems to a malicious third party, not the person installing software.
So yes, if YOU were the malicious entity AND you are also the admin, it doesn't make any difference. But if you are the malicious entity and you are trying to get past security, it's a useful tool.
-
@scottalanmiller said in Miscellaneous Tech News:
But if you are the malicious entity and you are trying to get past security, it's a useful tool.
I agree with this - but that's not what the article said.
@article said
—makes it easy for an attacker with administrative control to bypass Windows kernel protections.
-
@Dashrender said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
But if you are the malicious entity and you are trying to get past security, it's a useful tool.
I agree with this - but that's not what the article said.
@article said
—makes it easy for an attacker with administrative control to bypass Windows kernel protections.
But that's true. Normally there are kernel level protections even against the admin, and this bypasses those.
Think of the attacker being someone making an installer that gets admin privs.
-
@Dashrender said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@Dashrender said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.
Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.
It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.
OK that's definitely bad that they don't block it - but since you're an admin - why do you even care? The article says that the attacker is starting as a local admin.
Installers are typically local admins.
Let me ask this another way.
Yes - it's bad that MS isn't blocking something they said they would. But does that make the situation any worse than it would really be if they did?
The attacker already has local admin - why would they need to install a driver that has vulnerabilities when they already have full local admin control - what advantage do they get they didn't already have?
Because they’re mostly things like automated installs. It’s not like someone is sitting at the keyboard as a bad actor. It’s an email with an attachment for a doc that when Sally opens it installs a valid signed driver that is vulnerable.
-
@stacksofplates said in Miscellaneous Tech News:
@Dashrender said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@Dashrender said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.
Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.
It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.
OK that's definitely bad that they don't block it - but since you're an admin - why do you even care? The article says that the attacker is starting as a local admin.
Installers are typically local admins.
Let me ask this another way.
Yes - it's bad that MS isn't blocking something they said they would. But does that make the situation any worse than it would really be if they did?
The attacker already has local admin - why would they need to install a driver that has vulnerabilities when they already have full local admin control - what advantage do they get they didn't already have?
Because they’re mostly things like automated installs. It’s not like someone is sitting at the keyboard as a bad actor. It’s an email with an attachment for a doc that when Sally opens it installs a valid signed driver that is vulnerable.
Exactly. Automated or confused users OR, don't forget, confused DEVELOPERS. It's not hard to get legit software, especially closed source, to think that MS-signed drivers are safe (as the whole idea of the system is that everyone can trust them because MS is vouching for them) and trigger that they be installed, bypassing the expected security system.
-
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@Dashrender said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@Dashrender said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.
Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.
It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.
OK that's definitely bad that they don't block it - but since you're an admin - why do you even care? The article says that the attacker is starting as a local admin.
Installers are typically local admins.
Let me ask this another way.
Yes - it's bad that MS isn't blocking something they said they would. But does that make the situation any worse than it would really be if they did?
The attacker already has local admin - why would they need to install a driver that has vulnerabilities when they already have full local admin control - what advantage do they get they didn't already have?
Because they’re mostly things like automated installs. It’s not like someone is sitting at the keyboard as a bad actor. It’s an email with an attachment for a doc that when Sally opens it installs a valid signed driver that is vulnerable.
Exactly. Automated or confused users OR, don't forget, confused DEVELOPERS. It's not hard to get legit software, especially closed source, to think that MS-signed drivers are safe (as the whole idea of the system is that everyone can trust them because MS is vouching for them) and trigger that they be installed, bypassing the expected security system.
I've seen that done by developers way too often.
-
@travisdh1 said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@Dashrender said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@Dashrender said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.
Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.
It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.
OK that's definitely bad that they don't block it - but since you're an admin - why do you even care? The article says that the attacker is starting as a local admin.
Installers are typically local admins.
Let me ask this another way.
Yes - it's bad that MS isn't blocking something they said they would. But does that make the situation any worse than it would really be if they did?
The attacker already has local admin - why would they need to install a driver that has vulnerabilities when they already have full local admin control - what advantage do they get they didn't already have?
Because they’re mostly things like automated installs. It’s not like someone is sitting at the keyboard as a bad actor. It’s an email with an attachment for a doc that when Sally opens it installs a valid signed driver that is vulnerable.
Exactly. Automated or confused users OR, don't forget, confused DEVELOPERS. It's not hard to get legit software, especially closed source, to think that MS-signed drivers are safe (as the whole idea of the system is that everyone can trust them because MS is vouching for them) and trigger that they be installed, bypassing the expected security system.
I've seen that done by developers way too often.
In theory as a dev you are supposed to be able to rely on the IT team. If IT is okay with Windows, then you are kind of stuck.
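The defender-side check this thread calls for is whether the vulnerable driver blocklist and memory integrity are actually on, and which kernel drivers are currently loaded with what signer. The script below is an added example written for this page, not code from the thread or from Microsoft; it assumes the registry value VulnerableDriverBlocklistEnable under CI\Config and the Win32_DeviceGuard CIM class, both as documented by Microsoft, and $KnownBad is a placeholder list you fill in yourself. Run it from an elevated PowerShell.

```powershell
# Added audit script (not from the thread). Reports the Microsoft Vulnerable
# Driver Blocklist toggle and HVCI state, then lists running kernel drivers
# with signer and SHA-256 so they can be compared against a list the admin
# keeps current. Defensive/audit use only; it changes nothing on the host.

# 1. Blocklist toggle. Path and value name as documented by Microsoft; an
#    absent value means the OS default applies. A value of 1 only says the
#    feature is on, not that the list it enforces has been refreshed.
$ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$toggle = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
$toggleText = if ($null -eq $toggle) { 'not set (OS default)' } else { $toggle }
Write-Host "VulnerableDriverBlocklistEnable: $toggleText"

# 2. HVCI. SecurityServicesRunning contains 2 when hypervisor-enforced
#    code integrity is active (1 is Credential Guard).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
Write-Host "HVCI running: $($dg.SecurityServicesRunning -contains 2)"

# 3. Placeholder: uppercase SHA-256 hex strings of drivers you have decided
#    to block, taken from a blocklist you trust. Empty here on purpose.
$KnownBad = @()

# Win32_SystemDriver reports kernel-style paths; normalise them to Win32 paths.
function Resolve-DriverPath([string]$p) {
    $p = $p -replace '^\\\?\?\\', ''                 # strip leading \??\
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

Get-CimInstance -ClassName Win32_SystemDriver |
  Where-Object { $_.State -eq 'Running' -and $_.PathName } |
  ForEach-Object {
    $path = Resolve-DriverPath $_.PathName
    if (-not (Test-Path -LiteralPath $path)) { return }   # skip unresolvable paths
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Name      = $_.Name
        Path      = $path
        SigStatus = $sig.Status      # Valid means a trusted signature, not a safe driver
        Signer    = $signer
        SHA256    = $hash
        OnMyList  = $KnownBad -contains $hash
    }
  } |
  Sort-Object OnMyList -Descending |
  Format-Table -AutoSize
```

The point the thread makes is visible in the output: a driver with SigStatus Valid and a Microsoft signer is exactly what BYOVD relies on, so the per-driver hash list, checked against a blocklist you refresh yourself, is the part that does not depend on Windows Update having applied anything.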
-
Ubuntu now available for real-world RISC-V devices!
https://liliputing.com/now-you-can-run-ubuntu-on-a-risc-v-computer-that-costs-less-than-20/
-
Japanese fund secures 1 trillion yen to buy Toshiba
TOKYO (Kyodo) -- A Japanese investment fund has secured about 1 trillion yen ($6.8 billion) to buy out Toshiba Corp. and notified the embattled conglomerate that the amount was offered by a group of more than 10 Japanese companies, a source familiar with the matter said Monday.
But Japan Industrial Partners Inc. failed to meet Toshiba's request to submit a letter of loan commitments from major banks by Monday, the source said, leaving uncertain whether funds can be guaranteed for the takeover estimated at some 2.2 trillion yen in total.
Japan Industrial Partners, which leads a consortium that Toshiba designated the preferred bidder for the potential buyout, appears to be basing its total cost estimate on share price, as the figure equals the company's market capitalization, the source said.
In early October, Toshiba selected the consortium as the preferred bidder over Japan Investment Corp., a state-backed fund seeking to team up with Bain Capital for the buyout.
Toshiba has been struggling to recover from problems such as a window-dressing scandal and a massive loss in U.S. nuclear power business that surfaced in the 2010s.
-
@scottalanmiller said in Miscellaneous Tech News:
AMD Genoa announced...
https://www.nextplatform.com/2022/11/10/amd-genoa-epyc-server-cpus-take-the-heavyweight-title/
AMD, turning it up to 11!
-
@travisdh1 said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
AMD Genoa announced...
https://www.nextplatform.com/2022/11/10/amd-genoa-epyc-server-cpus-take-the-heavyweight-title/
AMD, turning it up to 11!
No kidding. Too bad these are so big I'll never need one of my own. But hopefully the datacenters see these rolling in soon.
-
@scottalanmiller said in Miscellaneous Tech News:
@travisdh1 said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
AMD Genoa announced...
https://www.nextplatform.com/2022/11/10/amd-genoa-epyc-server-cpus-take-the-heavyweight-title/
AMD, turning it up to 11!
No kidding. Too bad these are so big I'll never need one of my own. But hopefully the datacenters see these rolling in soon.
Some of the press releases have confirmed the big providers already have them in use, so yes, they're already being deployed.
-
GoTo (formerly known as LastPass) has customer accounts breached...
https://thehackernews.com/2023/01/lastpass-parent-company-goto-suffers.html