137 comments

[ 3.4 ms ] story [ 229 ms ] thread
Backdoor is such a loaded word to use for a vulnerability. Especially since Huawei is involved. Shame on the person who came up with the title and the reporter who uses the term in the article.
The Epoch Times is a Falun Gong propaganda arm, and Falun Gong is basically Chinese Scientology that the CCP has been trying to stamp out.
What?

Maybe the Epoch Times is biased, but the Falun Gong is nothing like scientology: it has no fees and isn't trying to coerce anyone to join.

It's a minority group that is persecuted by the CCP.

What kind of minority group?

They're religious kooks. That doesn't mean they deserve to be stamped out, necessarily, but they're also not a "minority group" by the common definition of the term.

> they're also not a "minority group" by the common definition of the term.

How not? The Chinese government locks them up, murders them, and harvests their organs because they disagree with the communist party. Sounds like pretty classic "authoritarian government vs minority group" to me.

I read my grandma’s FaLun Gong book when I was 8. Eye opening that it’s completely bullshit and lies(the founder claimed he is omnipotent and could cure cancer). However China has a large gullible and uneducated population and you can’t imagine the harm such nonsense group could cause. And hell yes they definitively used it to profit. It’s freaking a hoax. It’s not a religion and It has nothing to do with “disagree with authoritarian” at all
I don't think you engaged with my comment in good faith, here.

Falun gong are han Chinese who chose to identify with a particular religious offshoot. That doesn't make them a minority group as westerners understand it. Would you call Mormons minorities?

Outside of Utah, yes.
I think it is pretty common to refer to Jews or Muslims as minorities, and it doesn't seem weird to me to call Mormons a minority group as well.
In general, You are defining minority group as minority ethnicity only
Yes. I'm an American and America was founded by a bunch of religious offshoots who were being persecuted in their home country for being offshoots (protestants) rather than having the majority religion of their peers (Catholic). Religious minorities are minorities too.
That moment when you mention a group of people who just want to chill and meditate, but are instead being organ harvested.

Then blame them for the world fearing Huawei security

The Epoch Times is run by Falun Gong so they have an anti-Chinese government slant.
Pretty sure it's not anti-Chinese government.

It's the anti-"current Chinese policy" and the way it treat dissidents, minorities, journalists etc.

You're right, I conflated the two.
There is no valid reason, ever, for a driver to do what the Huawei driver did here. That should be obvious given the detection methods that Microsoft implemented in the kernel to find and prevent just this behavior.

The Microsoft blog might stop short of calling it malware, but I think we don't need the faux politeness here. The fact that their malware also contained a privilege escalation (the "vulnerability") is merely icing on the cake.

Really? Because MS and others have stated what Huawei did here isn't unheard of.

This is simply news because it's Huawei and many want them to be guilty of backdooring US entities. Perhaps they are, but no more many other "respected" US companies.

To be fair, doing things for which "There is no valid reason, ever" is not unheard of, especially in software.
Since you make a very strong claim on a very complex topic, would you mind if I asked you to share whether you have expertise / credentials on drivers and security?

Edit: I'm not sure if it's considered appropriate to ask for credentials on HN. There's one way to find out :)

What is so complex about it? This is a very simple code injection technique ported to kernel space. Only, of course, there is essentially no use for code injection in any sort of production software.
(comment deleted)
A driver allowing to map any page is like recording a magician from all angles.

The only reasonable usage of such a situation is for the magician him/herself, to study his/her own performance. And even then, it is not usually done that way.

There's a lot of situations where you map in trampolines to perform work inside a process on behalf of that process.
The article is about a driver that allows to map any physical page.
That majority isn't.

And while there's better ways to handle it, and it wouldn't pass a design review of mine, it's pretty common to make a driver specific /dev/mem equivalent. For isntance https://forum.xda-developers.com/showthread.php?t=2057818

I am not sure what you are trying to say.

Any driver for a multiuser OS that essentially bypasses protection mechanisms by the kernel for non-root users is broken, period.

There is no argument about it.

I mean, it's goofy, hacky, and has obvious security flaws but doesn't look malicious. Calling it a "backdoor" ascribes a certain intentionality to the vulnerability that's not clear is warranted. It's about the code quality I expect from the management shovelware that comes preloaded on laptops from any major brand.

Source: I've written kernel drivers and exploits.

On the other hand a reliable backdoor that also looks like sloppy code is better, as most of us are familiar with truly awful code it’s a nice layer of plausible deniability.

As the full saying goes.

Never attribute to malice what can be explained by stupidity...but don’t rule out malice.

By that logic we should be calling all vulnerabilities "backdoors" just in case.
Perhaps you should because the end result is the same, shit code sinks ships. Somebody could have written it intentionally or somebody could have been a dumbshit. Doesn't matter to me because now my computer is compromised.
I mean, the term 'backdoor' has a connotation of intentionality. Unless you write perfect code 100% of the time, you probably rely on the difference.
Freetype buffer overflow leads to privilege escalataion.

All code is security code.

Definitely don't disagree, but are the freetype developers being malicious when they leave in a bug?
>All code is security code.

Debian disagrees. They are wrong to do so.

From Microsoft’s blog post:

Inspecting MateBookService.exe!main revealed a “startup mode” that revived the service if it’s stopped – some sort of watchdog mechanism meant to keep the Huawei PC Manager main service running.

I agree that it’s hard to prove malice, but why should any PC management software go out of their way to ensure that it never gets shut down?

...because it's the hardware management service and if it goes down you're no longer managing the hardware?

Like this stuff is usually designed by EEs and they love their watchdogs at all levels. Having a watchdog is very standard for this stuff.

>...because it’s the hardware management service and if it goes down you’re no longer managing the hardware?

I’m no expert on device drivers but to my knowledge, Windows already allows you to manage devices and install drivers through Device Managers.

Then if drivers are already installed for the various devices and hardware components, what exactly is the hardware management service managing on top of the individual drivers?

I am asking this as the only plausible reason to be doing this (at least for me) is if Windows isn’t providing enough tools for device management that needs coordination between the hardware components on the machine, so I would appreciate someone with more knowledge to shed some light on the subject.

Device Manager only handles kernel drivers. Best practice is to put as much as possible into a highly privileged, but still user mode process so it can crash without bluescreening your system. If you assume that this code can crash (hence why it was delegated to user mode in the first place) it makes sense to code in a resurrection capability.
Windows services have a restart if I crash mode, why wouldn’t that be used instead. This seems about making sure the user can’t stop it from starting
It's a huge pain on the ass to setup right. Soft faults where the process is still running but is deadlocked don't get restarted for instance.
Same problem if you write your own supervisor except you are writing a process supervisor
Well, no, because you can write your supervisor in a way that does protect against that. In fact that's hat they're doing here.
Not commenting any way on the particular issue at hand, but to respond to your general question:

> why should any PC management software go out of their way to ensure that it never gets shut down?

The Windows 10 kernel itself goes out of its way to make sure the Windows update service isn't permanently shut down.

What is not malicious about a driver whose pure function (this thing literally has no other value or purpose) is maintaining an invincible NT_AUTHORITY process of their pre-installed management software? And achieving that by allocating a RWX page in services.exe? What are we even doing W^X for?

Maybe we have different expectations of what a driver is. Take a look for yourself, even the updated PC Manager Software on their website still has the driver with the goofy shellcode in its installer (no idea if it's just not loaded now):

https://consumer.huawei.com/us/support/pc/matebook-x-pro/

> What is not malicious

> malicious - adj. - having or showing a desire to cause harm to someone

I'ts goofy, and wouldn't pass a design review that I was a part of, but it isn't "showing a desire to cause harm". It just looks like a rushed design.

> about a driver whose pure function (this thing literally has no other value or purpose)

I see nothing about how this driver doesn't have any other functions.

> is maintaining an invincible NT_AUTHORITY process of their pre-installed management software

Because you want the hardware management process to be resurrected if it fails. They're not gaining anything from an attack perspective by deferring to user mode, the process isn't hidden, and they're already running as a kernel driver so they have full control of the system as it is. In Raymond Chen's parlance, they're already on the other side of the airtight hatch.

> Maybe we have different expectations of what a driver is.

I mean, Minix ascribes it's uptime and reliability to a resurrection server. Is this a much crappier design? Yes. Is it such a bad design that it's malicious? No, that's absurd.

> Maybe we have different expectations of what a driver is.

I expect drivers to defer everything they can to user mode so they don't crash the kernel. That's one of the reasons why APCs exist in the first place.

> Take a look for yourself, even the updated PC Manager Software on their website still has the driver with the goofy shellcode in its installer (no idea if it's just not loaded now):

Oh no, they didn't take that out of their package, but even Microsoft says that they fixed the vulnerability, and quicker than responsible disclosure asks for.

> I see nothing about how this driver doesn't have any other functions.

Obviously, you didn't look at it.

This is the irony of it all. There is nothing simple about writing a device driver to do what literally three lines of code in userland registering a service could have achieved. It is the furthest thing from a rushed design you could possibly do; it is taking the wrong turn 10 times and incurring exponential costs each time. That is why it's called a backdoor or malicious; it demonstrates unique niche knowledge in things that are the furthest imaginable distance from the shitty .NET amalgamation that their actual PC manager software is.

Quote the piece of the article that says that the driver has no other functions.

Particularly given that they describe how there's multiple ioctls.

And I can tell you from experience that relying on the service manager for a full watchdog solution is fraught with peril. It'll catch hard crashes, but not for instance dead locks.

Writing "drivers" that do questionable things for even more questionable reasons seems to be par for the course in the Windows ecosystem. If I understand the whole situation correctly, Fortnite installs WHQL certified kernel driver, whose sole purpose is to cause BSOD when LSASS.EXE maps pages from the Fortnite process...
Is that an anti-cheat feature?
(comment deleted)
As if the same OEMs would constrain themselves when targeting other platforms.
> I mean, it's goofy, hacky, and has obvious security flaws but doesn't look malicious.

Plausible deniability. If you were to implement a backdoor for a company, would you write "professionally done" all over it?

So now every bug on a privilege boundary is a backdoor, because of "plausible deniability"?
Did I say that? The point is that it just because it looks like an "honest mistake" doesn't mean it is. If you were to create a backdoor, that's exactly how you'd want to do it.

Given the circumstances, one might wish to err on the side of caution.

The microsoft article mentions that Windows Defender caught multiple machines performing kernel injections near the same time with this driver as the root cause. Meaning it was already being exploited.

This doesn't mean the actual flaw was malicious, but being actively exploited, it seems intent doesn't really matter.

I don't see anything saying this was being actively exploited; the non malicious use case would set off their scanners on all MateBooks running this driver.
from the article:

> While monitoring alerts related to kernel-mode attacks, one alert drew our attention:

>The alert process tree showed an abnormal memory allocation and execution in the context of services.exe by a kernel code. Investigating further, we found that an identical alert was fired on another machine around the same time.

This shows code injection taking place, via the exploited code. You are right that they don't mention what code was injected (probably they don't know)

> via the exploited code

Their scanner doesn't show any exploitation happening, and they don't say that it does.

I admit that I am reading into the line "abnormal memory allocation and execution" and thinking it's intentional.

You are right that they don't seem to know what code was being executed. Just that some code (be it real code or random garbage) was injected and executed.

It's intentional; it's not "exploitation". It's really doing privilege deescalation of the shellcode.

They know the code it's running for the most part, it's the CreatProcessW stuff they talk about.

Have you heard of plausible deniability?
So now every bug on a privilege boundary is a backdoor, because of "plausible deniability"?
Then what other kinds of software need to use a privilege escalation?
The code is designed to be a privilege _deescalation_. It's already running in kernel mode, and is deferring work to a user mode process.
To create a backdoor, you could not be obvious. Like do something obviously evil in the driver... You'd build it out of many building blocks in several components that individually look like honest mistakes. "Mistakes" that can be combined to create something malicious.

That's what you need to achieve plausible deniability. You'll need to make it look innocent.

(I also write Windows kernel mode drivers.)

Did you think that the recent Apache privilege escalation exploit is a malicious piece?
Problem: any well written exploit will be designed to look like a mistake.
Did your drivers also give usermode code the ability to map arbitrary memory addresses of the usermode code's choosing, thus granting full rw access to all memory pages in the system?

Either Huawei's driver developers are both incompetent and stupid or they're injecting malicious backdoors.

That's not what this driver does, you need to re-read the article.
> Having been able to freely invoke IOCTL handlers of the driver from user-mode, we looked for other capabilities that can be abused. We found one: the driver provided a capability to map any physical page into user-mode with RW permissions. Invoking this handler allowed a code running with low privileges to read-write beyond the process boundaries—to other processes or even to kernel space. This, of course, means a full machine compromise.

Please, continue.

Hanlon's razor - Never attribute to malice that which is adequately explained by stupidity.
Hanlon's razor is used by the malicious to fool the stupid. While we are spouting aphorisms, here's another one: "never say never".
Honest question: is it plausible that someone who is knowledgeable enough to understand and implement this exploit is also oblivious to ita exploitability?
Hell yes, device drivers and related tools are a cesspit of demon-worshipping excrements from outer space.
The Epoch Times has a very anti-PRC political stance. I've seen sensationalism in their reporting on the PRC.

It's understandable though, given their affiliation with the persecuted Falun Gong.

(Looks like the original URL has been changed to an actual Microsoft authored page.)

Agreed, it looks like the driver is just trying to keep MateBookServices.exe alive in a dumb way.

My guess is someone had a hard time deciphering MSDN rather than some malicious motivation. I've had to wade through the CreateProcess and svchost docs before, the options and security restrictions are labyrinthine. I'm not sure how some Chinese engineer reading a translation could much better.

Without stating a judgment one way or the other on the organization...

Epoch times is run by Falun Gong.

The Chinese official government line is that Falun Gong is an extremely dangerous cult that should be repressed. I've seen people on the English language internet intentionally comparing it to Jim Jones, David Koresh, etc.

In reality it seems to be more like a Chinese version of Scientology.

Hey, Scientology is about making money, aka apples and oranges. Lots of religious movements and suppression’s would be more apt, try puritans.
From what I've heard, Falun Gong is about making money too. It's basically "hey we'll help you and be real nice to you and help you get back on your feet. Now it's your turn to pay up with donations". Which seems better than scientology, I'd say it's most comparable to mormonism
Sounds like everybody on this list: https://en.wikipedia.org/wiki/Chinese_lists_of_cults

As far as I know, among them, Falun Gong and The Church of Almighty God was making false promise about their ability of "getting people back on their feet".

I don't know why people here are suddenly on fire when saw me put Falun Gong and cult together. In China, we use word "神棍"[0] to describe someone who fake their supernatural ability and pretend to be the messenger of god. And the word was come out before CCP even a thing, that alone can tell you something does it?

[0] https://zh.wikipedia.org/wiki/%E6%A3%8D%E9%A8%99#%E7%A5%9E%E...

Honestly, though, Falun Gong is barely even religious. Rather, it is Qi Gong practice with some "spirituality" bullshit. It's better compared to suburban yoga studios that sell smelly candles and "mindfulness" than Scientology, and it was actually pretty popular among PRC urbanites before the crackdown.
I'm all for assuming incompetence over maliciousness, but that requires a certain amount of goodwill and trust toward the perpetrator, which is something Huawei doesn't have.
(comment deleted)
From scanning the page it sounds like Huawei used a hack to make their MateBookService unkillable, unremovable, by unhooking in to services.exe. That in the process of that they left the possibility that the device they were using HwOs.*\.sys was only protected from being used by checking the program had the right path, thus leaving it open to crackers (it being basically g+rw) to use to get the ring-0 permissions needed to run the "stay resident"-type hack Huawei were using. And that in turn meant a process could overwrite MateBookService and gain it's own privelege escalation??

Am I close, if so: is there evidence that Huawei were using that access maliciously or was it just "to make sure their 'management software' retained it's place in the OS"??

We're talking about computers manufactured by Huawei here? Surely they can run code at a far lower level, is this MS and Huawei fighting over which of them "owns" the users computer?

[Slight aside: The MS page reads a lot like an advert. Nice link through to a page that itself has "start trial or buy" up top above the hero shot. Name drops some big vulns, Wannacry, DoublePulsar. Devalues the piece IMO because it seems the reason for them doing the work is solely to create an advert.]

I guess it's because Defender ATP is basically some kind of cloud-service for security and because everyone is running Windows for everything it's targeted at managers or so. I have no idea how useful it is, but I guess they have some advanced techniques to detect certain attacks (like this one, or the dropped DoublePulsar) - If you have to defend some important Active Directory Setup it's probably not a bad deal.

It's still ironic that Huawei get's some free audit for their stuff now and it's sold as they are bad, while everything is terrible - I won't install Logitech software after this epic bug here: https://bugs.chromium.org/p/project-zero/issues/detail?id=16...

Wow, that Logitech app is crazy huh, they just opened a port from all their Logitech Options users to anyone enabling them to make a remote keylogger.

MS must have written a huge exposé on that one, can't seem to find it on their Security site though.

Google writes about the bugs they find, Microsoft writes about the bugs they find. What's strange to you?
Meh, I just suspect they're not as forthcoming about bugs they find for their preferred hardware partners no matter how crazily bad they are. Partialism like that makes me distrust them, perhaps my skepticism falls the wrong way here, maybe I'm reading an undercurrent that's not there.
I at least trust that the things they report on to be accurate.
I just looked into that Logitech issue, it's interesting to note that contact was made with Logitech engineers in September. The engineers provided assurance that the issue was understood and would be fixed. Months pass... updates were released, none of which contained the security fix. December arrives and finally the vulnerability is made public, picked up by the media, and Logitech releases a fix within days.

It's a familiar pattern. If a large company were a biological organism, one of it's main pain signals would be negative PR. Prod the beast in other ways and it doesn't respond.

Not addressing the main point but the aside - I like it when companies have a clear financial interest in solving a problem.

Sure I get the warm fuzzies when a company like Google circa 2005 does something to help people with nothing obvious to gain from it. But in my experience companies like Google circa 2005 tend to become companies like Google circa 2019. People acting in their own interest are reliable.

The problem is that most incentives can be gamed. There are good and bad ways to get customers to buy more or make the stock price go up.

People are smarter than metrics. Increase the incentives and you also increase the incentive to cheat. Sometimes the best you can do is insulate people from incentives, so people have the leeway to do the right thing without acting against their own best interest.

Well, that's why there's generally a difference between market incentives and regulatory incentives. In this case, I believe we are referring to market based incentives, where gaming them is of limited use because the market should respond to that gaming.

That said, regulatory incentives and punishments have their place too, IMO generally where the market isn't responding well, or information isn't available enough to allow for an efficient market, or as a response to some other regulatory market effects. But, as you noted, you'll often get some interesting behavior right at the edge of where the regulation kicks in because there's often a hard change instead of a gradual shift as an efficient market would allow.

If gaming the markets is of limited use, I wonder why market participants put so much effort into it?

I mean, consider Wall Street, Las Vegas, used car sales - the list goes on and on. It's a rich area of storytelling that goes back to the dawn of recorded history.

If you say what you mean by gaming the system with any of those, Wall Street, Las Vegas, used car sales, maybe I can respond intelligently. As it is, I'm not sure what you're referring to. Most things I think of that would be considered gaming the system to do with those have to do with human rules applied to a system, instead of emergent market economics, and that's what I was referring to.

There is gaming of markets, but I think generally if it's not based on some regulation, it's because of information asymmetry (which is a market inefficiency).

All I was trying to point out in the prior comment is that there are different kinds of incentives. There are incentives that are constructed, and there are incentives that are natural. Constructed incentives are much easier to game. Natural incentives are emergent. Microsoft is incentivized to have good security for their OS now by the market in general, because it hurts them to not have good security (compared the the bast, where they could get away with lax security until it became a problem). That's emergent from the market and people deciding to use or not use their product. I wouldn't consider that "gaming the system", and if they did game it by talking a lot about security but not actually doing much, eventually the market should note that and respond appropriately.

Alternatively, Microsoft can reduce their tax burden by shifting business entities to different countries and shuffling how it appears their profit is created, so it's registered in a country with very little taxes, leading them to pay fewer taxes (not that they do, I don't know. I believe Apple and Google are reputed to do this). That's based on rules set by people, such as country boundaries and tax rates. Doing this could be considered "gaming the tax system". It requires specific changes to the rules to fix, it won't just shift naturally.

To me it appeared the comment you were responding to originally was using "incentive" in the pure form, meaning "benefit for doing so", and it appeared you were referring to incentive in the regulatory sense, where it's a human construction to influence behavior, but that's only a subset of the meaning.

At a high level, the market is supposed to provide an incentive to serve customers - "solving a problem" or "help people" as the original post put it.

My point is that real-world incentives are never perfectly aligned with such lofty, nebulous goals. They are about things you can measure such as how much money you can make. Making money is not the same as helping people and no incentive scheme is clever enough to make it so. Customers are often smarter than rules but even then, customers can be fooled. So there will always a way to make money without helping people and when you increase incentives, it also increases incentive to do things that aren't actually the goal.

This means that to some extent we rely on people to follow the spirit of the incentives and not to simply be amoral incentive-maximizers.

(This is closely related to the principal-agent problem, except the principal here is society in general.)

> At a high level, the market is supposed to provide an incentive to serve customers

That's not what markets do. Markets are a means of efficiently and accurately pricing things in a responsive way. Some markets don't even have customers. That price may or may not be money, depending on the market in question.

> My point is that real-world incentives are never perfectly aligned with such lofty, nebulous goals.

For markets, definitely not, since that's not really what they are for, and any created incentive will at best attempt to move a market towards that.

> Making money is not the same as helping people and no incentive scheme is clever enough to make it so. Customers are often smarter than rules but even then, customers can be fooled. So there will always a way to make money without helping people and when you increase incentives, it also increases incentive to do things that aren't actually the goal.

Nobody here has said it is. The original comment noted "People acting in their own interest are reliable." I interpreted that to mean "when there are forces urging a person or group to act a certain way for their own self interest, it's easier to rely on them to continue acting that way". If Microsoft benefits from doing something that benefits others, it's easier to rely on them to continue doing that. I'm still not sure what point you were trying to make from that, since I'm not following how your latest comment relates to that or to my call for clarification, since I thought maybe you were interpreting the statement somewhat differently than I was.

My point is that "Microsoft benefits from doing something that benefits others" is never going to be entirely true, or at least not for long.
Autodesk benefits from providing students CAD software in school so that they use it in the workplace. This benefits the students, who no longer have to buy a license during college, and benefits them (Autodesk) by making sure they have a "captive market". Gaming the system? Yes- it plays to the needs of poor college students, who then are comfortable with their development environment and don't want to learn another thing, too.

As long as Autodesk is providing this program, students are:

A) not pirating their software,

B) becoming used to their tools (being completely unfamiliar with CAD as an engineer is a bad start), and

C) starting in the Autodesk ecosystem.

As long as students keep using Autodesk's platform, Autodesk is:

A) strengthening its market share

B) able to continue development (because the now-working previously students are using their software)

C) Relevant in the college setting, where professors have a large say in what goes and what doesn't.

There are probably always going to be college students, there are probably always going to be engineering jobs, and engineers will always need to have a CAD package. As long as those two things exist, Autodesk (or any other company with a CAD package) can gain goodwill, ensure relevancy, and invest in their future by giving their software away for free now. This is "gaming" a market in a long-term symbiotic manner.

Full disclosure: I'm an engineering student, in high school, and really appreciate the free copies of Autodesk Inventor and Dassault Systemes' Solidworks that I've gotten.

Apologies for digressing, but this is an important point.

Instead of the facile happytalk "Don't Be Evil", a much better slogan might be "Be as evil as you want, just don't hide anything from me and let's have an open and honest relationship"

Companies keep using the average user's technology ignorance against them. That was kinda cool and probably acceptable when you were the smart kid making a few dollars here or there, everybody loves the story of some genius hacker able to figure out the stock market and made a small fortune on a stunt they could never repeat, but this has gotten completely out of hand. It's gotta stop. We need to start acting in the user's best interests as if they knew as much about the business as we do. That's the only ethical way forward from here.

Word. I very much miss a serious ethical discussion in the tech crowd that I see myself as part of, being a developer. I think we should admit that we are part of a technocracy. If you know the tech you may pull any stunt off, even when you're a big company. The people that need question our actions are not likely to understand the problem.

To cut short to my conclusion: We should be more humble about our less tech educated users and act accordingly.

  Companies keep using the average user's technology ignorance against them.
So, then, do OSS things like vsCode, which are made for developers, go in the "Company plays to the users technological strengths" column"?
When you buy a computer, whom do you trust? Microsoft, for keeping the manufacturers at bay?
It's not a question of who owns the computer; the software was trying to do things that Microsoft totally agree with - so much so that Microsoft have a published "right way" of doing it.
Is there any value in these driver add-on tools that manufacturers ship?

Like printer drivers they seem to be badly coded messes that create attack surfaces.

For a typical laptop everything except bios updates can be got straight from the vendor of the component.

I'm surprised microsoft haven't started distributing stuff like GPU, Chipset and other drivers themselves.

With Win10 they do ship those drivers through Windows updates.
They’ve done it for previous versions as well. I think that practice goes back to Vista at the very least.
It started in Vista, AFAIK, but it didn't really become reliably useful for _most_ of the drivers on even relatively common hardware configurations until 7, and even now it's still not complete (I installed a Coffee Lake-era Intel desktop with Win10, and I still got to play Hunt the Unknown Device Driver even after the endless reboots for updating had installed every driver Windows Update offered, and that's for onboard peripherals, not a fly-by-night USB device or PCIe card.)
For future people with troubles you could go try sdi-tool.org which works nice for me and a lot of friends for years now.
I have a Matebook D. The manager is useful to update your drivers all at once (plus your bios too). It's the only program that comes with the laptop, so no bloatware. I've been happy with the laptop, and I don't think there is any malice here, just a stupid mistake, that they already have fixed it.
It is not what they can do now and be fixed but what tubes can do in the future.

But can each country has their own manufactured computer and os? Or region?

Thanks a lot Microsoft. Now they have to create a new backdoor.
Given China's preponderance to mass surveillance and Huawei's obvious ties to the state, it's probably smart to take a critical look at anything they write. Willful ignorance and incompetence or cleverly crafted vuln with plausible deniability?

I guess, does it even matter at that point if you get ring-0 permissions? Probably shouldn't ever use their products regardless of the cause.

Honestly, Microsoft's shitbird security track record for the past umpteen years is such a clusterfuck that it's impossible to consider them as doing anything other than deliberately shipping the leakiest possible operating system to as many Americans as possible, with express intent to open a general surveillance portal exposing every user to analytical scrutiny for decades on end.

And with that, also a shrug, because yoooooooouuuuu asked for it!

From 95 to 98 to NT to 2000 to XP to Vista, and on and on, and it only gets worse.

But hey, woah! Now someone else is sticking their nose in front of America's magic mirror??? My goodness! Heavans to Betsy!

If Microsoft hadn't been such utter garbage since nineteen ninety fucking five, interrupting my fucking life with unstoppable automatic updates "for security patches" every other week... patches that forbade me from unplugging a machine in my own home, lest summarily it brick itself, I might be inclined to raise an eyebrow at yet another vulnerability, but alas... That's not the years of Microsoft history I remember.

The thing already had ring 0 permissions, the code with the bug in it is a kernel driver.
Mcrosoft! Finding a privilege Escalation! In someone else's software!

The world is turned upside down.

Weird approach by Huawei. If you want a program to stay up and running, you write a windows service; autostart with restart for recovery in case of crash. The service process can set its own DAC so that only SYSTEM can open its handle, hence the process in inaccessible/unkillable to ordinary users, even administrators.

The knowledge needed to do so is far less than what is needed to pull the hack that Huawei did.

So to quote another user:

> Problem: any well written exploit will be designed to look like a mistake.

and given the above, I'm inclined to believe that this was meant as a deniable exploit ("honest mistake").

What I wrote above is what I miss in the MS's analysis. There are cleaner and simpler ways to achieve what Huawei tried to accomplish. I would be astonished that the person(s) having knowledge to write a kernel driver don't know about DACLs and how to use them to prevent tampering with a process.

EDIT: The article does end with guidelines. However, I'd be more happy if MS explicitly wrote "They should have done THIS (using exising, well-documented, UM only OS functionality) instead to achieve their goal."

Perhaps they wanted the service killable, but for it to always restart?

Considering the physical memory mapping stuff, I wouldn't be surprised if the service doesn't have some roles firmware should have had - for example ensuring the battery charger is stopped when the battery is fully charged to prevent a fire.

That isn't a safe approach, as your laptop becomes a file hazard as soon as you install any other OS (even clean windows!). I'm not sure that this is a more robust mechanism for achieving that outcome than a Windows service in any case.
> Perhaps they wanted the service killable, but for it to always restart?

Then you use a DACL than gives only PROCESS_TERMINATE permission [1] to the desired group (Administrators, Users, …). If killed, service control manager will figure out that the program exited abnormally and restart it.

[1] Overview of all permissions on process objects that can be allowed or denied in a DACL https://docs.microsoft.com/en-us/windows/desktop/ProcThread/...

That doesn't kill dead locked processes, or processes that aren't listening on the management IF. You see this with services that can't be "sc stop"ed.
Maybe, as some posters in this thread are suggesting, this should not be read as a PR article. This should be read as a "Huawei (and others) we are watching you. Stop doing those things we are able to spot your doings, and we are willing to show the world". Of course the article touts about the ability of defender and their forensics team, but there is definitely a possibility that another message is being conveyed. As I am working mostly in web etc I have no experience in writing drivers so this is quite a few software layers below my comfort zone. However, to me having read the article, it seems that the "Watchdog" goal achieved by Huawei's code is done in such a round about fashion that is either a combination of "skilled but sloppy programmer" or "skilled and not sloppy but wanting to be perceived as sloppy". Some context, WannaCry and DOUBLEPULSAR are mentioned several times. Read about the NSA backdoors: https://en.wikipedia.org/wiki/EternalBlue https://en.wikipedia.org/wiki/DoublePulsar

Etrnal Blue was leaked from NSA and developed into WannaCry

Another piece of context, the article says that the issue was resolved together with Huawei. Why then make a publicly available article about it naming the company? Why not just patch and pretend that there were no issue, or patch and with a more generic description "we have implemented a mechanism to monitor drivers that might try to execute arbitrary code"?
If you don't mention the company you implicate everyone.
That happens all the time as it's relatively normal to do so in this type of disclosure . With the political focus on Huawei these days it's likely just people noticing this message more than others, it's not like other big manufacturers show better security practices. With Huawei in particular, MS as a US company really couldn't have omitted the name from the disclosure without being put in a weird spot later down the road.

While I agree with other posters that the wording of this disclosure is unnecessarily mixed with a PR piece, naming companies for me is crucial as it allows end users to assess their own impact o f a vulnerability and also puts a public track record on these vendors.

I may be cynical but:

>Our discovery of the driver vulnerabilities also highlights the strength of Microsoft Defender ATP’s sensors. These sensors expose anomalous behavior and give SecOps personnel the intelligence and tools to investigate threats, as we did.

>Anomalous behaviors typically point to attack techniques perpetrated by adversaries with only malicious intent. In this case, they pointed to a flawed design that can be abused. Nevertheless, Microsoft Defender ATP exposed a security flaw and protected customers before it can even be used in actual attacks.

Seems to me a lot like "the ATP sensors and the SecOps did what they are supposed to do" followed by some self-patting/self-applauding on how good the MS technology and guys are good at it.

so many spies... Why are they afraid of saying that China is trying to spy and steal your intellectual property. It's an established fact by now.
So these "alerts" are coming from Microsoft's cloud-powered anti-malware service? It's kind of disturbing that they have enough data on Microsoft servers to conduct such an in-depth after-the-fact investigation of events on an endpoint machine. Are businesses really OK with sharing telemetry on this level?