Huawei's MateBooks, when running the company's own PCManager software, were exposed to a potential security risk because of an unsafe driver, Microsoft discovered. The manufacturer released an update in January to fix the problem.
The most interesting part of the story, as Ars Technica points out, is the way in which Microsoft discovered the problem. The insecure driver was detected using new monitoring tools added to Windows Defender Advanced Threat Protection (ATP) in Windows 10 1809, the October 2018 Update.
In addition to signature-based malware detection, Defender ATP performs behavioral analysis to catch suspicious activity when malware is not immediately identified. Every suspicious action taken by software on a system is sent to the cloud, where it is evaluated using machine learning.
DoublePulsar
For example, Windows 10 1809 added monitoring to detect DoublePulsar-like attacks. DoublePulsar is an attack technique developed by the NSA that eventually leaked and has since been used in criminal circles as well; among other things, it was used by the WannaCry ransomware.
DoublePulsar abuses a legitimate mechanism, asynchronous procedure calls (APCs), which allow a thread to be temporarily redirected: the thread stops its current function, performs another function first, and only then resumes the original one.
In an attack, code is copied into the memory of a running privileged process and the system is then instructed, via an APC, to execute that code immediately. Individually, both steps are innocent, but when they happen together this can be an indication of a DoublePulsar attack.
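The detection idea described above, as an added example that is not part of the article or of Microsoft's tooling: a toy correlator that flags a source process which both writes into a privileged process's memory and then queues an APC into the same target within a short window. The event format, field names, privileged-process list, time window and sample log lines are all constructed assumptions for illustration.

```python
"""Correlate two individually benign events into a DoublePulsar-style indicator."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: timestamp, event, source pid, target pid, target name
SAMPLE_EVENTS = [
    "2019-03-25T10:00:01Z WriteProcessMemory src=4312 dst=812 dst_name=svchost.exe",
    "2019-03-25T10:00:02Z QueueUserAPC src=4312 dst=812 dst_name=svchost.exe",
    "2019-03-25T10:05:00Z WriteProcessMemory src=5000 dst=3000 dst_name=notepad.exe",
    "2019-03-25T10:20:00Z QueueUserAPC src=5000 dst=3000 dst_name=notepad.exe",
    "2019-03-25T10:30:00Z QueueUserAPC src=6000 dst=812 dst_name=svchost.exe",
]

PRIVILEGED = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}  # assumed list
WINDOW = timedelta(seconds=30)  # assumed correlation window


def parse(line):
    """Turn one constructed telemetry line into a dict of typed fields."""
    ts, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event,
            "src": int(fields["src"]), "dst": int(fields["dst"]),
            "dst_name": fields["dst_name"]}


def detect(lines, window=WINDOW):
    """Return (src, dst, dst_name) triples where a remote memory write into a
    privileged process was followed within `window` by an APC into that process."""
    writes = defaultdict(list)  # (src, dst) -> timestamps of memory writes
    hits = []
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        key = (ev["src"], ev["dst"])
        if ev["event"] == "WriteProcessMemory":
            writes[key].append(ev["ts"])
        elif ev["event"] == "QueueUserAPC" and ev["dst_name"] in PRIVILEGED:
            # Either step alone is normal; the pair in sequence is the indicator.
            if any(timedelta(0) <= (ev["ts"] - t) <= window for t in writes[key]):
                hits.append((ev["src"], ev["dst"], ev["dst_name"]))
    return hits


if __name__ == "__main__":
    for src, dst, name in detect(SAMPLE_EVENTS):
        print(f"possible DoublePulsar-style injection: pid {src} -> {name} (pid {dst})")
```

The notepad.exe pair is ignored because the target is not privileged, and the lone APC from pid 6000 is ignored because no preceding memory write from that source was seen.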
Huawei driver
Microsoft discovered that a Huawei driver for the PCManager software on MateBooks showed exactly that behavior. The driver acted as a kind of watchdog that kept an eye on whether a certain PCManager service remained active, so it could automatically restart it after a crash.
To do so, code was injected into a privileged Windows process and then executed via an APC, a technique straight from the NSA's playbook. Ars Technica notes that there was actually no good reason for Huawei to use this method: Windows has built-in functionality to restart crashed services.
Huawei had taken some measures to ensure that the driver could only communicate with Huawei's own service. Incorrect permissions, however, meant that even an unauthorized process could theoretically take over the driver's function, carry out an attack in this way and gain full access to the system.
Second vulnerability
According to further research by Microsoft, the driver also had another serious vulnerability, which gave an attacker the opportunity to modify the kernel.
Microsoft notified Huawei, which fixed the problems in an update released in early January. Users can protect themselves against the vulnerabilities by keeping their software up to date or by uninstalling the PCManager software.
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.