Microsoft ATP Uncovers Critical Security Flaw in Huawei Drivers

In almost any industry, cybersecurity is a critical issue. Computers used by employees frequently contain sensitive company information—such as the company’s intellectual property (IP), financial information, or client information. However, cost concerns often drive companies to either supply cheaply-made PCs with barebones security, or to adopt “bring your own device” (BYOD) policies where employees bring personal devices to use for work.

The potential risk of using computers that aren’t properly secured was highlighted when Microsoft discovered a major security flaw in Huawei’s PCManager software drivers earlier this year. As noted in an arstechnica.com article about the discovery, though, “The interesting part of the story is how Microsoft found the bad driver in the first place.”

How Did Microsoft Discover the Huawei Driver’s Security Flaw?

The security flaw, which would allow unprivileged users to create processes with “superuser” or admin privileges, was uncovered by Microsoft’s Defender Advanced Threat Protection (ATP) service, which was part of Windows 10 version 1809. As stated by Ars Technica, “Microsoft Defender ATP does not rely solely on signature-based endpoint antimalware to detect known threats; it also uses heuristics that look for behavior that appears suspicious, even if no particular malware has been identified.”

This behavior-based approach to identifying security breaches is what allowed Microsoft’s ATP solution to detect the security flaw in the Huawei driver. The machine learning algorithm was able to spot the anomalous behavior caused by the Huawei driver, which used asynchronous procedure calls (APCs) in a way similar to a DOUBLEPULSAR-type backdoor that hackers might use to gain access to a system.

The Ars Technica article explains that “DOUBLEPULSAR is one of the many techniques devised by the National Security Agency” which “provides a way for a compromised kernel driver to run code in user mode.” In these backdoors, APCs are used to force a thread to stop running and switch to a different function—typically one that runs the malware’s code.

After the leak of DOUBLEPULSAR, it was incorporated into malware attacks, which is why, as noted by Ars Technica, “Windows 10 version 1809 included sensors to record these kernel operations that are known to be useful for malware.” The Huawei driver in question used an APC to force a restart of its built-in software if it crashed or stopped running, which is why it triggered the Microsoft ATP solution.
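To make the behavior-based idea concrete, here is an added example (not code from the article, from Microsoft, or from Huawei) of a detection rule run over constructed kernel telemetry. The event schema, the field names, the driver name `example_watchdog.sys` and the process names are all hypothetical stand-ins for whatever a real sensor records; the point is that the rule keys on the kernel operation itself (a kernel-mode caller queuing a user-mode APC), so it fires on a DOUBLEPULSAR-style injection and on a vendor watchdog that restarts its own service the same way, without any signature for either.

```python
"""Behavior-based detection of kernel-to-user APC injection.

Added illustration only. The sensor event format below is a hypothetical
simplification, not Microsoft Defender ATP's real telemetry schema.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class KernelEvent:
    op: str            # kernel operation the sensor recorded
    source_mode: str   # "kernel" or "user": who issued the operation
    source_image: str  # driver or process image that issued it
    target_image: str  # user-mode process the operation was aimed at
    apc_mode: str      # "user" if the APC routine runs in user mode


@dataclass(frozen=True)
class Alert:
    technique: str
    source_image: str
    target_image: str
    severity: str


# Processes where code execution would hand over credentials or session control.
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe", "services.exe"}


def is_kernel_to_user_apc(ev: KernelEvent) -> bool:
    """The behavioral primitive: kernel-mode code forcing a user-mode thread
    to run a routine of the kernel caller's choosing."""
    return ev.op == "apc_queued" and ev.source_mode == "kernel" and ev.apc_mode == "user"


def severity_for(ev: KernelEvent) -> str:
    """No allowlist by driver name: a benign-looking driver doing this is
    still worth a look (that is exactly how the flawed driver was found)."""
    return "high" if ev.target_image.lower() in SENSITIVE_TARGETS else "medium"


def detect(events: Iterable[KernelEvent]) -> List[Alert]:
    """Apply the rule to a stream of events and return alerts in order."""
    return [
        Alert("kernel-to-user APC injection", ev.source_image, ev.target_image, severity_for(ev))
        for ev in events
        if is_kernel_to_user_apc(ev)
    ]


# Constructed sample telemetry (not captured from any real machine).
SAMPLE_EVENTS = [
    # DOUBLEPULSAR-style: unidentified kernel code injects into lsass.exe.
    KernelEvent("apc_queued", "kernel", "<unidentified kernel code>", "lsass.exe", "user"),
    # Vendor watchdog driver restarting its own user-mode manager process.
    KernelEvent("apc_queued", "kernel", "example_watchdog.sys", "ExampleManager.exe", "user"),
    # Ordinary kernel-mode APC used by the OS itself; not the primitive we care about.
    KernelEvent("apc_queued", "kernel", "ntoskrnl.exe", "explorer.exe", "kernel"),
    # User-mode process queuing an APC to itself; outside this rule's scope.
    KernelEvent("apc_queued", "user", "notepad.exe", "notepad.exe", "user"),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.technique}: {alert.source_image} -> {alert.target_image}")
```

Run stand-alone it prints two alerts: the injection into lsass.exe at high severity and the watchdog restart at medium. That second alert is the "false positive" that turned out to matter: the behavior was benign in intent, but triaging it is what led to the discovery of the driver's broken access control.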

Why Was This Security Flaw an Issue?

How did Huawei’s driver using an APC to force software restarts pose a security threat to users and, by extension, businesses? As the Ars Technica article mentions:

“improper permissions meant that even an unprivileged process could hijack the driver’s watchdog facility and use it to start an attacker-controlled process with LocalSystem privileges, giving that process complete access to the local system.

Microsoft’s researchers then continued to look at the driver and found that it had another flawed capability: it could map any page of physical memory into a user process, with both read and write permissions.”

The first issue would give attackers an easy way to insert malware, while the second issue would allow them to make major alterations to the system kernel itself. Being able to alter the kernel would give attackers carte blanche to do almost anything—making it an incredibly dangerous security flaw.

What Does This Discovery Mean for Your Organization?

Odds are, the vulnerability from the Huawei driver will have little impact on security—if your organization is keeping up with the latest driver patches. As noted in the Ars Technica article, “Huawei fixed the driver and published the safe version in early January.” So, any Huawei systems with updates more recent than that should be safe from this security flaw.

However, the mere existence of this security flaw highlights the need for businesses to carefully and thoroughly scrutinize their hardware and software vendors. If the vendor isn’t thoroughly securing their hardware/software, or introduces “features” that actively impair security, it may be necessary to switch vendors.

This is part of the reason why Protected Trust specializes in Microsoft Surface devices. These devices are manufactured by Microsoft and are built to provide security while fostering collaboration through Microsoft Teams. We top this with our “Teams on any Surface” service, where we provide managed desktops that run a security-hardened version of Windows 10.


Curious about how you can provide your team members with safe and secure collaboration and productivity tools? Schedule an introduction with our team today!
