
Microsoft addresses malicious exploitation of certified Windows drivers

Published on July 12, 2023


Yesterday, Microsoft published a security advisory, ADV230001, addressing a concerning issue involving numerous drivers certified by the Windows Hardware Developer Program. These drivers were found to be abused in post-exploitation activities. The discovery was credited to researchers at Sophos, who notified Microsoft in early February 2023. Underlining the severity of the situation, Microsoft disclosed that Trend Micro and Cisco also submitted reports, collectively identifying 133 unsafe drivers, including non-certified ones.

In its subsequent investigation, Microsoft found that several developer accounts associated with the Microsoft Partner Center (MPC) had submitted these malicious drivers to obtain a Microsoft signature. All of these accounts were promptly suspended. Microsoft also introduced further measures, such as blocking detections (starting with Microsoft Defender 1.391.3822.0), which protect against legitimately signed drivers being abused in post-exploitation activity.

In its findings, Sophos described two types of malicious drivers used in recent attacks. The first type is similar to the maliciously signed drivers discovered last year and falls under the “endpoint protection killer” category. The second type resembles a rootkit, designed to run discreetly as an inconspicuous background task.

Fortunately, home users need only ensure their operating systems are kept up to date, as no other devices or services have been impacted by these issues except for Windows PCs. Consequently, Azure, Xbox, or Microsoft 365 users can rest assured that they have no cause for concern.
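As an added example that is not part of the original article, the following PowerShell snippet checks whether a machine's Microsoft Defender signatures have reached the 1.391.3822.0 version mentioned above and lists running kernel drivers with their Authenticode signer, so an administrator can see which signed third-party drivers are present. It assumes the Defender PowerShell module and the built-in Win32_SystemDriver CIM class are available; the threshold version is the only value taken from the page.

```powershell
# Added example: verify Defender signature level and review loaded driver signers.
$RequiredSig = [version]'1.391.3822.0'   # version quoted in the ADV230001 coverage above

function Test-DefenderSignatureVersion {
    param([version]$Minimum = $RequiredSig)
    $status  = Get-MpComputerStatus -ErrorAction Stop
    $current = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        CurrentVersion  = $current
        RequiredVersion = $Minimum
        MeetsThreshold  = ($current -ge $Minimum)
    }
}

function Get-LoadedDriverSigners {
    # Win32_SystemDriver lists kernel drivers known to the Service Control Manager.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the various path forms the SCM stores (\??\C:\..., \SystemRoot\..., relative).
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = if ($sig) { $sig.Status } else { 'Unknown' }
                Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

$check = Test-DefenderSignatureVersion
if (-not $check.MeetsThreshold) {
    Write-Warning "Defender signatures $($check.CurrentVersion) are older than $($check.RequiredVersion); run Update-MpSignature."
} else {
    Write-Host "Defender signatures $($check.CurrentVersion) meet the $($check.RequiredVersion) threshold."
}

# Drivers whose binary lives outside the Windows directory are the ones worth reviewing first.
Get-LoadedDriverSigners |
    Where-Object { $_.Path -notlike "$env:SystemRoot\*" } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session; Get-MpComputerStatus requires the Defender module that ships with Windows 10 and 11.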

via NotebookCheck

Davesh Beri
