Category Archives: Windows 10

Nansh0u Miner Attack 50000 MS-SQL, PHPMyAdmin Servers

Chinese hackers and secretly exploited more than 50,000 MS-SQL and PHPMyAdmin for TurtleCoin as part of a large-scale crypto hacking campaign called Nansh0u.

The campaign was discovered in early April and began on 26 February. It focused on servers around the world, including companies from different sectors, with more than 700 victims a day.

According to the Guardicore Labs team which discovered the attacks, “During our investigation, we found 20 versions of malicious payloads, with new payloads created at least once a week and used immediately after their creation time,” and the hackers used “five attack servers and six connect-back servers”.

The Guardicore Labs team attributed this campaign to Chinese operators using multiple indices:

To put the Windows MS-SQL and PHPMyAdmin servers at risk, hackers have used a variety of tools, including a port scanner, an MS SQL brute force tool and a remote execution engine.

With the help of port scanner, they were able to find MS SQL servers by checking the default MS SQL ports were open. These servers would automatically be integrated into the brute force tool, which would attempt to hack the servers with thousands of frequently used credentials.

Once they breach the servers, the Nansh0u campaign operators infect them with 20 different versions of malicious data using an MS-SQL script that downloads and sends user data to vulnerable computers. An elevation of the privilege vulnerability CVE-2014-4113 has been exploited to execute payloads using SYSTEM privileges on infected servers, with each payload eliminated and executed designed as a wrapper for the execution of multiple actions.

As Guardicore researchers noted after analyzing the samples collected through the Global Guardianore sensor network (GGSN) from the attack servers, the wrappers revealed the following:

• Execute the crypto-currency miner;
• Create persistency by writing registry run-keys;
• Protect the miner process from termination using a kernel-mode rootkit;
• Ensure the miner’s continuous execution using a watchdog mechanism.

XMRig and JCE cryptocurrency companies use four data mining pools for TurtleCoin, a confidentiality-oriented cryptocurrency with fast transactions and with all private transactions, provided they are not for public.

Many of the remaining servers on infected user data have also been dropped a kernel mode driver with random names and masked VMProtect code that is not recognized by most AV engines.

The driver also signed a revoked by Verisign certificate from a Chinese company called Hangzhou Hootian Network Technology. It is to “protect processes and prevent the user from closing.

Kernel-mode driver digital signature
It also “contains additional rootkit functionality such as communicating with physical hardware devices and modifying internal Windows process objects that are unused by this particular malware.”

In addition, the kernel-mode driver, which ensures that the remote malware is not interrupted virtually all Windows versions from Windows 7 to Windows 10, including the beta versions support it.

The Guardicore Labs team provides a full list of IOC for this campaign encryption available, including Payload hashes, IP addresses used in attacks and pull Pool domains.

In addition, a PowerShell script is provided. Nansh0u campaign can be viewed on infected computers with the potential for a contaminated server to be traced.

The post Nansh0u Miner Attack 50000 MS-SQL, PHPMyAdmin Servers appeared first on .

Prolific Hacker SandboxEscaper Demos Windows 10 Zero-Day Exploit

Since 2015, Microsoft casually declared that Windows 10 is the last version of Windows, as Redmond geared-up on making their operating system a software-as-a-service (SAAS). It will forever be marketed as Windows 10 with two major yearly updates containing new features and enhancements, to the delight or annoyance of the users. Of course, as a dynamically changing operating system since 2015 (the 2015 Windows 10 was dramatically a very different animal to 2019’s Windows 10), the introduction of new features inadvertently comes with new bugs to exploit and discovery of flaws that weren’t existing before the update surfaces for cybercriminals to take advantage of.

Recently, a zero-day exploit proof-of-concept has been publicly released by a researcher with an alias of “SandboxEscaper”, detailing the weakness of the Windows 10 operating system. Publicly demonstrated through a GitHub page, the zero-day flaw is a remote code privilege escalation bug that may allow an attacker to take control of the vulnerable Windows 10 computers without any user’s knowledge. Taking advantage of the longtime vulnerability residing in the Task Scheduler service, SandboxEscaper was able to tap on SchRpcRegisterTask, a permission-less register by-default to create access control list permissions. That means any executable that uses a malformed Task Scheduler task using SchRpcRegisterTask can run it with system-privilege (administrator access).

This gives the attackers full control of the computer if they execute a relevant executable that has control to the PC, like Windows Explorer, Regedit or any System Tools available to the system administrator like the Managed Computer Window. The flaw clearly can be exploited under both 32-bit and 64-bit versions of Windows 10, including its server counterparts, Windows Server 2019 and its immediate predecessor Server 2016.

Hackers and researchers often keep zero-day vulnerabilities secret
SandboxEscaper also teased about at least four more zero-day exploits against Windows that she/he knows of but decided to keep secret for the time being. He hinted that 3 out of 4 were local privilege escalation bugs, while the other one is a sandbox escape bug. Microsoft has yet to fix the bug that SandboxEscaper revealed, as Redmond just issued its patch Tuesday last May 14, 2019. Hence, anyone interested in taking advantage of the Scheduled Task flaw may weaponize it against Windows 10 users until Microsoft finally issues an out-of-cycle patch to fix the vulnerability.

Unless Microsoft flexes its muscles again of issuing an out-of-cycle patch, expect the fix on the next update Tuesday, most probably on June 11, 2019.

Related Resources:

Windows 10, 8.1 and 7 Getting Bricked After April 2019 Windows Update

Windows 10 Insider Preview Build 17672 Is About Fighting Malware

Latest Windows 10 Comes With Malware Protection

The Anti-Ransomware Edition- Windows 10 Security Features

The post Prolific Hacker SandboxEscaper Demos Windows 10 Zero-Day Exploit appeared first on .

New browser extensions for integrating Microsoft’s hardware-based isolation

The hardware-based isolation technology on Windows 10 that allows Microsoft Edge to isolate browser-based attacks is now available as a browser extension for Google Chrome and Mozilla Firefox.

We introduced the container technology in 2017. Since then, we have been evolving the technology and engaging with customers to understand how hardware-based isolation can best help solve their security concerns. We know that many of our customers depend on multi-browser environments to allow enterprise apps to meet various compatibility requirements and enable productivity. And while modern browsers are continuously working to mitigate vulnerabilities, there are still exposures across these complex engines that can lead to irreversible and costly damages.

To provide customers with a comprehensive solution to isolate potential browser-based attacks, we have designed and developed Windows Defender Application Guard extensions, now generally available, to allow customers to integrate hardware-based isolation with Google Chrome and Mozilla Firefox.

How it works

The extensions for Google Chrome and Mozilla Firefox automatically redirect untrusted navigations to Windows Defender Application Guard for Microsoft Edge. The extension relies on a native application that we’ve built to support the communication between the browser and the device’s Application Guard settings.

When users navigate to a site, the extension checks the URL against a list of enterprise sites defined by enterprise administrators. If the site is determined to be untrusted, the user is redirected to an isolated Microsoft Edge session. In the isolated Microsoft Edge session, the user can freely navigate to any site that has not been explicitly defined as enterprise-trusted by their organization without any risk to the rest of system. With our upcoming dynamic switching capability, if the user tries to go to an enterprise site while in an isolated Microsoft Edge session, the user is taken back to the default browser.

To configure the Application Guard extension under managed mode, enterprise administrators can follow these recommended steps:

  1. Ensure devices meet requirements.
  2. Turn on Windows Defender Application Guard.
  3. Define the network isolation settings to ensure a set of enterprise sites is in place.
  4. Install the new Windows Defender Application Guard companion application from the Microsoft Store.
  5. Install the extension for Google Chrome or Mozilla Firefox browsers provided by Microsoft.
  6. Restart the device.

Intuitive user experience

We designed the user interface to be transparent to users about Windows Defender Application Guard being installed on their devices and what it does. We want to ensure that users are fully aware that their untrusted navigations will be isolated and why.

  1. When users initially open Google Chrome or Mozilla Firefox after the extension is deployed and configured properly, they will see a Windows Defender Application Guard landing page. 
  2. If there are any problems with the configuration, users will get instructions for resolving any configuration errors. 
  3. Users can initiate an Application Guard session without entering a URL or clicking on a link by clicking the extension icon on the menu bar of the browser.

Commitment to keep enterprise users and data safe

Hardware-based isolation is one of the innovations that enhances platform security on Windows 10. It is a critical component of the attack surface reduction capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) and the broader unified security in Microsoft Threat Protection. With the new Application Guard extension for Google Chrome and Mozilla Firefox, customers can extend the security benefits of isolation in their environments and further reduce attack surface. Customers can confidently navigate the expansive internet with protection for enterprise and personal data.

The Windows Defender Application Guard extensions for Google Chrome and Mozilla Firefox are now available for Windows 10 Professional, Enterprise, and Education SKUs, version 1803 and later with latest updates.


Rona Song
Windows platform security team



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Follow us on Twitter @MsftSecIntel.

The post New browser extensions for integrating Microsoft’s hardware-based isolation appeared first on Microsoft Security.

WhatsApp, Microsoft and Intel Chip Vulnerabilities

Quickly applying software updates (patching) to mitigate security vulnerabilities is a cornerstone of both a home and business security strategy. So it was interesting to see how the mainstream news media reported the disclosure of three separate ‘major’ security vulnerabilities this week, within WhatsApp, Microsoft Windows and Intel Processors.


The WhatsApp security flaw by far received the most the attention of the media and was very much the leading frontpage news story for a day. The WhatsApp vulnerability (CVE-2019-3568) impacts both iPhone and Android versions of the mobile messaging app, allowing an attacker to install surveillance software, namely, spyware called Pegasus, which access can the smartphone's call logs, text messages, and can covertly enable and record the camera and microphone.

From a technical perspective, the vulnerability (CVE-2019-3568) can be exploited with a buffer overflow attack against WhatsApp's VOIP stack, this makes remote code execution possible by sending specially crafted SRTCP packets to the phone, a sophisticated exploit.

Should you be concerned?

WhatsApp said it believed only a "select number of users were targeted through this vulnerability by an advanced cyber actor." According to the FT, that threat actor was an Israeli company called ‘NSO Group’. NSO developed the exploit to sell on, NSO advertises it sells products to government agencies "for fighting terrorism and aiding law enforcement investigations". NSO products (aka "spyware") is known to be used by government agencies in UAE, Saudi Arabia and Mexico.

So, if you are one of the 1.5 billion WhatsApp users, not a middle-east political activist or a Mexican criminal, you probably shouldn’t too worry about your smartphone being exploited in the past. If you were exploited, there would be signs, with unusual cliches and activity on your phone.  Despite the low risk at present, all WhatsApp users should quickly update their WhatsApp app before criminals attempt to ‘copycat’ NSO Group exploitation.

How to Prevent 

Update the WhatsApp app.

  • Open the Apple AppStore App
  • Search for WhatsApp Messenger
  • Tap 'Update' and the latest version of WhatsApp will be installed
  • App Version 2.19.51 and above fixes the vulnerability
  • Open Google Play Store
  • Tap the menu in the top left corner
  • Go to “My Apps & Games”
  • Tap ‘Update’ next to WhatsApp Messenger and the latest version of WhatsApp will be installed
  • App Version 2.19.134 and above fixes the vulnerability
Microsoft Worm Vulnerability CVE-2019-0708
Making fewer media headlines was the announcement of a new “wormable” vulnerability discovered within the various versions of the Microsoft’s Windows operating system.  The vulnerability CVE-2019-0708 is within Window's “remote desktop services” component.

This vulnerability is by far the most dangerous vulnerability reported this week, probably this year, it is a similar flaw to what the WannaCry malware exploited on mass in May 2017. WannaCry was a ransomware worm which severely impacted the operation of several large organisations, including the NHS. It exploited a similar Microsoft Windows vulnerability which enabled the malware to quickly self-propagate (worm) across networks and infecting vulnerable systems on mass with ransomware, rendering such systems unusable.

Such is the concern of a second WannaCry style attack due to this flaw, Microsoft has taken the rare step of releasing security patches for their unsupported versions of the Windows operating system, such as Windows XP and Windows Server 2003. 

How to Prevent
Apply the latest Microsoft Windows Update. Microsoft has said anti-virus products will not provide any protection against the exploitation of this vulnerability, therefore applying the Microsoft May 2019 Security Update, as released on Tuesday 14th May 2019, is the only way to be certain of protecting against the exploitation of this critical vulnerability 

Ensure automatic updates is always kept switched on. Windows by default should attempt to download and install the latest security updates, typically you will be prompted to apply the update and accept a reboot, do this without delay. 

To double check, select the Start menu, followed by the gear cog icon on the left. Then, select Update & Security and Windows Update.

Businesses must also seek to apply Microsoft security updates as soon as they are released. Typically large organisations control the release of Microsoft security patches centrally, they should monitor and risk assess the importance of newly released security updates, and then apply across their IT estate at a rate based on risk.

Intel CPU ZombieLoad Vulnerability
There was little mainstream coverage about a third major security vulnerability reported this week. Coined 'ZombieLoad side-channel processor', this vulnerability is present in almost every Intel processor made since 2011. This hardware vulnerability is a concern to businesses which use or provide cloud services. This flaw can also be mitigated by patching, with Microsoft, Apple, Amazon and Google all releasing security patches. For further information about the Intel CPU vulnerability, read the following posts.

How do I buy a laptop with an encrypted hard drive?

Derek needs to find a laptop with Windows 10 Home’s device encryption to keep his data safe

I want to buy a new Windows 10 laptop for home use, and I want one with device encryption capability, so that the boot drive is encrypted. Until recently, this has only been possible with Windows Professional editions using BitLocker. I now see that if a laptop has the right specification, all versions of Windows 10 can have device encryption turned on.

The problem is that it’s difficult, if not impossible, to get information from mainstream laptop vendors as to whether a specific model supports device encryption. Recent MacBooks are capable of using FileVault and Apple spells out which models support it, so why is this information so hard to find for Windows laptops? Derek

I’m glad you asked because you’re right: there’s a shocking lack of information about device encryption on laptops, and this applies to Microsoft, to PC manufacturers, and to retailers. It’s also something that laptop PC reviewers rarely seem to mention, which makes it hard, if not impossible, to tell how many laptops are compatible with Windows 10’s device encryption.

Continue reading...

How do I stop old USB drives from infecting my new Windows PC?

Jason wants to protect his new high-end laptop from viruses but needs data on old SD cards

I’ve just bought a high-end Windows laptop for video editing while travelling around Europe. What steps can I take to prevent any possible infections from being passed on from previous machines on SD cards and external hard drives? Some of the external hard drives go back to machines from 2004 but I have never plugged any of them into any computers other than my own previous Macs and PCs. I work professionally with video, photography and coding, so all of this data is vital.

I have a five-machine Bitdefender licence but I’d be prepared to use another protection system, and I’ve looked at Sophos Intercept X. Jason

There are at least three things to think about. First, there’s the threat level: how at risk are you? Second, there’s provenance: how much do you know about your devices? Third, how can you mitigate any risks revealed by the answers to the first two questions?

Continue reading...

Alarming! : Windows Update Automatically Downloaded and Installed an Untrusted Self-Signed Kernel-mode Lenovo Driver on New Surface Device


Given what it is I do, I don't squander a minute of precious time, unless something is very important, and this is very important.

Let me explain why this is so alarming, concerning and so important to cyber security, and why at many organizations (e.g. U.S. Govt., Paramount Defenses etc.), this could've either possibly resulted in, or in itself, be considered a cyber security breach.

Disclaimer: I'm not making any value judgment about Lenovo ; I'm merely basing this on what's already been said.

As you know, Microsoft's been brazenly leaving billions of people and thousands of organizations worldwide with no real choice but to upgrade to their latest operating system, Windows 10, which albeit is far from perfect, is much better than Windows Vista, Windows 8 etc., even though Windows 10's default settings could be considered an egregious affront to Privacy.

Consequently, at Paramount Defenses, we too felt that perhaps it was time to consider moving on to Windows 10, so we too figured we'd refresh our workforce's PCs. Now, of the major choices available from amongst several reputable PC vendors out there, Microsoft's Surface was one of the top trustworthy contenders, considering that the entirety of the hardware and software was from the same vendor (, and one that was decently trustworthy (considering that most of the world is running their operating system,)) and that there seemed to be no* pre-installed drivers or software that may have been written in China, Russia etc.

Side-note: Based on information available in the public domain, in all likelihood, software written in / maintained from within Russia, may still likely be running as System on Domain Controllers within the U.S. Government.

In particular, regardless of its respected heritage, for us, Lenovo wasn't  an option, since it is partly owned by the Chinese Govt.

So we decided to consider evaluating Microsoft Surface devices and thus purchased a couple of brand-new Microsoft Surface devices from our local Microsoft Store for an initial PoC, and I decided to personally test-drive one of them -

Microsoft Surface

The very first thing we did after unsealing them, walking through the initial setup and locking down Windows 10's unacceptable default privacy settings, was to connect it to the Internet over a secure channel, and perform a Windows Update.

I should mention that there was no other device attached to this Microsoft Surface, except for a Microsoft Signature Type Cover, and in particular there were no mice of any kind, attached to this new Microsoft surface device, whether via USB or Bluetooth.

Now, you're not going to believe what happened within minutes of having clicked the Check for Updates button!

Windows Update
Downloaded and Installed an Untrusted
Self-Signed Lenovo Device Driver on Microsoft Surface! -

Within minutes, Windows Update automatically downloaded and had installed, amongst other packages (notably Surface Firmware,) an untrusted self-signed Kernel-mode device-driver, purportedly Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID), on this brand-new Microsoft Surface device, i.e. one signed with an untrusted WDK Test Certificate!

Here's a snapshot of Windows Update indicating that it had successfully downloaded and installed a Lenovo driver on this Surface device, and it specifically states "Lenovo - Keyboard, Other hardware - Lenovo Optical Mouse (HID)" -

We couldn't quite believe this.

How could this be possible? i.e. how could a Lenovo driver have been installed on a Microsoft  Surface device?

So we checked the Windows Update Log, and sure enough, as seen in the snapshot below, the Windows Update Log too confirmed that Windows Update had just downloaded and installed a Lenovo driver -

We wondered if there might have been any Lenovo hardware components installed on the Surface so we checked the Device Manager, and we could not find a single device that seemed to indicate the presence of any Lenovo hardware. (Later, we even took it back to the Microsoft Store, and their skilled tech personnel confirmed the same finding i.e. no Lenovo hardware on it.)

Specifically, as you can see below, we again checked the Device Manager, this time to see if it might indicate the presence of any Lenovo HID, such as a Lenovo Optical Mouse, and as you can see in the snapshot below, the only two Mice and other pointing devices installed on the system were from Microsoft - i.e. no Lenovo mouse presence indicated by Device Manager -

Next, we performed a keyword search of the Registry, and came across a suspicious Driver Package, as seen below -

It seemed suspicious to us because as can be seen in the snapshot above, all of the other legitimate driver package keys in the Registry had (as they should) three child sub-keys i.e. Configurations, Descriptors and Strings, but this specific one only had one subkey titled Properties, and when we tried to open it, we received an Access Denied message!

As you can see above, it seemed to indicate that the provider was Lenovo and that the INF file name was phidmou.inf, and the OEM path was "C:\Windows\SoftwareDistribution\Download\Install", so we looked at the file system but this path didn't seem to exist on the file-system. So we performed a simple file-system search "dir /s phidmou.*" and as seen in the snapshot below, we found one instance of such a file, located in C:\Windows\System32\DriverStore\FileRepository\.

Here's that exact location on the file-system, and as evidenced by the Created date and time for that folder, one can see that this folder (and thus all of its contents), were created on April 01, 2018 at around 1:50 am, which is just around the time the Windows Update log too confirmed that it had installed the Lenovo Driver -

When we opened that location, we found thirteen items, including six drivers -

Next, we checked the Digital Signature on one of the drivers, PELMOUSE.SYS, and we found that it was signed using a self-signed test Windows Driver certificate, i.e. the .sys files were SELF-SIGNED by a WDKTestCert and their digital signatures were NOT OK, in that they terminated in a root certificate that is not trusted by the trust provider -

Finally, when we clicked on the View Certificate button, as can be seen below, we could see that this driver was in fact merely signed by a test certificate, which is only supposed to be used for testing purposes during the creation and development of Kernel-mode drivers. Quoting from Microsoft's documentation on Driver Testing "However, eventually it will become necessary to test-sign your driver during its development, and ultimately release-sign your driver before publishing it to users." -

Clearly, the certificate seen above is NOT one that is intended to be used for release signing, yet, here we have a Kernel-mode driver downloaded by Windows Update and installed on a brand new Microsoft surface, and all its signed by is a test certificate, and who knows who wrote this driver!

Again, per Microsoft's guidelines on driver signing, which can also be found here, "After completing test signing and verifying that the driver is ready for release, the driver package has to be release signed", and AFAIK, release signing not only requires the signer to obtain and use a code-signing certificate from a code-signing CA, it also requires a cross cert issued by Microsoft.

If that is indeed the case, then a Kernel-mode driver that is not signed with a valid code-signing certificate, and one whose digital signature does not contain Microsoft's cross cert, should not even be accepted into the Windows Update catalog.

It is thus hard to believe that a Windows Kernel-Mode Driver that is merely self-signed using a test certificate would even make it into the Windows Update catalog, and further it seems that in this case, not only did it make it in, it was downloaded, and in fact successfully installed onto a system, which clearly seems highly suspicious, and is fact alarming and deeply-concerning!

How could this be? How could Windows Update (a trusted system process of the operating system), which we all (have no choice but to) trust (and have to do so blindly and completely) have itself installed an untrusted self-signed Lenovo driver (i.e. code running in Kernel-Mode) on a Microsoft Surface device?

Frankly, since this piece of software was signed using a self-signed test cert, who's to say this was even a real Lenovo driver? It could very well be some malicious code purporting to be a Lenovo driver. Or, there is also the remote possibility that it could be a legitimate Lenovo driver, that is self-signed, but if that is the case, its installation should not have been allowed to succeed.

Unacceptable and Deeply Concerning

To us, this is unacceptable, alarming and deeply concerning, and here's why.

We just had, on a device we consider trustworthy (, and could possibly have engaged in business on,) procured from a vendor we consider trustworthy (considering that the entire world's cyber security ultimately depends on them), an unknown, unsigned piece of software of Chinese origin that is now running in Kernel-mode, installed on the device, by this device's vendor's (i.e. Microsoft's) own product (Windows operating system's) update program!

We have not had an opportunity to analyze this code, but if it is indeed malicious in any way, in effect, it would've, unbeknownst to us and for no fault of ours, granted System-level control over a trusted device within our perimeter, to some entity in China.

How much damage could that have caused? Well, suffice it to say that, for they who know Windows Security well, if this was indeed malicious, it would've been sufficient to potentially compromise any organization within which this potentially suspect and malicious package may have been auto-installed by Windows update. (I've elaborated a bit on this below.)

In the simplest scenario, if a company's Domain Admins had been using this device, it would've been Game Over right there!

This leads me to the next question - we can't help but wonder how many such identical Surface devices exist out there today, perhaps at 1000s of organizations, on which this suspicious unsigned Lenovo driver may have been downloaded and installed?

This also leads me to another very important question - Just how much trust can we, the world, impose in Windows Update?

In our case, it just so happened to be, that we happened to be in front of this device during this Windows update process, and that's how we noticed this, and by the way, after it was done, it gave the familiar Your device is upto date message.

Speaking which, here's another equally important question - For all organizations that are using Windows Surface, and may be using it for mission-critical or sensitive purposes (e.g. AD administration), what is the guarantee that this won't happen again?

I ask because if you understand cyber security, then you know, that it ONLY takes ONE instance of ONE malicious piece of software to be installed on a system, to compromise the security of that system, and if that system was a highly-trusted internal system (e.g. that machine's domain computer account had the "Trusted for Unconstrained Delegation" bit set), then this could very likely also aid perpetrators in ultimately gaining complete command and control of the entire IT infrastructure. As I have already alluded to above, if by chance the target/compromised computer was one that was being used by an Active Directory Privileged User, then, it would be tantamount to Game Over right then and there!

Think about it - this could have happened at any organization, from say the U.S. Government to the British Government, or from say a Goldman Sachs to a Palantir, or say from a stock-exchange to an airline, or say at a clandestine national security agency to say at a nuclear reactor, or even Microsoft itself. In short, for absolutely no fault of theirs, an organization could potentially have been breached by a likely malicious piece of software that the operating system's own update utility had downloaded and installed on the System, and in 99% of situations, because hardly anyone checks what gets installed by Windows Update (now that we have to download and install a whopping 600MB patch every Tuesday), this would likely have gone unnoticed!

Again, to be perfectly clear, I'm not saying that a provably malicious piece of software was in fact downloaded and installed on a Microsoft Surface device by Windows Update. What I'm saying is that a highly suspicious piece of software, one that was built and intended to run in Kernel-mode and yet was merely signed with a test certificate, somehow was automatically downloaded and installed on a Microsoft Surface device, and that to us is deeply concerning, because in essence, if this could happen, then even at organizations that may be spending millions on cyber security, a single such piece of software quietly making its way in through such a trusted channel, could possibly instantly render their entire multi-million dollar cyber security apparatus useless, and jeopardize the security of the entire organization, and this could happen at thousands of organizations worldwide.

With full respect to Microsoft and Mr. Nadella, this is deeply concerning and unacceptable, and I'd like some assurance, as I'm sure would 1000s of other CEOs and CISOs, that this will never happen again, on any Surface device, in any organization.

In our case, this was very important, because had we put that brand new Surface device that we procured from none other than the Microsoft Store, into operation (even it we had re-imaged it with an ultra-secure locked-down internal image), from minute one, post the initial Windows update, we would likely have had a potentially compromised device running within our internal network, and it could perhaps have led to us being breached.

If I Were Microsoft, I'd Send a Plane

Dear Microsoft, we immediately quarantined that Microsoft Surface device, and we have it in our possession.

If I were you, I'd send a plane to get it picked up ASAP, so you can thoroughly investigate every little aspect of this to figure out how this possibly happened, and get to the bottom of it! (Petty process note: The Microsoft Store let us keep the device for a bit longer, but will not let us return the device past June 24, and the only reason we've kept it, is in case you'd want to analyze it.)

Here's why. At the very least, if I were still at Microsoft, and in charge of Cyber Security -
  1. I'd want to know how an untrusted Kernel-mode device driver made it into the Windows Catalog
  2. I'd want to know why a Microsoft Surface device downloaded a purportedly Lenovo driver
  3. I'd want to know how Windows 10 permitted and in fact itself installed an untrusted driver
  4. I'd want to know exactly which SKUs of Microsoft Surface this may have happened on
  5. I'd want to know exactly how many such Microsoft Surface devices out there may have downloaded this package 

Further, and as such, considering that Microsoft Corp itself may easily have thousands of Surface devices being used within Microsoft itself, if I were still with Microsoft CorpSec, I'd certainly want to know how many of their own Surface devices may have automatically downloaded and installed this highly suspicious piece of untrusted self-signed software.

In short, Microsoft, if you care as deeply about cyber security as you say you do, and by that I'm referring to what Mr. Nadella, the CEO of Microsoft, recently said (see video below: 0:40 - 0:44) and I quote "we spend over a billion dollars of R&D each year, in building security into our mainstream products", then you'll want to get to the bottom of this, because other than the Cloud, what else could be a more mainstream product for Microsoft today than, Microsoft Windows and Microsoft Surface ?! -

Also, speaking of Microsoft's ecosystem, it indeed is time to help safeguard Microsoft's global ecosystem. (But I digress,)

In Conclusion

Folks, the only reason I decided to publicly share this is because I care deeply about cyber security, and I believe that this could potentially have impacted the foundational cyber security of any, and potentially, of thousands of organizations worldwide.

Hopefully, as you'll agree, a trusted component (i.e. Windows Update) of an operating system that virtually the whole world will soon be running on (i.e. Windows 10), should not be downloading and installing a piece of software that runs in Kernel-mode, when that piece of software isn't even digitally signed by a valid digital certificate, because if that piece of software happened to be malicious, then in doing so, it could likely, automatically, and for no fault of its users, instantly compromise the cyber security of possibly thousands of organizations worldwide. This is really as simple, as fundamental and as concerning, as that. 

All in all, the Microsoft Surface is an incredible device, and because, like Apple's computers, the entire hardware and software is in control of a single vendor, Microsoft has a huge opportunity to deliver a trustworthy computing device to the world, and we'd love to embrace it. Thus, it is vital for Microsoft to ensure that its other components (e.g. Update) do not let the security of its mainstream products down, because per the Principle of Weakest Link, "a system is only as secure as is its weakest link."

By the way, I happen to be former Microsoft Program Manager for Active Directory Security, and I care deeply for Microsoft.

For those may not know what Active Directory Security is (i.e. most CEOs, a few CISOs, and most employees and citizens,) suffice it to say that global security may depend on Active Directory Security, and thus may be a matter of paramount defenses.

Most respectfully,

PS: Full Disclosure: I had also immediately brought this matter to the attention of the Microsoft Store. They escalated it to Tier-3 support (based out of New Delhi, India), who then asked me to use the Windows Feedback utility to share the relevant evidence with Microsoft, which I immediately and dutifully did, but/and I never heard back from anyone at Microsoft in this regard again.

PS2: Another small request to Microsoft - Dear Microsoft, while at it, could you please also educate your global customer base about the paramount importance of Active Directory Effective Permissions, which is the ONE capability without which not a single object in any Active Directory deployment can be adequately secured! Considering that Active Directory is the foundation of cyber security of over 85% of all organizations worldwide, this is important. Over the last few years, we've had almost 10,000 organizations from 150+ countries knock at our doors, and virtually none of them seem to know this most basic and cardinal fact of Windows Security. I couldn't begin to tell you how shocking it is for us to learn that most Domain Admins and many CISOs out there don't have a clue. Can you imagine just how insecure and vulnerable an organization whose Domain Admins don't even know what Active Directory Effective Permissions are, let alone possessing this paramount capability, could be today?