Published in PC Hardware

Buggy Huawei undermined Windows kernel

27 March 2019


It has been fixed now

Boffins at Microsoft discovered a buggy Huawei utility that could have given attackers a cheap way to undermine the security of the Windows kernel.

Before anyone says that this is all part of a Chinese socialist plot to spy on Windows machines, Huawei fixed the bug in January.

Vole found the severe local privilege escalation flaw in the Huawei PCManager driver software for its MateBook line of Windows 10 laptops.

Third-party kernel drivers are becoming more attractive to attackers as a side door into the kernel: a buggy signed driver lets them bypass its protections without paying for an expensive zero-day kernel exploit in Windows itself. The flaw in Huawei's software was detected by new kernel sensors introduced in the Windows 10 October 2018 Update, aka version 1809.

The kernel sensors address the difficulty of detecting malicious code that is already running in the kernel: they are designed to spot user-mode asynchronous procedure call (APC) code injection initiated from kernel code.

Microsoft Defender ATP anti-malware uses these sensors to detect actions by kernel code that may be injecting code into user mode.

Huawei's PCManager triggered Defender ATP alerts on multiple Windows 10 devices, prompting Microsoft to launch an investigation.

The investigation led Microsoft's researchers to the executable MateBookService.exe. Because of a flaw in the 'watchdog' mechanism that the driver HwOs2Ec10x64.sys uses to keep MateBookService.exe running, an attacker can create a malicious instance of MateBookService.exe that runs with elevated privileges. The flaw lets code running with low privileges read and write the memory of other processes or of kernel space, leading to what Microsoft described as a "full machine compromise."
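A practitioner reading this will want to know whether a given MateBook still carries the affected components. The following PowerShell triage check is an added example, not code from Huawei or Microsoft: the only names taken from the article are the driver file HwOs2Ec10x64.sys and the executable MateBookService.exe; the driver location under System32\drivers is an assumption, and the article gives no fixed version number, so the version and signature the script reports have to be compared against Huawei's January update notes.

```powershell
# Added example (not Huawei's or Microsoft's code): triage a Windows 10 machine for the
# PCManager components named in the article. Run from an elevated PowerShell prompt.
$driverName = 'HwOs2Ec10x64.sys'    # kernel driver named in the article
$serviceExe = 'MateBookService.exe' # user-mode process the driver's watchdog restarts

# 1. Is the driver on disk, and what version/signer does it carry?
#    The drivers directory is an assumption; adjust if the vendor installs elsewhere.
$driverPath = Join-Path $env:SystemRoot "System32\drivers\$driverName"
if (Test-Path $driverPath) {
    $item = Get-Item $driverPath
    $sig  = Get-AuthenticodeSignature $driverPath
    [pscustomobject]@{
        Component   = $driverName
        Path        = $driverPath
        FileVersion = $item.VersionInfo.FileVersion   # compare with Huawei's fixed build
        LastWrite   = $item.LastWriteTime
        Signer      = $sig.SignerCertificate.Subject
        SigStatus   = $sig.Status
    }
} else {
    "$driverName not found at $driverPath"
}

# 2. Is the driver currently loaded? driverquery /v lists loaded kernel modules with their paths.
$loaded = driverquery /v /fo csv | ConvertFrom-Csv |
          Where-Object { $_.Path -like "*$driverName" }
if ($loaded) { "Driver loaded: $($loaded.'Module Name') (state: $($loaded.State))" }
else         { "$driverName is not listed as a loaded driver" }

# 3. Which MateBookService.exe instances are running, from where, and as whom?
#    An instance running as SYSTEM from an unexpected path is the thing to look at.
Get-CimInstance Win32_Process -Filter "Name = '$serviceExe'" | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    [pscustomobject]@{
        Pid   = $_.ProcessId
        Path  = $_.ExecutablePath
        Owner = "$($owner.Domain)\$($owner.User)"
    }
}
```

Because the driver's watchdog restarts MateBookService.exe when it disappears, killing the process is not a mitigation; step 3 only tells you whether the component is present and under which account it runs. The real check is the file version and signature from step 1 against the vendor's fixed release.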

Last modified on 27 March 2019