Microsoft released its July update for Windows 11 and Windows 10 yesterday. Besides new features, it addresses a security problem reported by the companies Sophos, Cisco and Trend Micro.
The problem is the abuse of the Windows Hardware Developer Program: accounts enrolled in it were used to get malicious drivers signed by Microsoft, so the malware could be loaded on computers carrying the same certification that legitimate hardware drivers receive.
According to the research carried out by these companies, more than 130 drivers signed through the Windows Hardware Developer Program have been identified, submitted from several different developer accounts. The practice dates back to at least April 2021.
With the problem identified, Microsoft has suspended all the accounts involved (most of them registered from China) and added the drivers to the Windows driver revocation list, so that they are no longer loaded in the normal way.
This list is updated automatically through Windows Update, so to protect ourselves from this malware we only need to install all pending updates, in particular the one released yesterday.
Among the drivers covered by the investigation, some had rootkit capabilities: they ran in the background and inspected the computer's incoming and outgoing Internet traffic. Some of them could only be installed with administrator privileges.
To check whether any of these drivers has ended up on our computer, we can consult the GitHub page where Sophos has published the hashes of all the affected drivers.
Windows Defender's definitions have also been updated (version 1.391.3822.0) to detect these drivers and warn the user if any are installed, so that they can be removed.
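As an added example (not code from the article or from Sophos), the following PowerShell script sweeps the local driver directories and the currently registered kernel drivers for files whose SHA-256 matches a list of known-bad hashes, and checks that the installed Defender definitions are at least 1.391.3822.0. It assumes you have saved the hash list from Sophos's GitHub page to a local file, one hex SHA-256 per line; the path C:\ioc\bad-drivers.txt and the function names are the example's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not the article's or Sophos's code.
# Assumption: the Sophos hash list has been saved locally, one SHA-256 per line
# (blank lines and lines starting with '#' are ignored). The path below is ours.
param(
    [string]$HashFile = 'C:\ioc\bad-drivers.txt'
)

# Load the hash list into a case-insensitive set for O(1) lookups.
function Get-BadHashSet {
    param([string]$Path)
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Hash list not found at $Path; nothing to compare against."
        return $set
    }
    foreach ($line in Get-Content -LiteralPath $Path) {
        $h = $line.Trim()
        if ($h -match '^[0-9A-Fa-f]{64}$') { [void]$set.Add($h) }
    }
    return $set
}

# Candidate driver files: everything under the driver directories plus whatever
# the Service Control Manager lists as a kernel driver (a rootkit may be
# registered from a path outside the usual directories).
function Get-CandidateDriverFiles {
    $roots = @(
        "$env:SystemRoot\System32\drivers",
        "$env:SystemRoot\System32\DriverStore\FileRepository"
    )
    $files = foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Filter *.sys -Recurse -File -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName
    }
    $registered = Get-CimInstance Win32_SystemDriver |
        ForEach-Object { $_.PathName -replace '^\\\?\?\\', '' } |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    @($files) + @($registered) | Sort-Object -Unique
}

# Hash each candidate and report the ones on the list, together with the signer
# shown by Authenticode (these drivers were genuinely Microsoft-signed, which is
# why the hash, not the signature, is the indicator here).
function Find-KnownBadDrivers {
    param([System.Collections.Generic.HashSet[string]]$Bad)
    foreach ($path in Get-CandidateDriverFiles) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -and $Bad.Contains($hash)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Path   = $path
                SHA256 = $hash
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                Status = $sig.Status
            }
        }
    }
}

# Defender definitions from 1.391.3822.0 onwards carry the detections for these drivers.
function Test-DefenderDefinitions {
    param([version]$Minimum = '1.391.3822.0')
    try {
        $current = [version](Get-MpComputerStatus -ErrorAction Stop).AntivirusSignatureVersion
        [pscustomobject]@{ Installed = $current; Required = $Minimum; UpToDate = ($current -ge $Minimum) }
    } catch {
        Write-Warning "Could not query Defender status: $($_.Exception.Message)"
    }
}

$bad  = Get-BadHashSet -Path $HashFile
$hits = @(Find-KnownBadDrivers -Bad $bad)
if ($hits.Count -eq 0) {
    Write-Host "No driver on disk or registered matches any of the $($bad.Count) known-bad hashes."
} else {
    Write-Warning "$($hits.Count) known-bad driver(s) found:"
    $hits | Format-Table -AutoSize
}
Test-DefenderDefinitions | Format-List
```

A match on the hash list is a confirmed hit regardless of what the signature column says; a clean sweep only means none of the published hashes is present, not that the machine is free of a rebuilt variant, so keep the Defender definitions current as well.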
Without a digital signature, nothing can be installed
We have probably all run into an application that Windows blocks because it cannot identify the publisher behind it. For ordinary applications that block is a warning we can override. For drivers the rules are stricter: starting with Windows 10 version 1607, Microsoft requires new kernel-mode drivers to be signed through the Windows Hardware Developer Program (the Dev Portal) before they will load on systems with Secure Boot enabled; a certificate from a public CA alone is no longer enough.
Kernel drivers are loaded when Windows starts, and unlike an unsigned application we get no prompt and no say over whether they run. That is why signature enforcement matters here: with Secure Boot enabled, a driver whose signature is missing or not trusted is refused at boot, so any malware bundled in it never executes. The drivers in this case got past that check precisely because they carried a genuine Microsoft signature, which is why revoking them was the necessary fix.
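To see this enforcement on your own machine, here is an added PowerShell check (not code from the article): it reports whether Secure Boot is on and lists every registered kernel driver whose Authenticode signature does not verify. The function names are the example's own; run it from an elevated prompt.

```powershell
# Added example, not the article's code. Run from an elevated prompt.

# Secure Boot state: $true/$false on UEFI machines, $null where the firmware
# (legacy BIOS) does not support the query at all.
function Get-SecureBootState {
    try { Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $null }
}

# One row per kernel driver the Service Control Manager knows about, with the
# result of signature verification. Anything other than 'Valid' (NotSigned,
# HashMismatch, NotTrusted, UnknownError) deserves a look.
function Get-DriverSignatureReport {
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', ''
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }  # no file on disk: skip
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            Path      = $path
            Status    = $sig.Status
            StatusMsg = $sig.StatusMessage
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        }
    }
}

$sb = Get-SecureBootState
if ($sb -eq $true) {
    Write-Host 'Secure Boot: enabled (new kernel drivers must carry a Microsoft signature to load)'
} elseif ($sb -eq $false) {
    Write-Host 'Secure Boot: disabled'
} else {
    Write-Host 'Secure Boot: not available on this firmware'
}

$report  = @(Get-DriverSignatureReport)
$suspect = @($report | Where-Object { $_.Status -ne 'Valid' })
Write-Host "$($report.Count) drivers checked, $($suspect.Count) with a signature that does not verify."
$suspect | Sort-Object State, Name | Format-Table Name, State, Status, Signer, Path -AutoSize
```

Two caveats: Get-AuthenticodeSignature only recognises catalog-signed inbox drivers on Windows 10 with PowerShell 5.1 or later, so on older builds many Microsoft drivers show as NotSigned and the useful signal is a third-party signer with a non-Valid status. And the drivers in this story carried genuine Microsoft signatures, so this check tells you whether the enforcement the section describes is actually in place, not whether a validly signed driver is benign.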