Apple is often criticised for how tightly it controls what happens to its products. But one company has been strictly controlling what happens to its products for much longer: Microsoft. Microsoft keeps very strict control over what gets delivered via its Windows Update service. I can’t recall serious issues, and because of this, people have put a lot of trust in the software that comes via this channel.
As most of what is distributed comes directly from Microsoft, they know pretty well what is passed on via Windows Update. But there is an exception: driver updates. Windows Update is also used to push device drivers for third-party hardware. In that case Microsoft offers the driver via the Update Catalog. So from an end-user perspective, a newly acquired device is plug-and-play, while under the hood a driver is downloaded and installed. So far, Microsoft has done a good quality control job here.
Two weeks ago, malware was delivered by means of a driver for the Energizer Duo USB device. This driver caused a stir almost a year ago when it was found to contain a backdoor. Somehow Microsoft has published a driver for this same device which, according to Eset, again contains malware.
The problem is not just this one event. Taking into consideration the role a rogue device driver played in last year’s game changer for cyberwar (Sorry I need to bring Stuxnet into this), it’s clear we need to rethink the trust we have been putting into things which we thought are a given. Microsoft is not evil, but even Microsoft can’t control everything that happens on their behalf. The same goes for other reputable parties.
So what is the message here? Think twice next time you make a security decision based on reputation alone. In the struggle to give us a comfortable user experience, computing under the hood becomes ever more complex (and the bad guys figured this out long ago). Think holistically and assume a hostile environment.
After some guest postings, Maarten Oosterink has now been added to the resident team of authors. As managing consultant on Security, Risk and Compliance and thought leader on Critical Infrastructure Protection, he’ll be posting on topics close to his ‘turf’.