Malware protection designed to prevent another WannaCry highlighted security flaw in Huawei MateBook device manager, claims Microsoft
Security researchers at Microsoft have unearthed what they claim is a security flaw in Huawei’s device manager driver for its MateBook line of high end laptops.
The flaw, they claim, could enable attackers to undermine the security of the Windows Kernel and create processes with superuser privileges.
Microsoft claims that it discovered the flaw via Windows Defender Advanced Threat Protection (ATP) kernel sensors. These sensors were included in Windows version 1809 (October 2018 Update) and helped researchers detect the flaw in Huawei’s device manager.
Microsoft developed the sensors in response to the WannaCry ransomware, which infected more than 200,000 Windows PCs worldwide in May 2017.
According to Microsoft, its developers designed the kernel sensors specifically to detect malware like DoublePulsar, a backdoor implant developed by US National Security Agency (NSA) to run in kernel mode. The code of DoublePulsar was leaked by The Shadow Brokers in 2017 and can therefore be deployed by any malicious actor.
The WannaCry ransomware used the DoublePulsar backdoor to inject its malicious programme into the user space.
Microsoft-designed kernel sensors can sniff malicious code running in the kernel and also detect user-space asynchronous procedure call code being injected from the kernel.
According to Microsoft, Huawei’s PCManager triggered Defender ATP alerts on multiple devices running Windows 10.
ATP alert prompted Microsoft to launch an investigation, which revealed that it was a Huawei-written component that was injecting and running code in a user process.
“We traced the anomalous behaviour to a device management driver developed by Huawei,” Microsoft revealed.
While probing the Huawei flaw, Microsoft also found a second vulnerability, which could be used for local privilege escalation. This flaw enables attackers to read/write to memory after executing malicious code.
According to Huawei, the patches for both flaws have been available since January. The company also advises users to update PCManager to latest version – 22.214.171.124 in China and 126.96.36.199 in other countries.
Microsoft further revealed that Windows 10 users running Windows Defender ATP were already protected against any exploits taking advantage of the security flaw even before Huawei released the patches.
The company also claims that its Windows Defender ATP security service for enterprise customers will be able to discover similar flaws in future and alert customers before attackers exploit them to cause any harm.