Microsoft Discovers Backdoor-Like Flaw In Huawei Matebook Driver

Huawei Matebook X Pro. Credit: Tom's Hardware

Microsoft security researchers discovered a security flaw in Huawei’s device manager driver for the Matebook line of Windows 10 PCs that could undermine low-level kernel protections, not unlike the WannaCry backdoor that the NSA developed and that was later leaked to the public. The news comes on the heels of Huawei being accused by the U.S. government and other governments of acting as an espionage arm of the Chinese government. ZDNet first reported the news.

Insecure Huawei Driver

According to Microsoft’s researchers, the security issue was revealed by Windows Defender ATP’s kernel sensors, which allowed the team to trace a security vulnerability back to Huawei’s device management driver. Digging deeper into the issue, the Microsoft researchers realized that the local privilege escalation vulnerability stemmed from Huawei’s flawed and insecure architectural design for one of its drivers.

Microsoft noted that computer manufacturers such as Huawei can build these kinds of utilities to facilitate device management. However, such tools contain components with access to the lowest levels of a system, which means that if they are not designed to be secure by default, attackers could use them as backdoors to compromise users’ systems.

Microsoft said that Huawei responded to the vulnerability disclosure with professionalism and released a patch for the flaw in January, soon after Microsoft reported the vulnerability.

Responding to WannaCry

Starting in Windows 10, version 1809, Microsoft integrated software-based sensors into the kernel so that users could be alerted when code injections are initiated by kernel code. These sensors were put there to prevent backdoors such as DOUBLEPULSAR, which the U.S. National Security Agency (NSA) created and which the Shadow Brokers group then leaked into the wild for any malicious actor to use. The WannaCry ransomware used the DOUBLEPULSAR backdoor to inject its main payload into user space.

Microsoft noted that its Windows Defender ATP security service for enterprise customers was able to detect this type of low-level system vulnerability effectively and then alert system admins about the flaw so that they could take action. The company believes the service will be able to detect other such vulnerabilities in the future and alert its customers before malicious parties exploit them to cause harm.