Windows 10 Version 1607 driver signing changes

[Batu69]

Microsoft announced recently that the upcoming version 1607 of Windows 10, known as the Anniversary Update, will only load kernel mode drivers that are digitally signed by Microsoft.

 

The change won't affect all systems however the company notes, as only new installations are affected in the beginning.

Quote

Starting with new installations of Windows 10, version 1607, the previously defined driver signing rules will be enforced by the Operating System, and Windows 10, version 1607 will not load any new kernel mode drivers which are not signed by the Dev Portal.

 

The list of exceptions to the new policy is long. Below is the most important information in regards to the new kernel mode drivers policy:

1. PCs upgraded to WiStarting with new installations of Windows 10, version 1607, the previously defined driver signing rules will be enforced by the Operating System, and Windows 10, version 1607 will not load any new kernel mode drivers which are not signed by the Dev Portal.ndows 10 Build 1607 from a previous version of Windows (for instance Windows 10 version 1511) are not affected by the change.
2. PCs without Secure Boot functionality, or Secure Boot off, are not affected either.
3. All drivers signed with cross-signing certificates that were issued prior to July 29, 2015 will continue to work.
4. Boot drivers won't be blocked to prevent systems from failing to boot. They will be removed by the Program Compatibility Assistant however.
5. The change affects only Windows 10 Version 1607. All previous versions of Windows are not affected.

Microsoft notes that the change is done to make Windows more secure for end-users.

Quote

We’re making these changes to help make Windows more secure. These changes limit the risk of an end-user system being compromised by malicious driver software.

 

While the company states that certain setups won't be affected by the change, it appears that at least some of these exceptions will only be temporary.

As mentioned previously, boot drivers won't be blocked outright according to Microsoft. The company states however that Windows will eventually block boot drivers.

 

Microsoft mentions further that it "starts with" new installations of Windows 10 which suggests that it plans to remove some or even all of the exceptions in the future.

Impact

 

Kernel mode drivers are used by various programs on Windows. The list includes various security and backup programs, or VPN applications to name a few.

Any kernel mode driver not signed by Microsoft won't run anymore on new installations of Windows provided that the exceptions listed above don't apply.

 

This in turn makes the program non-functioning that relies on the driver.

 

While Windows 10 users may be affected by the change, so are developers. Companies may have enough funds to get the required certificates to get their drivers signed by Microsoft, but the same may not be true for hobby programmers or one-man teams.

 

The move will limit malicious kernel mode drivers on the other hand as well.

 

Article source

[Sylence]

One step closer to malware-free OS, good job Microsoft

[bigcid10]

OK,what about self signed drivers?

 

[SPECTRUM]

12 hours ago, bigcid10 said:

OK,what about self signed drivers?

 

 

nothing, this is only about kernel mode drivers, aka friendly rootkits that some AV and others security programs use.

[straycat19]

Microsoft is rolling out a change in minimum hardware requirements for Windows 10 PCs and mobile devices, and expects hardware makers to comply in order to make their devices more secure.

 

Starting Thursday, PC makers should include a hardware-based security feature called TPM (Trusted Platform Module) 2.0 in Windows 10 PCs, smartphones and tablets.

The TPM 2.0 feature will be beneficial for users as it will do a better job of protecting sensitive information on a PC. A TPM 2.0 security layer -- which can be in the form of a chip or firmware -- can safeguard user data by managing and storing cryptographic keys in a trusted container.

 

Microsoft wants to kill passwords with a biometric authentication feature called Windows Hello, in which users can log into a PC via fingerprint, face or iris recognition. A TPM 2.0 chip is important to Windows Hello as it generates and stores the authentication keys in a secure area.

 

TPM 2.0 could also make two-factor authentication via Microsoft Passport -- which could use biometric and pin-based authentication -- a common feature in Windows 10 PCs. The Passport feature could be used to log into websites, applications and other services.

 

Microsoft has said TPM isn't needed for Windows Hello, but recommends the security layer to protect biometric login data. TPM chips can be hard to hack, and do a better job protecting sensitive information than the software-based mechanisms that would otherwise be used to protect Windows Hello login data.

 

TPM definitely provides a security improvement in laptops, and is an excellent protection for encryption keys and other critically important data needed for authentication on the PC, said Kevin Murphy, vice president of operations at security company IOActive.

"Since it is hardware based rather than software based, the keys are not exposed to the PC memory. PC memory is a common venue for attackers to scrape intellectual property resident in the memory, which is usually the main purpose of the attack,"  Murphy said.

However, using the TPM does not protect the encryption keys from being manipulated by an attacker. If an attacker "owns" the machine -- for example by spoofing an authorized user -- the TPM will answer any request as it normally would to the legitimate user.

"It will not know the difference. The advantage in this scenario is that the attack is limited to the current attack and cannot steal the keys for a future attack," Murphy said.

It is possible to break TPM chips, but it would be a difficult attack, likely requiring a tremendous amount of skill, equipment, time, and investment, Murphy said.

Disk encryption system BitLocker already uses TPM to secure encryption keys. TPM is also used for secure software updates, to protect virtual machines and to authenticate smart cards. Intel's vPro remote management service relies on TPM for authentication ahead of remote PC repairs.

 

TPM 2.0 will be a minimum requirement on all Windows 10 devices except for developer boards like Raspberry Pi 3, which runs the lightweight Windows 10 IoT Core.

The security feature isn't new; in fact it's been available for years, mostly in business PCs. Many new PCs already have TPM 2.0, with an exception being low-cost PCs. Some Windows laptops have the older TPM 1.2 standard. But PC makers will now be expected to comply with Microsoft’s new hardware requirements and include TPM 2.0.

HP's Elite X3 Windows 10 smartphone -- based on Qualcomm's latest Snapdragon 820 processor -- already has TPM 2.0. The feature isn't listed in Acer's Liquid Jade Primo or Nokia Lumia models, which have older components.

 

Microsoft has been trying to drive hardware and software changes in PCs, some of which have been controversial. Upcoming PCs based on Intel's Kaby Lake chips -- which could be released in the third quarter -- will support only Windows 10, not prior versions of the OS.

The software company earlier this year said it would support Windows 7 and 8.1 on Skylake devices until July 17, 2017, but extended that for one year after attracting criticism for trying to force an OS upgrade to Windows 10 on users.

 

Microsoft has been working with hardware partners to implement TPM 2.0 across devices, a spokesperson said. TPM 2.0 maximizes security capabilities for Windows Hello, Passport, and helps secure 4K streaming video using DRM, she said.

"In the future, more key features will rely on it," the spokesperson said.

 

TPM 2.0, a specification from Trusted Computing Group, was approved as an international standard by ISO/IEC (the International Organization for Standardization and the International Electrotechnical Commission) in June last year.

 

Article

[Batu69]

Topic merged.