Microsoft’s out-of-date driver list left Windows PCs open to malware attacks

I can no longer find the thread as this link has spammed Twitter search, but there was some drama earlier in the week about this same issue. Apparently some security researchers were unable to make the feature work and reached out to Microsoft. A Microsoft VP then condescended to their good faith questions and gave a weasel-wordy response that the fix for the feature is in the pipeline. However, if you're not aware of this specific issue, his response reads like the feature is enabled.

I&#x27;m more worried that this is unsurprising to me now rather than it being an issue. The sheer amount of fragmentation, poor engineering, poor commercial decisions and quality issues that surround the Microsoft ecosystem is quite frankly at this point inexcusable.<p>They really need to get themselves together on the Windows front. Actually all fronts. Even Office is a fucking shit show these days and that was the last bastion of common sense on the platform.<p>As a former MS dev dating all the way back to the early 1990s, I don&#x27;t own or work with their platforms as of 2021. My pain threshold isn&#x27;t high enough. I implore the shareholders to kick the entire board out and install some people with good intentions and clue sticks.<p>Until then I will be doing my absolute best to steer everyone I know away from the pain.

Windows 10 has for years automatically loaded a driver for certain Logitech webcams that adds a class driver to all media devices, which can’t be loaded if you have the security turned up. So the result is you can’t load sound drivers anymore, because the class driver which can’t be loaded now is a prerequisite.<p>I sincerely doubt anyone at Microsoft ever tests all those drivers that are shipped with Windows and the automatic driver loading service in Windows Update.

Ars has a good article as well as mentions a script to help<p><a href="https:&#x2F;&#x2F;arstechnica.com&#x2F;information-technology&#x2F;2022&#x2F;10&#x2F;how-a-microsoft-blunder-opened-millions-of-pcs-to-potent-malware-attacks&#x2F;" rel="nofollow">https:&#x2F;&#x2F;arstechnica.com&#x2F;information-technology&#x2F;2022&#x2F;10&#x2F;how-a...</a>

I assume this didn&#x27;t get as high a level of scrutiny because it still fundamentally requires you admin-elevate the running of code from a questionable source. Sure a bad driver might claim it&#x27;s from Dell, but it wasn&#x27;t one you downloaded from dell.com so you probably shouldn&#x27;t be trusting it.<p>Raymond Chen has largely pointed out the position of Microsoft that if you authorize code to run with elevated permissions and it does things it can do with elevated permissions, it&#x27;s not really a security flaw.

A reminder that &quot;support arbitrary hardware&quot; and &quot;secure&quot; is a really, really fucking difficult problem.

Wow. Just wow.