Microsoft provides code signing to eliminate software tampering and spoofing, and to prove to users that the software is genuine.
According to reports, however, Microsoft has signed a third-party Windows driver, Netfilter, that contains a rootkit: a tool that takes over a computer's root privileges after an intrusion and lets the intruder do whatever they want.
Security researcher Karsten Hahn, who first discovered this, pointed out that the driver got through Microsoft's Windows Hardware Compatibility Program (WHCP) check, even though it had been linked to a Chinese malware command & control (C&C) server not long ago.
It's unknown why this happened, but Microsoft immediately said it was investigating the issue and improving the signing process and third-party access policy validation. Microsoft also added that it does not believe the issue involves a group of hackers with hostile backing.
The already troubled driver manufacturer (Ningbo Zhuo Zhi Innovation Network Technology) has released a patch for the affected software that addresses a security hole. Users can apply it via Windows Update, so those who keep Windows up to date should not have a problem.
According to Microsoft's explanation, Netfilter is software intended only for games, so it is rarely installed in a corporate environment. In addition, since driver installation requires administrator privileges, it is not a problem in enterprises unless IT administrators intentionally introduce it. However, the fact that a signed driver contains a rootkit is an event that overturns the trust signatures are meant to provide.