Windows 7 - KB932596 breaks unsigned drivers in x64

Asked By Peter Lawton on 15-Aug-07 02:15 AM
Be careful of the KB932596 "update" it stops the "bcdedit -set load options
DDISABLE_INTEGRITY_CHECKS" option working, that a lot of vista x64 users
were using to load unsigned drivers, and the associated MS KB article
doesn't see fit to mention the fact that this is probably the only thing
this ""update" does.

32bit OS users don't have to worry of course as MS never dared to put
outrage that would have happened. I suppose MS figured there were so few
64bit OS users anyway and they were having so many driver issues already one
more thing to put up with wasn't going to make much difference :(

Peter Lawton




dale097 replied on 17-Aug-07 05:53 PM
You are correct.  KB932596 definitely breaks unsigned drivers.  For me, it
killed VMWare Server on Vista X64.  If it killed anything else, I don't know
because I rolled back to a restore point and installed all the new updates
except KB932596.

I hope Microsoft undoes this undocumented feature change disguised as a
critical security patch.  When critical patches are used for marketing
advantage, it wrecks confidence in the entire Windows Update model.


Dale

--
Dale Preston
MCAD C#
MCSE, MCDBA
Peter Lawton replied on 20-Aug-07 04:50 AM
Yes, if this "feature" was at all critical for the users security MS would
have rolled it out to 32bit Vista as well.

I 'm getting the feeling that when MS says Vista has much improved security
what they mean is that they've improved security for all their DRM, at the
expense of functionallity for all their paying customers who definately
don't like it or want it.

Rather ironic that MS has just spent so much time and effort jumping on the
DRM/activation bandwagon just as everyone else, even the record industry, is
finally realising it's counter productive and only succeeds in alianating
all your paying customers.

Peter Lawton
dale097 replied on 20-Aug-07 10:22 AM
And if it were really a security patch it would be described clearly in the
KB article rather than disguised as an update to kernel patching protection.

They didn't fully disable the use of unsigned drivers but they did remove
the ability to persist that setting in boot configuration using the bcdedit
tool.  Now you have to press F8 to get the boot menu and choose Disable
Driver Signature Enforcement.

So that change has nothing at all to do with kernel patching protection but
is simply a feature change disguised as a "critical update".

--
Dale Preston
MCAD C#
MCSE, MCDBA
andrew.harwar replied on 23-Aug-07 06:12 AM
I tried uninstalling the patch, but even after uninstalling, it forces
me to use the F8 option. I checked that the DDISABLE_INTEGRITY_CHECKS
loadoption was set.

Hooray, now I have to buy a new TV tuner card... for no reason.

Does anyone know of a way to recover from this patch?
dale097 replied on 23-Aug-07 01:56 PM
Because there has been no word from Microsoft on this issue, and no patch to
the patch, I am quickly coming to the conclusion that what was earlier just
an assumption is, in fact, a fact:  that this feature change poorly disguised
as a security patch was an intentional ploy by Microsoft to force driver
makers to update and sign their drivers.

Before this change, users could get around unsigned drivers so they probably
did not exert much pressure on the driver creators to update those drivers.

The behavior of this patch is such that users still have a way around the
unsigned drivers but now that work-around becomes a real nuisance.  Could it
be that Microsoft is doing this to shanghai their customers into the fight
against unsigned drivers?

Dale
--
Dale Preston
MCAD C#
MCSE, MCDBA
Ottmar Freudenberger replied on 23-Aug-07 03:15 PM
You may wanna make note of
http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx and
http://www.microsoft.com/technet/security/advisory/932596.mspx and i.e.
http://www.heise-security.co.uk/news/94424

Bye,
Freudi
Peter Lawton replied on 24-Aug-07 04:32 AM
I think one of the recent Vista "performance" patches also stops the kernel
patch protection workaround.

Despite all the helpful references people are giving to MS documents about
kernel patch protection I can't find any that inform us that any of the
recent updates stop the "bcdedit -set load options
DDISABLE_INTEGRITY_CHECKS" working, when at least two, possibly three of the
recent patches do exactly that.

My suspicion is that stopping "bcdedit -set load options
DDISABLE_INTEGRITY_CHECKS" working is the only thing that KB932596 does, at
least MS has published nothing at all about what it does to say any
different

Also if kernel patch protection is so vital for users security that the
option to disable it has to be removed without warning, then why does MS
think it's only the few users of x64 versions that need this "protection",
who are mostly very technically aware anyway, rather than the multitude of
32bit version users who largely aren't as technically savvy and would
presumeably need the "protection and stability" far more?

Something stinks about this whole thing

Peter Lawton
spearman replied on 07-Sep-07 10:56 PM
what about system restore !  move back before the patch