In September 2015, Dell was alerted to a change in code signing requirements Microsoft has implemented on Windows 10 Threshold 2 (TH2) version 1511 (Windows 10 November 2015 update). Effective January 1, 2016, Microsoft requires all driver files to be signed with the new SHA-256 certificate.
If a customer attempts to install a driver dated January 1, 2016 that doesn't have the SHA-256 certificate, they will encounter an error that indicates the signature of the chipset driver is corrupt or invalid. Dell Engineering has discovered that a limited set of drivers were published after January 1, 2016 without the SHA-256 certificate. Dell is working to quickly validate that all January 1, 2016 and newer drivers on the Dell Support Website (Dell.Com/Support) are correctly certified with the SHA-256 certificate to prevent this error.
All Dell drivers were updated to the SHA-256 certificate shortly after the beginning of 2016. If you should encounter this issue with a Dell driver, ensure that you have downloaded the most recent version of the driver.
If you encounter a situation where the current driver presents this issue, download the previous revision of the driver (if one is available); previous revisions should be compliant with the previous certificate. To check for previous versions of a driver, open the download page of the current driver and scroll down the page. If there is a listing for "Other Versions", then there is a previous version available for download. (Figures 1 & 2)
Figure 1 - Other Versions drop-down
Figure 2 - Drop-down list of previous driver versions that are available
Q: What systems are impacted?
A: All customers whose systems have Windows 10 are potentially impacted if they downloaded drivers that do not meet code signing requirements laid out by Microsoft.
Q: What are the new code signing requirements meant to protect against?
A: This is hardening against malicious software attempting to compromise or assume the identity of a certificate. This new code signing certificate is adding protection against a theoretical vulnerability.
Q: How is the user affected if they have drivers that do not meet the new code signing requirements?
A: The user will get an error that the cert is corrupt or expired.
Q: Can the vulnerability MSFT is trying to protect against be used for a phishing attack?
A: No, the nature of the attack is not phishing-related. It is protecting against software trying to assume a certificate's identity of trust.
Q: How many vendors are impacted?
A: This issue is industry-wide for PCs running Windows 10. Customers should verify their status with the vendor they purchased their system from or downloaded their drivers from.
Q: Is there a way to identify if one of my drivers is affected?
A: If a customer attempts to install a driver dated January 1, 2016 that doesn't have the SHA-256 certificate, they will encounter an error that indicates the signature of the chipset driver is corrupt or invalid.
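A downloaded driver package can also be inspected before installation. The following is an added example, not Dell or Microsoft code: it uses the built-in `Get-AuthenticodeSignature` cmdlet to report the signature status and the signer certificate's signature algorithm for each file in an extracted package. The function name and the folder path are hypothetical, and the check does not reproduce Windows' own driver signing policy evaluation.

```powershell
# Added example. Get-DriverSignatureReport and the sample path are hypothetical names.
function Get-DriverSignatureReport {
    param(
        [Parameter(Mandatory)]
        [string]$DriverFolder   # folder where the driver package was extracted
    )

    # The package signature normally lives in the catalog (.cat); binaries may
    # additionally carry an embedded signature, so list those as well.
    $files = Get-ChildItem -Path $DriverFolder -Recurse -File -Include *.cat, *.sys, *.dll

    foreach ($file in $files) {
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $cert = $sig.SignerCertificate   # $null when the file has no signature

        [pscustomobject]@{
            File          = $file.Name
            Status        = $sig.Status   # Valid, NotSigned, HashMismatch, ...
            CertAlgorithm = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }
            Signer        = if ($cert) { $cert.Subject } else { $null }
            FileDate      = $file.LastWriteTime
        }
    }
}

# Example call (assumed path): list everything, then flag files to look at.
$report = Get-DriverSignatureReport -DriverFolder 'C:\Temp\ExtractedDriver'
$report | Sort-Object File | Format-Table -AutoSize

# A signed file whose signer certificate is not SHA-256 based (for example
# sha1RSA), or a catalog that does not verify, is the case described above.
$flagged = $report | Where-Object {
    ($_.CertAlgorithm -and $_.CertAlgorithm -notmatch 'sha256') -or
    ($_.File -like '*.cat' -and $_.Status -ne 'Valid')
}

if ($flagged) {
    Write-Warning 'Files with a non-SHA-256 signer certificate or an invalid catalog:'
    $flagged | Format-Table File, Status, CertAlgorithm, Signer -AutoSize
} else {
    Write-Output 'All signed files use a SHA-256 signer certificate and catalogs verify.'
}
```

A binary that is covered only by the package catalog can report `NotSigned` when checked this way outside an installed system, so the catalog (`.cat`) result is the one to rely on.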
Q: How does Dell learn about security vulnerabilities in its programs and products?
A: Dell has a robust product development and testing cycle that we are always improving, and when we detect issues, we work quickly to resolve them. In addition, we foster an open relationship with our customers and those in the security community so we can help protect our customers.
Q: Is this related to eDellRoot and DSDTestProvider vulnerabilities?
A: No, this issue is not related to the eDellRoot and DSDTestProvider certificate vulnerabilities identified in 2015.
Acknowledgments
Dell would like to thank Microsoft whose efforts help us protect customers through coordinated vulnerability disclosure and resolution.