I am not saddened by this event, but by the fact that such occurrences will only add momentum to the movement to lock down computing devices and take freedom away from their users:
https://news.ycombinator.com/item?id=12061320
Those worrying about security should remember that device drivers already run in ring 0 and can do anything they damn well please.
Thus I say: Good on Savitech for not being afraid to rebel against; and fuckings to the corporatocracy that is certificate authorities and the authoritarian security industry.
Why does Windows allow programs to install root CA certs without separate user intervention (beyond the initial "grant admin permissions" dialog)?
I would honestly be more worried about the root CAs which are enabled by default in the most popular OSes and browsers, with root CA privileges for government of China controlled entities, Turkish government entities and unethical/shoddy root CAs such as Symantec. The Netherlands recently passed a law allowing the government specifically to use false keys and run MITM on crypto, which brings into question all .NL based CAs.
So this is a CFAA violation, right? When will we finally hold someone accountable for blatant security issues like this?
It seems unacceptable to me that the updated drivers do not automatically uninstall the CA. How is an ordinary user meant to navigate the certificate store and delete the CA?
Phrased differently: the Microsoft Windows operating system allows silent installation of a root certificate during installation of an unrelated USB driver, despite featuring a micro-kernel design.
Can someone explain root certificates to me and why this is an issue? I know they sign certificates with a private key at a high level, but don't get the implications of that generally.
Is there software that will check the certs on my computers to make sure no software has done this?
>Microsoft provides guidance on deleting and managing certificates in the Windows certificate store
Microsoft should mark these as malicious and quarantine them using their built-in AV. If the end user needs them he can remove them from quarantine. Posting advisories no end user will ever see isn't helping much.
The only version of Windows XP that enforces driver signing is the unicorn 64-bit one; surely they didn't develop the driver for that?
And what kind of odds do I get on the certs having an EKU for anything but driver signing?
Why are they allowed to bundle malware in their drivers? Why is this not illegal?
Alright, so if we get tons of installs of our root CA cert, can we start a new CA?
Is there a list of trusted CA certs that we could use to scan to see if we have any that may not be trusted?
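To answer the three practical questions in this thread (how to check whether some installer has dropped a root into the store, what reference list to compare against, and how to delete one found there), here is an added example written for this page; it is not from the Savitech advisory, from Microsoft, or from anyone in the thread. It uses Microsoft's own Trusted Root Program list, which certutil can download from Windows Update as an SST file, as the reference, and flags any root in the machine or user store that is not on it. Assumptions: Windows with certutil.exe and PowerShell 5.1 or later, network access for the reference download, and an elevated shell only for the final removal line, where the thumbprint is a placeholder and not a real value.

```powershell
# Added example for this thread, not code from the advisory or any vendor.
# Lists root certificates trusted on this machine that are NOT in Microsoft's
# current Trusted Root Program list, so a vendor-installed root stands out.
# Assumes: Windows with certutil.exe, PowerShell 5.1+, network access to
# Windows Update for the reference list, and admin rights only for the
# final Remove-Item (enumeration works as a normal user).

$ErrorActionPreference = 'Stop'

# 1. Reference list: Microsoft's trusted roots, fetched from Windows Update
#    as a serialized certificate store (.sst) file.
$sst = Join-Path $env:TEMP 'microsoft-roots.sst'
& certutil.exe -generateSSTFromWU $sst | Out-Null

$reference = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$reference.Import($sst)
$knownThumbprints = @{}
foreach ($c in $reference) { $knownThumbprints[$c.Thumbprint] = $true }

# 2. Local stores that grant root trust. CurrentUser\Root matters too: a
#    program running as the user can populate it without admin rights, and
#    Windows trusts it for that user.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$unknown = foreach ($store in $stores) {
    Get-ChildItem $store |
        Where-Object { -not $knownThumbprints.ContainsKey($_.Thumbprint) } |
        ForEach-Object {
            # EKUs carried by the certificate itself. An empty list means
            # "valid for any purpose", the worst case for a stray root
            # (TLS server auth, code signing, ...).
            $ekus = ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
            if (-not $ekus) { $ekus = '<none: all purposes>' }
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotBefore  = $_.NotBefore
                SelfSigned = ($_.Subject -eq $_.Issuer)
                EKU        = $ekus
            }
        }
}

$unknown | Sort-Object NotBefore -Descending | Format-Table -AutoSize

# 3. Removal, once you have identified the offending thumbprint. The value
#    below is a placeholder, not a real thumbprint. LocalMachine\Root needs
#    an elevated shell; CurrentUser\Root does not.
# Remove-Item -Path 'Cert:\LocalMachine\Root\<THUMBPRINT>'
```

Anything this prints is a triage list, not a verdict: an internal enterprise PKI root or a corporate TLS-inspection proxy root will show up just as a vendor-dropped one does, so check each hit's issuer and NotBefore date against what you know was deliberately deployed. Sorting by NotBefore puts recently created roots, the usual sign of a driver installer minting its own, at the top.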
Curious as to why EMC got notified 20 days before anyone else...
One more reason to add to the innumerable list of why not to use windows.
This, and all the other thousands of cases of malware in the universe, should mean something for those who defend "native" apps over webapps.
The "Universal ADB Driver" for Android devices[1] also installs a root CA; however, it instead generates the CA during install, signs the driver, deletes the private key, then installs the CA and driver.
1. https://github.com/koush/UniversalAdbDriver