Hacker News
by zenexer 1762 days ago
I wish that were the case—I also wish it were the case that “senior” meant “competent.” Judging by the number of device drivers I’ve had cause serious problems, especially with consumer gaming hardware (as is the case here), I don’t think it’s safe to make any assumptions about the quality of drivers.

For anyone else reading this who’s feeling smug because they would never buy such a device: you don’t need to; only the attacker needs to. Windows will happily download and install the drivers automatically the first time the device is plugged in.

2 comments

It's also not about seniority or competence. Writing kernel mode drivers is being given the task of juggling running chainsaws with real chains while on a balancing board. "Success" is declared when you're able to do this in a lab without there being an issue, ignoring the fact that in the real world there are dodgeballs being thrown at you. Also, no one I've ever worked with writing them has ever wanted to maintain & improve the quality of the drivers they wrote - they wanted to move on to "interesting" work as quickly as possible. This includes myself. The work isn't interesting, fun & usually not important to the business.

In this case, why does a mouse driver need to live in the kernel in the first place? Microsoft should be improving the HID layer to make that unnecessary.

They don't even need to buy the device, they just need something presenting that PID/VID.

For a $2 example, see: https://github.com/chris408/digispark-usbkey-board (PID/VID set here: https://github.com/chris408/digispark-usbkey-board/blob/6f0a...). And yes, it can be much, much smaller than this.