
The driver is some kind of AV/signature detection hook. E.g. a "check every open() for this list of checksums and refuse to open known viruses" style system. The 'update' was a borked definition file which triggered a bug in that system.

It's not code execution without signing, and I think probably they do want these files to be updated hands-free.

The real problem was the lack of testing, rather than the actual mechanism, I think.
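
The mechanism this comment describes, sketched as an added example that is not part of the original comment and not any vendor's code: a checksum gate whose definition updates are validated before they are swapped in, keeping the last good set when an update is malformed. The one-digest-per-line file format, the `OpenGate` class and all sample data are assumptions made for illustration.

```python
import hashlib

class DefinitionError(ValueError):
    """Raised when a definition update fails validation."""

def parse_definitions(blob: bytes) -> frozenset:
    """Parse the assumed format: one lowercase SHA-256 hex digest per line."""
    digests = set()
    for n, raw in enumerate(blob.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue  # blank lines and comments are allowed
        if len(line) != 64 or any(c not in b"0123456789abcdef" for c in line):
            raise DefinitionError(f"line {n}: not a SHA-256 hex digest")
        digests.add(line.decode("ascii"))
    if not digests:
        raise DefinitionError("definition file contains no digests")
    return frozenset(digests)

class OpenGate:
    """User-space stand-in for the hook that vets content before an open()."""

    def __init__(self, initial: bytes):
        self.blocked = parse_definitions(initial)

    def update(self, blob: bytes) -> bool:
        """Swap in new definitions only if the whole file parses."""
        try:
            new = parse_definitions(blob)
        except DefinitionError:
            return False  # keep the last known-good set
        self.blocked = new
        return True

    def may_open(self, content: bytes) -> bool:
        return hashlib.sha256(content).hexdigest() not in self.blocked

# Constructed sample data, not real signatures.
BAD_SAMPLE = b"constructed-malicious-sample"
GOOD_DEFS = hashlib.sha256(BAD_SAMPLE).hexdigest().encode() + b"\n"
BORKED_DEFS = b"\x00" * 64 + b"\n"  # right length, wrong content

def demo():
    gate = OpenGate(GOOD_DEFS)
    accepted = gate.update(BORKED_DEFS)
    return accepted, gate.may_open(BAD_SAMPLE), gate.may_open(b"harmless")

if __name__ == "__main__":
    print(demo())
```

Running the same malformed file through `parse_definitions` in a pre-release test is the check the comment says was missing; the fallback in `update` only limits the damage when such a file ships anyway.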


