Many Windows drivers permit malware to access anything, subverting controls that separate user space from the kernel. They even allow hackers to rewrite your PC’s firmware, allowing persistent, untraceable rootkit threats.
Yes, it’s as bad as it sounds. At DEF CON 27 in Las Vegas, researchers unveiled at least part of this “Screwed Drivers” problem.
So what are Microsoft and the hardware vendors doing about it? And what should PC owners do? In today’s SB Blogwatch, we get cross-threaded.
Your humble blog watcher curated these bloggy bits for your entertainment. Not to mention robbers.
Driver Danger; Firmware Fracas
What’s the craic? Nathaniel Mott’s got, “Report Finds Intel, AMD and Nvidia Vulnerabilities (Among Others)”:
Researchers often give security vulnerabilities catchy names to help them attract more attention. … The researchers at Eclypsium … revealed serious issues with more than 40 drivers on Saturday, it simply titled its report Screwed Drivers. (Catchy.)
…
It found severe vulnerabilities in drivers from “every major BIOS vendor” as well as the likes of Asus, Toshiba, Nvidia, Intel, AMD, and Huawei, which is pretty bad news. But worse still … all of the insecure drivers had been [quality] certified by Microsoft.
…
The list of affected vendors already reads like a who’s-who of hardware makers. … The security company said that drivers from other vendors were affected [but] they “are still under embargo due to their work in highly regulated environments.”
Yikes. Tom Spring bounces back—“Dozens of insecure drivers from 20 vendors illustrate widespread weaknesses”:
An insecure driver can be just what a hacker needs to get its foot in the door to a Windows environment. … Eclypsium [is] sounding the alarm over what it sees as a dire security problem.
…
Here at DEF CON on Saturday, [they] said they first pinpointed the issue in April. … They then gave offending companies a 90-day window to mitigate the issues.
…
What researchers said makes this problem particularly menacing is the assumption that firms such as Microsoft have their back. [But] just because a driver is signed and certified does not mean it is safe.
…
“No one is taking ownership of this issue,” [they said.] “All the drivers come from trusted third-party vendors, signed by valid certificate authorities, and certified by Microsoft.”
Who found it? Mickey Shkatov and Jesse Michael—“Common Design Flaw In Dozens of Device Drivers Allows Widespread Windows Compromise”:
Drivers that provide access to system BIOS or system components [are] powerful threats that can escalate privileges and persist invisibly. … The problem of insecure drivers is widespread, affecting … every major BIOS vendor, as well as … 40 drivers from at least 20 different vendors.
…
All these vulnerabilities allow the driver to act as a proxy to perform highly privileged access to the hardware. … It can move an attacker from user mode (Ring 3) to OS kernel mode (Ring 0). … It can also grant access to the hardware and firmware interfaces with even higher privileges … the “negative” firmware rings that lie beneath the operating system.
…
Malware … could scan for a vulnerable driver on the victim machine and then use it to gain full control. [And] malware can bring any of these drivers along with them to perform privilege escalation and gain direct access to the hardware.
…
There is currently no universal mechanism to keep a Windows machine from loading one of these known bad drivers. … Organizations may also want to keep their firmware up to date, scan for vulnerabilities, monitor and test the integrity of their firmware to identify unapproved or unexpected changes. … Organizations should not only continuously scan for outdated firmware, but also update to the latest version of device drivers when fixes become available from device manufacturers.
Frightening. Bertram Pincus sounds scared:
This is scary stuff. … Between all my machines, like many of you I’d guess, I’m potentially exposed.
…
Good luck. Hope you’re lucky enough to escape any driver manufacturers listed.
So it’s Microsoft’s fault? LordWabbit2 scatologically points the finger elsewhere:
A lot of the reporting I am seeing in mainstream media is blaming Windows 10. [We should be] blaming the third party vendors who wrote **** drivers.
And Jim Long agrees:
So when do we reach that critical mass where we finally admit these companies are too committed to “Coding For Dummies”?
Cue: Linux fanbois? Aquinus says he “Wants to care, but used Ubuntu”:
In all seriousness, anything that runs with elevated privileges at any point could theoretically be a vector for attack, even in Linux. The difference is how drivers in Linux are delivered versus on Windows.
Whatever next? Levent goes the extra mile:
So pretty much every component in my system has at least one vulnerability. What is next? PSUs mining bitcoins?
As you might expect, some driver vendors responded to the research better than others. Bitgod channels a vendor that didn’t even bother:
MSI is all, “We’re too busy having our one guy making updated BIOSes for the AMD boards, we don’t have time for this right now. We’ll get back to you next year.”
Meanwhile, toonces33 sounds slightly sarcastic:
Wheee. More updates. Something else to look forward to.