DEF CON Too many trusted Windows 10 peripheral drivers, signed off by Microsoft and running with powerful kernel-level privileges, are riddled with exploitable security vulnerabilities, according to infosec biz Eclypsium.
During a talk [PDF] at this year's DEF CON hacking shindig in Las Vegas, Eclypsium's Jesse Michael and Mickey Shkatov warned that the driver software, which is developed by major vendors to ensure their devices work with Windows 10 systems, can be compromised by malware or rogue logged-in users to elevate their privileges and gain total control over otherwise fully patched computers.
The crux of the issue is that the drivers, which support gear from graphics cards to hard drives, run at the same level as the operating system's kernel, which grants them pretty much free access to the underlying hardware and motherboard firmware. If a miscreant manages to exploit an escalation-of-privilege or information-disclosure hole in one of these drivers, they will gain the same level of control over the box. When that happens, it's pretty much game over.
And it turns out dozens of these drivers, which are cryptographically signed by Microsoft so that Windows 10 trusts them, have exploitable flaws.
"Our analysis found that the problem of insecure drivers is widespread, affecting more than 40 drivers from at least 20 different vendors – including every major BIOS vendor, as well as hardware vendors like ASUS, Toshiba, Nvidia, and Huawei," said Team Eclypsium in a memo accompanying its conference presentation.
"However, the widespread nature of these vulnerabilities highlights a more fundamental issue – all the vulnerable drivers we discovered have been certified by Microsoft."
In practice, this means malware already on a machine could gain enough control to evade antivirus detection, snoop on users or steal data undetected, and cause other mischief.
Below is a list of hardware makers who, we're told, have patched their drivers. If you use their kit with Windows 10, run Windows Update to get the new driver builds or otherwise check you're using the latest driver software to ensure you have the necessary security fixes in place:
ASRock; ASUSTeK Computer; ATI Technologies (AMD); Biostar; EVGA; Getac; GIGABYTE; Huawei; Insyde; Intel; Micro-Star International (MSI); NVIDIA; Phoenix Technologies; Realtek Semiconductor; SuperMicro; and Toshiba.
As Microsoft was quick to note in a statement to El Reg on the matter, this isn't a remote-code execution scenario: to abuse the drivers, you already need to be running code on a target machine. According to the Redmond giant, if you keep antivirus tools, drivers, operating system software, and applications up to date, and refrain from opening downloads, programs, and email attachments from untrusted sources, and stay away from bad websites, you'll hopefully prevent malware from getting a foothold on your computer.
Ultimately, the Eclypsium crew points out, even though the driver code is signed by Microsoft, the onus to secure drivers falls on the vendors themselves, and there is only so much the Windows goliath and administrators can do to protect machines from driver exploits.
"Organizations should not only continuously scan for outdated firmware, but also update to the latest version of device drivers when fixes become available from device manufacturers," the Eclypsium team noted. "Organizations may also want to keep their firmware up to date, scan for vulnerabilities, monitor and test the integrity of their firmware to identify unapproved or unexpected changes." ®
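As an added illustration of that advice, here is a PowerShell inventory script (not part of the article, Eclypsium's research, or any vendor's tooling) that lists the signed third-party Plug and Play drivers on a Windows 10 box and flags those whose provider matches one of the vendors named above, so an admin can compare each version against the vendor's current download. It assumes PowerShell 5.1 or later with the CIM cmdlets; it cannot tell which version contains the fix, since the article does not list fixed builds.

```powershell
# Added example: inventory signed PnP drivers and flag the vendors named in the article.
# Assumes Windows 10, PowerShell 5.1+, and the standard CIM cmdlets (Win32_PnPSignedDriver).
$vendorsFromArticle = @(
    'ASRock', 'ASUSTeK', 'ATI', 'AMD', 'Biostar', 'EVGA', 'Getac', 'GIGABYTE',
    'Huawei', 'Insyde', 'Intel', 'Micro-Star', 'MSI', 'NVIDIA', 'Phoenix',
    'Realtek', 'SuperMicro', 'Toshiba'
)
# Build one case-insensitive regex with word boundaries, so 'ATI' does not match
# the 'ati' inside words such as 'Communications'.
$pattern = ($vendorsFromArticle | ForEach-Object { '\b' + [regex]::Escape($_) + '\b' }) -join '|'

# Win32_PnPSignedDriver exposes provider, version, date, signer and INF per device.
$drivers = Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.DriverProviderName -and $_.DriverProviderName -ne 'Microsoft' }

$report = foreach ($d in $drivers) {
    $listed = ($d.DriverProviderName -match $pattern) -or ($d.Manufacturer -match $pattern)
    [pscustomobject]@{
        Device       = $d.DeviceName
        Provider     = $d.DriverProviderName
        Version      = $d.DriverVersion
        DriverDate   = $d.DriverDate      # DateTime when read through CIM
        Signer       = $d.Signer          # e.g. the Microsoft Windows Hardware Compatibility Publisher
        Inf          = $d.InfName
        ListedVendor = $listed
    }
}

# Oldest drivers from the named vendors first: these are the ones to check against
# the vendor's current release and, where newer builds exist, to push via Windows Update.
$report | Where-Object ListedVendor | Sort-Object DriverDate | Format-Table -AutoSize

# Keep a CSV so the inventory can be diffed after the next patch cycle.
$report | Export-Csv -Path "$env:TEMP\driver-inventory.csv" -NoTypeInformation
```

Run it elevated to see every device; a driver appearing here with a Microsoft signer but a third-party provider is exactly the kind of Microsoft-certified vendor code the talk was about.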