As the Black Hat security conference comes to an end in Las Vegas, so the DEF CON hacker convention begins. It didn’t take long for the first critical warnings for Windows users to emerge as a result. This one is particularly worrying as, according to the Eclypsium researchers who gave the presentation, the issue applies “to all modern versions of Microsoft Windows,” which leaves millions of Windows 10 users at risk of system compromise.
What did the researchers reveal?
In a nutshell, the researchers found a common design flaw within the hardware device drivers from multiple vendors including Huawei, Intel, NVIDIA, Realtek Semiconductor, SuperMicro and Toshiba. In total, the number of hardware vendors affected runs to 20 and includes every major BIOS vendor. The flaws have the potential to enable the widespread compromise of Windows 10 machines.
Eclypsium’s research team were investigating how insecure drivers can be abused to attack a device and gain a foothold on the system it is part of. “Drivers that provide access to system BIOS or system components for the purposes of updating firmware, running diagnostics, or customizing options on the component,” the researchers stated during their presentation, “can allow attackers to turn the very tools used to manage a system into powerful threats that can escalate privileges and persist invisibly on the host.”
The drivers were found to have design flaws that enable what are meant to be “low-privilege” applications to be used by a threat actor in such a way as to potentially compromise parts of the Windows operating system that should only be accessible by “privileged” applications. That includes the Windows kernel at the very heart of the operating system.
Certified for trust
The dangerous escalation of privileges problem, giving an attacker read and write access at the same level as the kernel, becomes more troubling when you realize the level of trust that can be exploited here.
These were not “rogue” drivers, but officially sanctioned ones. They were all from trusted vendors, all signed by trusted certificate authorities and all certified by Microsoft.
As the drivers are designed specifically to update firmware, the seriousness of the issue becomes very apparent, very quickly. The flawed drivers not only provide the mechanism to make these changes but also the privileges to do so. If a threat actor can manipulate this combination of bad coding and signed certification, well, the outcome isn’t going to look pretty.
The researchers stated that there are “multiple examples of attacks in the wild that take advantage of this class of vulnerable drivers.” Examples provided included the Slingshot APT campaign which installs a kernel rootkit and “LoJax malware” that installs malicious code in device firmware that can even survive a full Windows reinstallation.
Has the problem been fixed yet?
Mickey Shkatov, a principal researcher at Eclypsium, told ZDNet that “Some vendors, like Intel and Huawei, have already issued updates.” Others, which are independent BIOS vendors, like Phoenix and Insyde, “are releasing their updates to their customer OEMs,” Shkatov said.
The Eclypsium research reveals that the security issue applies to “all modern versions of Microsoft Windows,” and “there is currently no universal mechanism to keep a Windows machine from loading one of these known bad drivers.” That said, group policies for Windows Enterprise, Pro and Server could provide a degree of mitigation to “a subset of users,” the researchers stated.
Eclypsium has published the full list of vendors that have issued updates; you should install those updates as soon as possible.
What has Microsoft said?
A Microsoft statement said, “In order to exploit vulnerable drivers, an attacker would need to have already compromised the computer. To help mitigate this class of issues, Microsoft recommends that customers use Windows Defender Application Control to block known vulnerable software and drivers.” As well as turning on memory integrity for capable devices in Windows Security, Microsoft also recommended using Windows 10 and the Edge browser “for the best protection.”
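To make the two mitigations above concrete, here is an added example (not code from the article, from Eclypsium or from Microsoft) that checks whether memory integrity is actually running and then adds a Windows Defender Application Control deny rule for one driver. The driver path and the base policy path are placeholders for your own environment; the driver itself should be one named in a vendor advisory, since the article does not list individual driver files.

```powershell
# Added example, not code from the article, Eclypsium or Microsoft.
# Assumptions (placeholders, replace for your environment):
#   $driver     - path to a driver named in a vendor advisory
#   $basePolicy - an existing WDAC base policy XML for this fleet

$driver     = 'C:\Drivers\VendorTool.sys'
$basePolicy = 'C:\WDAC\BasePolicy.xml'

# 1. Is memory integrity (HVCI) actually running? "Configured" and "running" are
#    reported separately, and a configured-but-not-running state is common.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning = $dg.SecurityServicesRunning -contains 2   # 2 = Hypervisor Enforced Code Integrity
"Memory integrity (HVCI) running: $hvciRunning"

# 2. Inspect the driver's signature. The whole point of the research is that these
#    drivers are validly signed, so Status = Valid is not evidence the driver is safe.
Get-AuthenticodeSignature -FilePath $driver | Format-List Status, SignerCertificate

# 3. Build a WDAC deny rule keyed on the file hash, so a renamed copy is still blocked.
$denyRules = New-CIPolicyRule -DriverFilePath $driver -Level Hash -Deny

# 4. Merge the deny rule into the existing base policy (deny rules take precedence over allow rules).
$merged = 'C:\WDAC\BasePolicy-DenyDriver.xml'
Merge-CIPolicy -OutputFilePath $merged -PolicyPaths $basePolicy -Rules $denyRules

# 5. Start in audit mode (rule option 3): blocked loads are only logged to
#    Microsoft-Windows-CodeIntegrity/Operational (Event ID 3076) until you have
#    confirmed nothing legitimate breaks. Remove option 3 to enforce.
Set-RuleOption -FilePath $merged -Option 3

# 6. Compile to the binary form Windows consumes; deploy via Group Policy or MDM.
ConvertFrom-CIPolicy -XmlFilePath $merged -BinaryFilePath 'C:\WDAC\SIPolicy.p7b'
```

Two caveats a practitioner would want. A hash rule blocks exactly one build of the driver, so a vendor's other vulnerable versions need their own rules (or a rule at a different level, such as file name plus version). And Microsoft's point stands: this only stops a known bad driver from loading, it does not stop an attacker who already has administrator rights from bringing a different signed driver that has not yet been catalogued.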