Windows: 40 drivers vulnerable to escalation of privileges

Researchers analyzing the security of drivers for various Windows devices have found that more than 40 hardware drivers from at least 20 manufacturers can be used by attackers to achieve privilege escalation.

Hardware represents the building blocks of a computer running software. Drivers allow the operating system to recognize hardware components.

Driver programs allow communication between the kernel of the operating system and the hardware, with a higher level of permissions than a regular user and the system administrator.

Therefore, vulnerabilities in drivers are a very serious issue, as they can be used by a user to access the kernel, but also to gain higher privileges in the operating system (OS).

Drivers are also used to update the firmware, so the problem seems to become even more serious.

BIOS and UEFI firmware, for example, is low-level software that starts before the operating system when you turn on your computer. Malicious software embedded in the BIOS or UEFI is invisible to most security applications and cannot be removed even if you reinstall Windows.

Researchers at Eclypsium have discovered more than 40 Windows drivers that could be used by malicious users to gain higher privileges than a typical user, but also to gain access to the Windows kernel.

Affected manufacturers (see list below) include major BIOS vendors and big names in computer hardware such as ASUS, Toshiba, Intel, Gigabyte, Nvidia and Huawei.

According with Eclypsium:

All these vulnerabilities allow the driver to act as a proxy server providing extremely privileged access to hardware resources such as read and write access to the processor and I / O chipset, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory and kernel virtual memory.

Windows

From the kernel, the attacker can access various firmware and hardware interfaces, gaining substantial system permissions on the victim computer. It may not remain invisible as it is not detected by normal OS-level protection products.

Installing drivers on Windows requires administrator privileges and must come from Microsoft Certified Companies. The installation software code is also signed by valid Certificate Authorities, to prove its authenticity. If there is no trusted signature, Windows warns the user.

However, Eclypsium's research refers to legitimate drivers with valid signatures that are accepted by Windows. These drivers are not designed to be malicious, but they do contain vulnerabilities that could be circumvented by malicious users.

Windows: The risk is not hypothetical

Attacks exploiting vulnerable drivers are not theoretical. They have been detected in cyber hacking by hackers who usually have the "backs" of a large company or a government.

The Slingshot APT team used vulnerable drivers to gain higher privileges on infected computers. The Lojax rootkit from APT28 was a much more insidious attack as you add the malware to the UEFI firmware through a signed driver.

All modern versions of Windows are affected by this problem and there is no mechanism to prevent it.

Below is a list of affected companies:

See the list
American Megatrends International (AMI)
ASRock
ASUSTeK Computer
ATI Technologies (AMD)
Biostar
EVGA
Getac
GIGABYTE
Huawei
Insyde
Intel
Micro-Star International (MSI)
NVIDIA
Phoenix Technologies
Realtek Semiconductor
SuperMicro
Toshiba

iGuRu.gr The Best Technology Site in Greeceggns

Get the best viral stories straight into your inbox!















Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).