Certified Drivers Apparently Unsafe

Eclypsium, an Oregon security company, claims that drivers on Microsoft’s Windows platform are a security mess. Who could have guessed? Their researchers found serious flaws in more than 40 drivers from at least 20 different hardware vendors. The drivers expose privileged operations to whatever user-mode program can open them, and every one of these vulnerabilities allows the driver to hand over “access to the hardware resources, such as read and write access to processor and chipset I/O space, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory and kernel virtual memory. This is a privilege escalation as it can move an attacker from user mode (Ring 3) to OS kernel mode (Ring 0).” Basically, complete control of the impacted machine for any malware that is already running on it in user mode. Not only that, the same read/write access to chipset and physical memory could let malware tamper with UEFI firmware and persist across an operating system re-installation. Eclypsium also points out that the drivers do not merely read this state; they provide the mechanism to change it. Scary stuff.
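To make the flaw class concrete, here is an added example that is not Eclypsium’s or any vendor’s code: a user-space C model of the driver pattern the research describes, a thin proxy that forwards “read/write MSR” and “read/write physical memory” requests from user mode straight to the hardware, beside a hardened dispatch that applies a policy. The MSR table and physical address space are fake arrays, the IOCTL codes, the allow-listed MSR indices and the permitted physical window are invented, and an `is_admin` flag stands in for the caller’s security token, so the model builds and runs on any OS.

```c
/* Added example (not Eclypsium's or any vendor's code): a user-space C model
 * of the driver pattern the research describes. The "hardware" is a fake MSR
 * table and a fake physical address space, the IOCTL codes are invented, and
 * the admin flag stands in for the caller's token, so it builds and runs on
 * any OS. The point is the difference between the two dispatch routines. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSR_COUNT 0x200u          /* fake MSR table (real MSR space is 32-bit) */
#define PHYS_SIZE 0x10000u        /* 64 KiB of fake physical memory */
static uint64_t g_msr[MSR_COUNT];
static uint8_t  g_phys[PHYS_SIZE];

enum ioctl_code { IOCTL_READ_MSR = 1, IOCTL_WRITE_MSR, IOCTL_READ_PHYS, IOCTL_WRITE_PHYS };
enum status     { ST_OK = 0, ST_ACCESS_DENIED, ST_INVALID_PARAM, ST_BAD_IOCTL };

struct ioctl_req {                /* what a user-mode caller hands to the driver */
    uint32_t code;
    uint64_t target;              /* MSR index, or physical address */
    uint64_t value;               /* MSR value (in for writes, out for reads) */
    uint32_t len;                 /* byte count for physical access */
    uint8_t  data[64];            /* bytes in/out for physical access */
};
struct caller { bool is_admin; }; /* stand-in for the caller's security token */

/* Copies between the request and fake RAM. These bounds only keep the
 * model's array in range; they are NOT a security policy. */
static enum status phys_copy(struct ioctl_req *r, bool write) {
    if (r->len > sizeof r->data || r->target > PHYS_SIZE || r->len > PHYS_SIZE - r->target)
        return ST_INVALID_PARAM;
    if (write) memcpy(g_phys + r->target, r->data, r->len);
    else       memcpy(r->data, g_phys + r->target, r->len);
    return ST_OK;
}

/* The pattern the research describes: a thin proxy. Any process that can
 * open the device gets kernel-level read/write of MSRs and physical memory. */
enum status vulnerable_dispatch(const struct caller *c, struct ioctl_req *r) {
    (void)c;                                            /* privilege never consulted */
    switch (r->code) {
    case IOCTL_READ_MSR:
    case IOCTL_WRITE_MSR:
        if (r->target >= MSR_COUNT) return ST_INVALID_PARAM;   /* model bound only */
        if (r->code == IOCTL_READ_MSR) r->value = g_msr[r->target];
        else                           g_msr[r->target] = r->value;
        return ST_OK;
    case IOCTL_READ_PHYS:
    case IOCTL_WRITE_PHYS:
        return phys_copy(r, r->code == IOCTL_WRITE_PHYS);       /* any address, any length */
    default:
        return ST_BAD_IOCTL;
    }
}

/* Policy a hardened driver bakes in: a short list of read-only MSRs a
 * monitoring tool plausibly needs (indices illustrative) and one physical
 * window standing in for the device's own MMIO region (addresses invented). */
static const uint64_t k_readable_msrs[] = { 0x10 /* TSC */, 0x19C /* IA32_THERM_STATUS */ };
#define ALLOWED_PHYS_BASE 0x8000u
#define ALLOWED_PHYS_SIZE 0x1000u

static bool msr_readable(uint64_t idx) {
    for (size_t i = 0; i < sizeof k_readable_msrs / sizeof k_readable_msrs[0]; i++)
        if (k_readable_msrs[i] == idx) return true;
    return false;
}

enum status hardened_dispatch(const struct caller *c, struct ioctl_req *r) {
    /* 1. The device object should carry a DACL restricting who may open it;
     *    re-checking in the handler means a loose DACL is not fatal. */
    if (!c->is_admin) return ST_ACCESS_DENIED;
    switch (r->code) {
    case IOCTL_READ_MSR:                     /* 2. allow-listed, read-only MSRs */
        if (!msr_readable(r->target)) return ST_ACCESS_DENIED;
        r->value = g_msr[r->target];
        return ST_OK;
    case IOCTL_WRITE_MSR:                    /* 3. no generic MSR write at all: a writable
                                              *    LSTAR/STAR is ring-0 code execution */
        return ST_ACCESS_DENIED;
    case IOCTL_READ_PHYS:
    case IOCTL_WRITE_PHYS:                   /* 4. overflow-safe range check against the
                                              *    one window this device legitimately owns */
        if (r->len > sizeof r->data) return ST_INVALID_PARAM;
        if (r->target < ALLOWED_PHYS_BASE ||
            r->target - ALLOWED_PHYS_BASE > ALLOWED_PHYS_SIZE - r->len)
            return ST_ACCESS_DENIED;
        return phys_copy(r, r->code == IOCTL_WRITE_PHYS);
    default:
        return ST_BAD_IOCTL;
    }
}

int main(void) {
    struct caller user = { .is_admin = false };
    struct ioctl_req req = { .code = IOCTL_WRITE_MSR, .target = 0x10, .value = 0xDEADBEEF };
    printf("non-admin MSR write   vulnerable=%d hardened=%d\n",
           vulnerable_dispatch(&user, &req), hardened_dispatch(&user, &req));
    req.code = IOCTL_WRITE_PHYS; req.target = 0; req.len = 8;   /* page 0: not our device */
    printf("non-admin phys write  vulnerable=%d hardened=%d\n",
           vulnerable_dispatch(&user, &req), hardened_dispatch(&user, &req));
    return 0;
}
```

The vulnerable routine is exactly what a signature cannot catch: it is well-formed, it does what the vendor intended, and it is signed by the vendor, yet it turns any caller into a kernel. The hardened routine shows the shape of a real fix: check the caller, expose only the specific operations the vendor’s tool needs, and never expose a generic write to MSRs or to physical memory outside the device’s own range.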

What’s perhaps most interesting is that every driver they tested was signed with a certificate issued by a valid Certificate Authority and, according to Eclypsium, certified by Microsoft. A signature tells you who shipped the driver and that it has not been tampered with since; it says nothing about whether the code inside is safe to expose to user mode. Tie that to the fact that Windows 10 Home gives you little control over which updates, drivers included, Windows Update installs, and you’ve got one heck of a potentially serious problem. In other words, these problematic drivers are almost certainly installed on millions of PCs. If you were thinking that you can just stick with Windows 7 to be safe from these vulnerabilities, sadly, the flaws live in the drivers rather than in Windows itself, and Eclypsium says all modern versions of Windows are impacted. You can block updates on Windows 7, but that’s likely not a solution either, since there is a good chance you’re already running problematic drivers. The fixes also have to come from each hardware vendor, and older versions of Windows are likely to receive a patch later as the newest version is prioritized.

[Image: How Windows Administrators feel about this issue]

Which Drivers?

Issues were found in code from every single major BIOS vendor, meaning your chances of avoiding these flaws are pretty low. It isn’t only BIOSes that have issues, though; they also found problems in drivers from the following companies:

  • ASRock
  • ASUSTeK Computer
  • ATI Technologies (AMD)
  • Biostar
  • EVGA
  • Getac
  • GIGABYTE
  • Huawei
  • Insyde
  • Intel
  • Micro-Star International (MSI)
  • NVIDIA
  • Phoenix Technologies
  • Realtek Semiconductor
  • SuperMicro
  • Toshiba

[Image: Apple Users Today]

This list is not exhaustive; they say other firms are still under embargo at this point. That’s quite a few companies, and what this author finds concerning is that the UK has for years been saying that Huawei isn’t spying on the UK, it just has poorly written, insecure code. While I’m not a security expert, these findings suggest that the same problems exist at far more companies than just Huawei, and perhaps we need to re-examine security across the entire ecosystem. These vulnerabilities look like a failure of everyone involved in the PC world. Since the fixes have to come from each vendor, keep an eye out for BIOS/UEFI and driver updates over the next few months as your gear hopefully gets patched. In the meantime, Microsoft’s advice in response to the research was to use Windows Defender Application Control to block known vulnerable drivers, and to turn on memory integrity (hypervisor-protected code integrity) on hardware that supports it, which makes it much harder for a compromised driver to be used to run unsigned code in the kernel.


Update: tweaked title to more accurately represent the situation.


Sweatshopking

I WRITE ON THE TECH REPORT ABOUT ALL THE IMPORTANT STUFF YOU WANNA READ

27 Comments
  1. Remember nVidia drivers causing most of the Vista crashes, more than all other software combined?
    Well, I guess now more and more become careless.

    • gmathol
    • 1 week ago

    Well we only use Windows in virtual machines. Runs on Linux, Mac – and you can copy the virtual hard-drives to any platform.

    • psuedonymous
    • 2 weeks ago

    Hang on, are you seriously ragging on Windows Update being able to update drivers? i.e. able to deploy fixed versions of those same drivers that are currently vulnerable (regardless of origin!) without user intervention, which for 99.9% of users will never happen without an enforced automated update system?

      • John
      • 2 weeks ago

      Yeah, this is stupid… If anything the Windows auto update is good, because it is highly unlikely MS will distribute malware within those drivers, especially considering the fact that Microsoft has very good antimalware people working for them, as demonstrated by antimalware tests. MS will at least scan all of them before distribution, plus they are the only ones who can force updates with new driver versions with the vulnerability fixed.

        • Sweatshopking
        • 2 weeks ago

        I don’t think I’m complaining that MS can update drivers; rather, I think MS should be confirming that the drivers they’re distributing are secure, and they’re not: they’re distributing drivers with critical vulnerabilities.
        I NEVER THOUGHT THE DAY WOULD COME WHEN YOU GUYS WOULD SAY THAT I WAS TOO HARD ON MS.

          • Sweatshopking
          • 2 weeks ago

          That being said, I do appreciate the feedback. I’ll endeavor to be clearer going forward.

  2. I suggest author read what WHQL and certification is:
    https://docs.microsoft.com/en-us/windows-hardware/drivers/install/whql-release-signature

    He has a lot of wrong info and misunderstanding in there.

    How about complete rewrite of this news post?

    • John
    • 2 weeks ago

    This is a very misleading title. You should change it to something that has nothing to do with signing or certifying. Here is an example: https://www.techpowerup.com/258175/drivers-from-over-40-manufacturers-including-intel-nvidia-amd-vulnerable-to-privilege-escalation-malware-attacks

    • tfp
    • 2 weeks ago

    Reading the article linked to on eclypsium.com, it literally reads as “drivers that allow for updating of firmware or drivers could allow malicious software to access firmware or drivers and the memory they access”. Best defense is to scan your machine and keep it up to date. There is no real mitigation discussed within the Mitigation section.

    The level of access provided almost sounds like a feature set within a driver or updater… Next thing we know Windows Update will be declared vulnerable because it can change the kernel. Good thing there aren’t drivers on OSX.

    This needs to be followed up with a 22 companies making insecure drivers and 21 who don’t article.

    • Krogoth
    • 2 weeks ago

    Signed drivers are more for the OEMs/ISVs. They help ensure a more secure ecology and theoretically reduce the chance of hidden malware slipping through.

    • usacomp2k3 (AJ)
    • 2 weeks ago

    Signed just means that the source is authentic, it’s not a guarantee of being bug-free or a quality control. The post title is pretty misleading.

      • Sweatshopking
      • 2 weeks ago

      fair enough, i’ll change it to certified.

        • usacomp2k3 (AJ)
        • 2 weeks ago

        With all due respect, that doesn’t change the sensationalist and disingenuous headline. Microsoft has never claimed them to be anything they’re not. The fact that they are signed/certified just means that they are from a known valid source. Nothing in the article says that they’re not, so Microsoft has 100% fulfilled their commitment.

        • cygnus1
        • 2 weeks ago

        Sorry SSK, it’s still not an accurate way to phrase it. All MS is doing is hosting the drivers and allowing Windows to source them from Windows Update when that particular hardware is found.

        Nothing has been certified by Microsoft. Having a certificate signed does not mean certified. All of these software companies get a signed developer certificate that allows them (not MS) to sign the drivers. It’s a chain of certificates that eventually leads to MS. But MS does not directly participate in the development of the drivers, nor do they audit them for any kind of fitness, function, or security. The organization releasing the findings is throwing MS under the bus for merely hosting the drivers because that gets them way more attention than just listing all those OEMs.

          • jihadjoe
          • 2 weeks ago

          Isn’t WHQL a testing and certification process? WHQL testing + the “Certified for Windows” logo is a lot more than just security certificate from Verisign.

          I remember MS even used to charge money to do it.

            • cygnus1
            • 2 weeks ago

            Didn’t see WHQL get mentioned anywhere, but yes. That program is a certification for hardware. I don’t know that there was any security component to that certification program though.

          • Sweatshopking
          • 2 weeks ago

          These guys claim microsoft is “certifying” them and approving them. I’m not sure what’s involved with these specific drivers or whether they’re all WHQL approved or not. Anything MS is hosting, distributing and certifying should be inspected and secure.

          • Shouefref
          • 1 week ago

          Interesting. But does a certification hold any value in that case? Does it help us? Apparently not.

        • cygnus1
        • 2 weeks ago

        To be more clear, signed is a million times more accurate than certified.

    • cygnus1
    • 2 weeks ago

    lol, the apple user image is fantastic

    • chuckula
    • 2 weeks ago

    As somebody who has actually been a CA, let me tell you: A cryptographic signature on a certificate for a party is in no way equivalent to a guarantee that the party is giving you bug-free software. It just means somebody with access to the CA signing key was happy enough with a third party to sign a certificate.

    On top of that, with certificate chains the signing party most likely isn’t some internal auditor at Microsoft. Instead, each company gets an intermediate certificate that only really attests to the identity of the company (e.g. this signature shows that Nvidia really did make this driver and not hackers-r-us), but the contents of the driver can still be crap. Just crap that’s signed by the manufacturer, so you know it’s legitimate crap.

      • just brew it!
      • 2 weeks ago

      Exactly. It’s a certificate of origin, not a certificate of quality.

      • cygnus1
      • 2 weeks ago

      Agreed. They definitely put way too much emphasis on these problem drivers just being available through windows update. As if that means MS has done any kind of security analysis on device drivers.

      Here’s the appropriate reaction to this news. OEM drivers are insecure, where’s my fainting couch??

        • Sweatshopking
        • 2 weeks ago

        Yeah. Hopefully my sarcasm was clear enough in the second sentence.

          • Bejarid
          • 2 weeks ago

          Sorry, but your sarcasm wasn’t clear for me, in any sentence of this “article”. Even your “Apple user today” is not clear. Sarcasm about Mac OS user thinking they are secure, or real criticism of Windows security? Dunno.

          The only thing that appear clear to me is that you don’t understand a thing about OS and Driver security. Maybe a rewrite can erase this, I hope, misconception?

        • Tarrasik
        • 2 weeks ago

        So how do Linux drivers compare? Is open source more trustworthy?

      • Shouefref
      • 1 week ago

      So, that means it’s worthless.

