Certified Drivers Apparently Unsafe

Eclypsium, an Oregon security company, claims that drivers on Microsoft’s Windows platform are a security mess. Who could have guessed? Its researchers found serious flaws in more than 40 drivers from at least 20 different hardware vendors. Apparently every single one of these vulnerabilities allows the driver to hand over “access to the hardware resources, such as read and write access to processor and chipset I/O space, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory and kernel virtual memory. This is a privilege escalation as it can move an attacker from user mode (Ring 3) to OS kernel mode (Ring 0).” Basically, complete control of the affected machine. Not only that, these flaws could potentially allow malware to compromise your UEFI firmware and persist across an operating system re-installation. Eclypsium also adds that the drivers don’t just provide the necessary access; they also provide the mechanism to make changes. Scary stuff.

What’s perhaps most interesting is that every driver they tested was signed by a Certificate Authority and carried Microsoft’s stamp of approval. Tie that to the fact that you can no longer block updates on Home versions of Windows 10, and you’ve got one heck of a potentially serious problem. In other words, these problematic drivers are almost certainly installed on what may be millions of PCs. If you were thinking you could just stick with Windows 7 to be safe from these vulnerabilities, sadly, all modern versions of Windows are affected. You can block updates on Windows 7, but that’s likely not a solution, since there is a good chance you’re already running problematic drivers. You may also receive a patch later on older versions of Windows, as the newest version is prioritized.

(Image: How Windows Administrators feel about this issue)

Which Drivers?

Issues were found in code from every single major BIOS vendor, meaning your chances of avoiding these flaws are pretty dang low. BIOS vendors aren’t the only ones with issues, though; Eclypsium also found problems in drivers from the following companies:

  • ASRock
  • ASUSTeK Computer
  • ATI Technologies (AMD)
  • Biostar
  • EVGA
  • Getac
  • GIGABYTE
  • Huawei
  • Insyde
  • Intel
  • Micro-Star International (MSI)
  • NVIDIA
  • Phoenix Technologies
  • Realtek Semiconductor
  • SuperMicro
  • Toshiba

(Image: Apple Users Today)

This list is not exhaustive, and they say other firms are still under embargo at this point. That’s quite a few companies, and what this author finds concerning is that the UK has for years been saying that Huawei isn’t spying on the UK; instead, it just has poorly written, insecure code. While I’m not a security expert, this would suggest that these problems exist for more companies than just Huawei, and perhaps we need to re-examine security across the entire ecosystem. These vulnerabilities seem to demonstrate a complete failure of everyone involved in the PC world. Keep an eye out for BIOS/UEFI and driver updates over the next few months as your gear hopefully gets patched.
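If you want to know which of these vendors’ drivers are actually loaded on your own machine before the patches arrive, the following PowerShell snippet is an added example (not code from the article or from Eclypsium). It inventories the kernel drivers currently running, with each file’s version, the vendor named in its version resource, and its Authenticode signer, then writes the list to a CSV so it can be diffed after driver and BIOS updates land. It assumes Windows PowerShell 5.1 or later run from an elevated prompt, and the output path is an arbitrary choice. Note that the signer column will typically read “Microsoft Windows Hardware Compatibility Publisher” for WHQL drivers regardless of who wrote them, which is exactly why the vendor-supplied CompanyName field, not the signature, is what you match against the vendor list above.

```powershell
# Added example, not part of the article or of Eclypsium's research.
# Inventory running kernel drivers with version, vendor and signer so the
# list can be checked against vendor advisories and diffed after updates.
# Assumes Windows PowerShell 5.1+ in an elevated session.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports NT-style paths on some builds; normalise to Win32 paths.
    $p = $PathName -replace '^\\\?\?\\', ''                       # \??\C:\...       -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"        # \SystemRoot\...  -> C:\Windows\...
    if ($p -match '^\\?system32\\') {                              # bare system32\... -> C:\Windows\system32\...
        $p = Join-Path $env:SystemRoot ($p.TrimStart('\'))
    }
    return $p
}

$report = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }       # skip entries we cannot locate on disk
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $info = (Get-Item -LiteralPath $path).VersionInfo
        [pscustomobject]@{
            Service   = $_.Name
            Path      = $path
            Version   = $info.FileVersion
            Company   = $info.CompanyName                        # set by the vendor in the version resource
            SigStatus = $sig.Status                              # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject           # WHQL drivers usually show Microsoft here
        }
    }

# Third-party drivers are the ones worth checking against vendor advisories;
# filter on the vendor's own CompanyName, since the signer is Microsoft for WHQL drivers.
$thirdParty = $report | Where-Object { $_.Company -notmatch 'Microsoft' }
$thirdParty | Sort-Object Company, Service |
    Format-Table Service, Company, Version, SigStatus, Signer -AutoSize

# Keep a snapshot for diffing once driver/BIOS updates have been applied (path is an arbitrary choice).
$report | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\driver-inventory.csv"
```

The script does not tell you whether a given driver is one of the vulnerable ones; the advisories from each vendor do that. What it gives you is the version you are running today, so you can see at a glance whether an update has actually replaced it, and a record of which drivers with vendor names from the list above are loaded at all.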


Update: tweaked title to more accurately represent the situation.


Sweatshopking

I WRITE ON THE TECH REPORT ABOUT ALL THE IMPORTANT STUFF YOU WANNA READ

Xaeus

Remember nVidia drivers causing most of the Vista crashes, more than all other software combined?
Well, I guess now more and more become careless.

gmathol

Well we only use Windows in virtual machines. Runs on Linux, Mac – and you can copy the virtual hard-drives to any platform.

psuedonymous

Hang on, are you seriously ragging on Windows Update being able to update drivers? i.e. being able to deploy fixed versions of those same drivers that are currently vulnerable (regardless of origin!) without user intervention, which for 99.9% of users will never happen without an enforced automated update system?

John

Yea, this is stupid… If anything, the Windows auto update is good, because it is highly unlikely MS will distribute malware within those drivers, especially considering the fact that Microsoft has very good antimalware people working for them, as demonstrated by antimalware tests. MS will at least scan all of them before distribution, plus they are the only ones who can force updates with new driver versions with fixed vulnerabilities.

Klimax

I suggest the author read what WHQL and certification is:
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/whql-release-signature

He has a lot of wrong info and misunderstanding in there.

How about a complete rewrite of this news post?

John

This is a very misleading title. You should change it to something that has nothing to do with signing or certifying. Here is an example: https://www.techpowerup.com/258175/drivers-from-over-40-manufacturers-including-intel-nvidia-amd-vulnerable-to-privilege-escalation-malware-attacks

tfp

Reading the article linked to eclypsium.com literally read as “drivers that allow for updating of firmware or drivers could allow malicious software to access firmware or drivers and the memory they access”. Best defense is to scan your machine and keep it up to date. There is no real mitigation discussed within the Mitigation section. The level of access provided almost sounds like a feature set within a driver or updater… Next thing we know Windows Update will be declared vulnerable because it can change the kernel. Good thing there aren’t drivers on OSX. This needs to be followed up…

Krogoth

Signed drivers are more for the OEMs/ISVs. They help ensure a more secure ecology and theoretically reduce the chance of hidden malware slipping through.

usacomp2k3 (AJ)

Signed just means that the source is authentic, it’s not a guarantee of being bug-free or a quality control. The post title is pretty misleading.

cygnus1

lol, the apple user image is fantastic

chuckula

As somebody who has actually been a CA, let me tell you: A cryptographic signature on a certificate for a party is in no way equivalent to a guarantee that the party is giving you bug-free software. It just means somebody with access to the CA signing key was happy enough with a third party to sign a certificate. On top of that, with certificate chains the signing party most likely isn’t some internal auditor at Microsoft. Instead, each company gets an intermediate certificate that only really attests to the identity of the company (e.g. this signature shows that Nvidia…

just brew it!

Exactly. It’s a certificate of origin, not a certificate of quality.

cygnus1

Agreed. They definitely put way too much emphasis on these problem drivers just being available through Windows Update. As if that means MS has done any kind of security analysis on device drivers.

Here’s the appropriate reaction to this news. OEM drivers are insecure, where’s my fainting couch??

Tarrasik

So how do Linux drivers compare? Is open source more trustworthy?

Shouefref

So, that means it’s worthless.
