Certified Drivers Apparently Unsafe

Eclypsium, an Oregon security company, claims that drivers on Microsoft’s Windows platform are a security mess. Who could have guessed? Their researchers found serious flaws in more than 40 drivers from at least 20 different hardware vendors. Apparently every single one of these vulnerabilities allows the driver to hand over “access to the hardware resources, such as read and write access to processor and chipset I/O space, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory and kernel virtual memory. This is a privilege escalation as it can move an attacker from user mode (Ring 3) to OS kernel mode (Ring 0).” Basically, complete control of the impacted machine. Not only that, these flaws potentially allow malware to compromise your UEFI firmware and persist across an operating system re-installation. Eclypsium also adds that these drivers provide not only the necessary access but also the mechanism to make changes. Scary stuff.

What’s perhaps most interesting is that every driver they tested was signed by a Certificate Authority and carried Microsoft’s stamp of approval. Tie that to the fact that you can no longer block updates on Home versions of Windows 10, and you’ve got one heck of a potentially serious problem. In other words, these problematic drivers are almost certainly installed on possibly millions of PCs. If you were thinking you could just stick with Windows 7 to be safe from these vulnerabilities, sadly, all modern versions of Windows are impacted. You can block updates on Windows 7; however, that’s likely not a solution, since there is a good chance you’re already running problematic drivers. You may also receive a patch later for older versions of Windows, as the newest version is prioritized.

[Image: How Windows Administrators feel about this issue]

Which Drivers?

Issues were found in the code from every single major BIOS vendor, meaning your chances of avoiding these flaws are pretty dang low. It is not only BIOSes that have issues, though; they also found problems with the following companies’ drivers:

  • ASRock
  • ASUSTeK Computer
  • ATI Technologies (AMD)
  • Biostar
  • EVGA
  • Getac
  • GIGABYTE
  • Huawei
  • Insyde
  • Intel
  • Micro-Star International (MSI)
  • NVIDIA
  • Phoenix Technologies
  • Realtek Semiconductor
  • SuperMicro
  • Toshiba

[Image: Apple Users Today]

This list is not exhaustive, and they say other firms are still under embargo at this point. That’s quite a few companies, and what this author finds concerning is that the UK has for years been saying that Huawei isn’t spying on the UK; instead, they just have poorly written, insecure code. While I’m not a security expert, this would suggest that these problems exist for more companies than just Huawei, and perhaps we need to re-examine security across the entire ecosystem. These vulnerabilities seem to demonstrate a complete failure of everyone involved in the PC world. Keep an eye out for BIOS/UEFI and driver updates over the next few months as your gear hopefully gets patched.
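Since the practical advice is to watch for updates from the vendors listed above, here is an added inventory script (my own example, not code from the article or from Eclypsium) that lists the kernel drivers currently registered on a Windows machine, records who signed each one, and flags those whose signer matches one of the listed vendors. It assumes Windows PowerShell 5.1 or later run from an elevated prompt; the vendor name list is constructed from the article and is only a substring match on the certificate subject.

```powershell
# Added example, not from the original article. Run elevated so every driver file is readable.
# Vendor names taken from the article's list; matched as substrings of the signer's certificate subject.
$vendorsOfInterest = @('ASRock', 'ASUSTeK', 'ATI Technologies', 'Biostar', 'EVGA', 'Getac',
                       'GIGABYTE', 'Huawei', 'Insyde', 'Intel', 'Micro-Star', 'NVIDIA',
                       'Phoenix Technologies', 'Realtek', 'Super Micro', 'Toshiba')

$report = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # PathName comes back as \??\C:\..., \SystemRoot\..., or a path relative to the Windows dir
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        $hit    = $vendorsOfInterest | Where-Object { $signer -like "*$_*" } | Select-Object -First 1

        [pscustomobject]@{
            Driver    = $_.Name
            State     = $_.State
            Path      = $path
            Version   = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            # 'Valid' only means the file is intact and the chain leads to a trusted root;
            # it says nothing about whether the driver exposes hardware access to user mode.
            SigStatus = $sig.Status
            Signer    = $signer
            WatchList = [bool]$hit
        }
    }

# Drivers from the listed vendors, with their current file versions, so you can compare
# against whatever patched versions the vendors publish.
$report | Where-Object { $_.WatchList } | Sort-Object Signer, Driver | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'driver-inventory.csv')
```

The CSV gives you a baseline to diff after each round of Windows Update or vendor firmware/driver releases; a signer match is a prompt to check the vendor's advisory, not a verdict on the driver by itself.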


Update: tweaked title to more accurately represent the situation.


Sweatshopking

I WRITE ON THE TECH REPORT ABOUT ALL THE IMPORTANT STUFF YOU WANNA READ

27 Comments
Xaeus
1 year ago

Remember nVidia drivers causing most of the Vista crashes, more than all other software combined?
Well, I guess now more and more become careless.

gmathol
1 year ago

Well we only use Windows in virtual machines. Runs on Linux, Mac – and you can copy the virtual hard-drives to any platform.

psuedonymous
1 year ago

Hang on, are you seriously ragging on Windows Update being able to update drivers? i.e. being able to deploy fixed versions of those same drivers that are currently vulnerable (regardless of origin!) without user intervention, which for 99.9% of users will never happen without an enforced automated update system?

John
1 year ago
Reply to psuedonymous

Yeah, this is stupid… If anything, the Windows auto update is good because it is highly unlikely MS will distribute malware within those drivers, especially considering the fact that Microsoft has very good antimalware people working for them, as demonstrated by antimalware tests. MS will at least scan all of them before distribution, plus they are the only ones who can force updates with new driver versions with the vulnerability fixed.

Klimax
1 year ago

I suggest the author read what WHQL and certification are:
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/whql-release-signature

He has a lot of wrong info and misunderstanding in there.

How about a complete rewrite of this news post?

John
1 year ago

This is a very misleading title. You should change it to something that has nothing to do with signing or certifying. Here is an example: https://www.techpowerup.com/258175/drivers-from-over-40-manufacturers-including-intel-nvidia-amd-vulnerable-to-privilege-escalation-malware-attacks

tfp
1 year ago

Reading the article linked to eclypsium.com, it literally reads as “drivers that allow for updating of firmware or drivers could allow malicious software to access firmware or drivers and the memory they access”. Best defense is to scan your machine and keep it up to date. There is no real mitigation discussed within the Mitigation section. The level of access provided almost sounds like a feature set within a driver or updater… Next thing we know, Windows Update will be declared vulnerable because it can change the kernel. Good thing there aren’t drivers on OSX. This needs to be followed up…

Krogoth
1 year ago

Signed drivers are more for the OEMs/ISVs. They help ensure a more secure ecology and theoretically reduce the chance of hidden malware slipping through.

usacomp2k3 (AJ)
1 year ago

Signed just means that the source is authentic, it’s not a guarantee of being bug-free or a quality control. The post title is pretty misleading.

usacomp2k3 (AJ)
1 year ago
Reply to Sweatshopking

With all due respect, that doesn’t change the sensationalist and disingenuous headline. Microsoft has never claimed them to be anything they’re not. The fact that they are signed/certified just means that they are from a known valid source. Nothing in the article says that they’re not, so Microsoft has 100% fulfilled their commitment.

cygnus1
1 year ago
Reply to Sweatshopking

Sorry SSK, it’s still not an accurate way to phrase it. All MS is doing is hosting the drivers and allowing Windows to source them from Windows Update when that particular hardware is found. Nothing has been certified by Microsoft. Having a certificate signed does not mean certified. All of these software companies get a signed developer certificate that allows them (not MS) to sign the drivers. It’s a chain of certificates that eventually leads to MS. But MS does not directly participate in the development of the drivers, nor do they audit them for any kind of fitness, function,…

jihadjoe
1 year ago
Reply to cygnus1

Isn’t WHQL a testing and certification process? WHQL testing + the “Certified for Windows” logo is a lot more than just a security certificate from Verisign.

I remember MS even used to charge money to do it.

cygnus1
1 year ago
Reply to jihadjoe

Didn’t see WHQL get mentioned anywhere, but yes. That program is a certification for hardware. I don’t know that there was any security component to that certification program though.

Shouefref
1 year ago
Reply to cygnus1

Interesting. But does a certification hold any value in that case? Does it help us? Apparently not.

cygnus1
1 year ago
Reply to Sweatshopking

To be more clear, signed is a million times more accurate than certified.

cygnus1
1 year ago

lol, the apple user image is fantastic

chuckula
1 year ago

As somebody who has actually been a CA, let me tell you: a cryptographic signature on a certificate for a party is in no way equivalent to a guarantee that the party is giving you bug-free software. It just means somebody with access to the CA signing key was happy enough with a third party to sign a certificate. On top of that, with certificate chains the signing party most likely isn’t some internal auditor at Microsoft. Instead, each company gets an intermediate certificate that only really attests to the identity of the company (e.g. this signature shows that Nvidia…

just brew it!
1 year ago
Reply to chuckula

Exactly. It’s a certificate of origin, not a certificate of quality.

cygnus1
1 year ago
Reply to chuckula

Agreed. They definitely put way too much emphasis on these problem drivers just being available through Windows Update. As if that means MS has done any kind of security analysis on device drivers.

Here’s the appropriate reaction to this news. OEM drivers are insecure, where’s my fainting couch??

Bejarid
1 year ago
Reply to Sweatshopking

Sorry, but your sarcasm wasn’t clear to me in any sentence of this “article”. Even your “Apple user today” is not clear. Sarcasm about Mac OS users thinking they are secure, or real criticism of Windows security? Dunno.

The only thing that appears clear to me is that you don’t understand a thing about OS and driver security. Maybe a rewrite can erase this, I hope, misconception?

Tarrasik
1 year ago
Reply to cygnus1

So how do Linux drivers compare? Is open source more trustworthy?

Shouefref
1 year ago
Reply to chuckula

So, that means it’s worthless.
