Researchers have uncovered several security issues in Windows kernel-mode drivers that affect over 40 drivers from 20 different vendors. The vulnerabilities can allow attackers to access a device's hardware and firmware.
What’s the matter?
A team of two researchers at the DEF CON 27 security conference has shed light on the problems of insecure drivers. All of these drivers have been signed by valid Certificate Authorities and certified by Microsoft. According to Mickey Shkatov, Principal Researcher at Eclypsium, the issue applies to all versions of Microsoft Windows.
Shkatov, along with Jesse Michael, explained that they had first identified the issues in April. They then gave the 20 companies a 90-day window to mitigate the issues.
Which are the affected vendors?
The list of vendors affected by the Windows kernel driver vulnerabilities includes:
What is the impact?
According to the researchers, the vulnerabilities can allow an "application running with user privileges to escalate to kernel privileges and abuse the functionality of the driver". Some of the issues can be exploited to gain highly privileged access to hardware resources, such as read and write access to processor and chipset I/O space, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory and kernel virtual memory. Furthermore, malware already present on a system can abuse a vulnerable driver that is running there. This can allow attackers to obtain full control over the system and the underlying firmware.
“In other words, any malware running in the user space could scan for a vulnerable driver on the victim machine and then use it to gain full control over the system and potentially the underlying firmware,” said researchers in a blog post.
“These issues apply to all modern versions of Microsoft Windows and there is currently no universal mechanism to keep a Windows machine from loading one of these known bad drivers,” added researchers.
Some vendors, such as Intel and Huawei, have issued updates to address the vulnerabilities. Other independent BIOS vendors, such as Phoenix and Insyde, will soon be releasing updates.
Meanwhile, Microsoft has recommended that its customers use Windows Defender Application Control to block known vulnerable software drivers. It has also suggested that customers use Windows 10 and the Edge browser for better protection.
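Before a WDAC block policy can be written, an administrator needs to know which kernel-mode drivers are actually loaded and who signed them. The PowerShell script below is an added example, not code from the article or from the researchers; it inventories running drivers, records signer and SHA-256 hash, and flags any that match a blocklist. The hash and signer values in the blocklist are constructed placeholders that must be replaced with indicators taken from vendor advisories or Microsoft's published driver block rules.

```powershell
# Added example: inventory running kernel-mode drivers and flag those on a blocklist.
# Blocklist entries below are constructed placeholders, not real indicators.
$BlockedHashes = @(
    'PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER_1',
    'PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER_2'
)
$BlockedSigners = @(
    'CN=Example Vendor Placeholder'   # constructed certificate subject, not a real vendor
)

# Win32_SystemDriver enumerates kernel-mode drivers together with their on-disk path and state.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName may be prefixed with \??\ or \SystemRoot\, or be relative to the Windows directory.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Authenticode signer and file hash are the two attributes a WDAC deny rule can key on.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    $signerHit = $false
    foreach ($s in $BlockedSigners) { if ($signer -like "*$s*") { $signerHit = $true } }

    [pscustomobject]@{
        Name     = $d.Name
        Path     = $path
        Signer   = $signer
        SigState = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        SHA256   = $hash
        Flagged  = ($BlockedHashes -contains $hash) -or $signerHit
    }
}

# Flagged drivers first; the CSV is the input for building or extending a WDAC deny policy.
$report | Sort-Object Flagged -Descending | Format-Table Name, Signer, SigState, Flagged -AutoSize
$report | Where-Object Flagged | Export-Csv -NoTypeInformation -Path "$env:TEMP\flagged-drivers.csv"
```

Run the script in an elevated PowerShell session so every driver file is readable. It only reports; the actual blocking comes from a WDAC policy that denies the flagged files by hash or by signer, which is the mechanism Microsoft points customers to.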