Jump to content

Security flaws found in many major kernel drivers


sincity

Recommended Posts

At this year's DefCon security conference, security researchers from Eclypsium revealed in a presentation that they have discovered common design flaws in over 40 kernel drivers from 20 different hardware vendors.

The design flaws found in the drivers could allow low-privileged applications to use legitimate driver functions to execute malicious actions within the most sensitive areas of Microsoft's Windows including the Windows kernel.

Principal Researcher at Eclypsium, Mickey Shkatov provided more details on the firm's discovery in an email to ZDNet, saying:

"There are a number of hardware resources that are normally only accessible by privileged software such as the Windows kernel and need to be protected from malicious read/write from userspace applications. The design flaw surfaces when signed drivers provide functionality which can be misused by userspace applications to perform arbitrary read/write of these sensitive resources without any restriction or checks from Microsoft." 

According to Shkatov, bad coding practices that don't take security into account are responsible for the flaws. Instead of making a driver only perform specific tasks, hardware vendors often write their code to be more flexible which in turn puts the security of systems using the drivers at risk.

Driver security flaws

Eclypsium has notified all of the hardware vendors whose drivers allow userspace apps to run kernel code and so far the list of affected companies includes American Megatrends International (AMI), ASRock, ASUSTeK Computer, AMD, Biostar, EVGA, Getac, GIGABYTE, Huawei, Insyde, Intel MSI, NVIDIA, Phoenix Technologies, Realtek Semiconductor, SuperMicro and Toshiba.

Shkatov points out that some vendors such as Intel and Huawei have already issued updates while independent BIOS vendors like Phoenix and Insyde are releasing updates to their customer OEMs. However, Eclypsium has not yet named all of the impacted vendors as some need extra time to address the issue.

Microsoft offered further clarity on the matter in a statement, saying:

"In order to exploit vulnerable drivers, an attacker would need to have already compromised the computer. To help mitigate this class of issues, Microsoft recommends that customers use Windows Defender Application Control to block known vulnerable software and drivers. Customers can further protect themselves by turning on memory integrity for capable devices in Windows Security. Microsoft works diligently with industry partners to address to privately disclose vulnerabilities and work together to help protect customers." 

For those interested in learning more, Eclypsium has published all of the details about its findings in a blog post on its site.

Via ZDNet

http://feeds.feedburner.com/~r/techradar/digital-home/~4/fjAjO9u0phQ
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...