Faulty Driver Coding Exposes Microsoft Windows to Malware Risks | Enterprise Security
By Jack M. Germain
Aug 15, 2019 9:31 AM PT
Numerous driver design flaws by 20 different hardware vendors expose Microsoft Windows users to widespread security compromises that can cause persistent malware attacks.
report titled “Screwed Drivers,” which Eclypsium security researchers presented at DEF CON last weekend, urges Microsoft to support solutions to better protect against this class of vulnerabilities.
Microsoft should blacklist known bad drivers, it recommends.
The insecure drivers problem is widespread, Eclypsium researchers found, with more than 40 drivers from at least 20 different vendors threatening the long-term security of the Windows operating system.
The design flaws exist in drivers from every major BIOS vendor, including hardware vendors Asus, Toshiba, Nvidia and Huawei, according to the report.
The research team discovered the coding issues and their broader impacts while pursuing an ongoing hardware and firmware security study involving how attackers can abuse insecure software drivers in devices.
“Since our area of main focus is hardware and firmware security, we naturally gravitated into looking at Windows firmware update tools,” said Mickey Shkatov, principal researcher at Eclypsium.
“Once we started the process of exploring the drivers these tools used we kept finding more and more of these issues,” he told the E-Commerce Times.
The driver design flaws allow attackers to escalate user privilege so they can access the OS kernel mode. That escalation allows the attacker to use the driver as a proxy to gain highly privileged access to the hardware resources, according to the report. It opens read and write access to processor and chipset I/O space, model specific registers (MSR), control registers (CR), debug registers (DR), physical memory and kernel virtual memory.
“Microsoft has a strong commitment to security and a demonstrated track record of investigating and proactively updating impacted devices as soon as possible. For the best protection, we recommend using Windows 10 and the Microsoft Edge browser,” a Microsoft spokesperson said in comments provided to the E-Commerce Times by company rep Rachel Tougher.
Attackers would first have to compromise a computer in order to exploit vulnerable drivers, according to Microsoft.
However, the driver design flaws may make the situation more severe, Eclypsium’s report suggests. They actually could make it easier to compromise a computer.
For instance, any malware running in the user space could scan for a vulnerable driver on the victim machine. It then could use it as a way to gain full control over the system and potentially the underlying firmware, according to the report.
If a vulnerable driver is not already on a system, administrator privilege would be required to install a vulnerable driver, the researchers concede. Still, drivers that provide access to system BIOS or system components to assist with updating firmware, running diagnostics, or customizing options on the component can allow attackers to use those tools to escalate privileges and persist invisibly on the host.
To help mitigate this vulnerability, Windows users should apply
Windows Defender Application Control to block known vulnerable software and drivers, according to Microsoft.
Customers can further protect themselves by turning on
memory integrity for capable devices, Microsoft also suggested.
Probably Low-to-Moderate Risk
Security firms stimulate sales opportunities based on vulnerabilities. Reports such as the Eclypsium disclosures are sales vehicles, contended Rob Enderle, principal analyst at the Enderle Group, and it is not unusual to see the results overstate the problems.
“In this instance, they are highlighting vulnerable drivers, which could allow someone to escalate privileges and take over a system. Generally, however, the attacker would have to come in through the compromised device, and that means they’d have to have physical access to the system and, with access, there are a lot of things you can do to compromise a PC,” Enderle told the E-Commerce Times.
The possibility of the user getting tricked into installing malware also exists. That would take advantage of this driver vulnerability, but the attacker would need to know the vulnerability was there first to make this work, he noted.
“Given the hostile environment we are in and the fact we have state-level attackers, any vulnerability is a concern,” Enderle cautioned. “However, because the attack vector is convoluted, and an effective attack requires knowledge of the PC, the actual risk is low to moderate.”
It is certainly worth watching and making sure driver updates both address these vulnerabilities and are applied in a timely way, he added.
The driver design flows apply to all modern versions of Microsoft Windows. Currently, no universal mechanism exists to keep a Windows machine from loading one of these known bad drivers, according to the report.
Implementing group policies and other features specific to Windows Pro, Windows Enterprise and Windows Server may offer some protection to a subset of users. Once installed, these drivers can reside on a device for long periods of time unless specifically updated or uninstalled, the researchers said.
Its not just the drivers already installed on a system that can pose a risk. Malware can add drivers to perform privilege escalation and gain direct access to the hardware, the researchers cautioned.
The drivers in question are not rogue or unsanctioned, they pointed out. All the drivers come from trusted third-party vendors, signed by valid Certificate Authorities and certified by Microsoft.
Both Microsoft and the third-party vendors will need to be more vigilant with these types of vulnerabilities going forward, according to the report.
Signing Software Not Always Reliable
Code signing certificates are used to sign applications, drivers and software digitally. The process allows end users to verify the authenticity of the publisher, according to Chris Hickman, chief security officer at
Keyfactor, but there is risk involved in fully trusting signed software.
“Opportunistic cyberattackers can compromise vulnerable certificates and keys across software producers, often planting malware that detonates once a firmware or software update is installed on a user’s system. Therein lies the greatest security risk,” he told the E-Commerce Times.
Eclypsium’s discovery that design flaws in software drivers include numerous hardware makers and software partners drives home the threat businesses and consumer software users face, Hickman said. That attack vector is like this spring’s Asus hack.
“Attackers can exploit code and certificates to plant and deploy malware when businesses run standard — and usually trusted — updates,” he noted.
Code signing is no guarantee that malware can not be introduced into software. Other steps must be taken prior to signing the code, such as code testing and vulnerability scanning, Hickman explained.
Once the code is signed, it will be installed as it was signed, regardless of the contents, so long as the code signing certificate is from trusted source. Hence security and care and control of code signing certificates should be as important to DevOps as the other forms of ensuring legitimate code is produced, he said.
Response and Fixes
All of the impacted vendors were notified more than 90 days before Eclypsium scheduled the vulnerabilities disclosure, according to Shkatov.
Intel and Huawei notified Eclypsium that they publicly released advisories and fixes. Phoenix and Insyde do not directly release fixes to end users, but have released fixes to their OEM customers for eventual distribution to end users.
“We’ve been told of fixes that will be released by two more vendors, but we don’t have a specific timeline yet,” said Shkatov. “Eight vendors acknowledged receipt of our advisory, but we haven’t heard if patches will be released or any timeline for those. Five vendors did not respond at all.”