Eclypsium researchers claim to have discovered a widespread design flaw in Windows device drivers that affects “all modern versions of Microsoft Windows.” The flaw could allow hackers to seize control of the Windows kernel, i.e. the core of your computer’s operating system. Here’s what you need to know.
Firmware security company Eclypsium has issued a startling warning to Windows 10 users at the Black Hat Security Conference in Las Vegas. It claims to have found a critical vulnerability in more than 40 hardware device drivers from every major BIOS vendor and 20 hardware manufacturers – including big names like Intel and Nvidia.
According to Eclypsium, the flaw leaves Windows machines open to a hostile takeover in which a low-privilege application escalates its way into the kernel:
Drivers that provide access to system BIOS or system components for the purposes of updating firmware, running diagnostics, or customizing options on the component can allow attackers to turn the very tools used to manage a system into powerful threats that can escalate privileges and persist invisibly on the host.
A vulnerable driver installed on a machine could allow an application running with user privileges to escalate to kernel privileges and abuse the functionality of the driver. In other words, any malware running in the user space could scan for a vulnerable driver on the victim machine and then use it to gain full control over the system and potentially the underlying firmware.
As Forbes notes, the drivers in question are specifically designed to update firmware and are officially certified by Microsoft – a potentially disastrous combination.
“Access to the kernel can not only give an attacker the most privileged access available to the operating system, it can also grant access to the hardware and firmware interfaces with even higher privileges such as the system BIOS firmware,” Eclypsium warns.
For its part, Microsoft has played down the threat, claiming that a computer would already need to be compromised in order for hackers to exploit vulnerable drivers. However, this is not without precedent; Eclypsium cites the Slingshot APT campaign and LoJax malware as recent examples.
How to protect your Windows PC
According to Microsoft, the best line of defence against this threat is to use Windows Defender Application Control (WDAC). This is an enterprise-level security solution that restricts applications that users are allowed to run and the code that runs in the kernel.
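As an added illustration (not part of the original article, and not Eclypsium’s or Microsoft’s own tooling), here is how an administrator could build a WDAC policy in audit mode with Microsoft’s ConfigCI cmdlets. Audit mode logs code that the policy would have blocked without actually blocking it, which is the safe first step before enforcing. The output paths and the choice to scan the drivers directory are assumptions for this example.

```powershell
# Added example: create a WDAC (code integrity) policy in audit mode.
# Assumed paths; adjust to your environment. Run as Administrator.
$policyXml = Join-Path $env:USERPROFILE 'Desktop\DriverPolicy.xml'
$policyBin = Join-Path $env:USERPROFILE 'Desktop\SIPolicy.p7b'

# Scan the drivers directory and allow binaries by signing publisher,
# falling back to file hashes for anything unsigned. -UserPEs also
# covers user-mode executables found under the scan path.
New-CIPolicy -Level Publisher -Fallback Hash `
    -ScanPath 'C:\Windows\System32\drivers' `
    -FilePath $policyXml -UserPEs

# Option 3 = "Enabled:Audit Mode": violations are written to the
# Microsoft-Windows-CodeIntegrity/Operational event log, not blocked.
Set-RuleOption -FilePath $policyXml -Option 3

# Compile the XML into the binary form Windows consumes.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

# To deploy the legacy single-policy format, copy the binary to
# C:\Windows\System32\CodeIntegrity\SIPolicy.p7b and reboot.
# Audit events (ID 3076 in the CodeIntegrity log) then show which
# drivers and applications the policy would block if enforced.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 20 |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message
```

Review the audit events over a few days before removing option 3 to enforce the policy; a policy that is enforced while still missing a boot-critical driver can prevent the machine from starting.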
For home users, you should make it your #1 priority to update your hardware device drivers to the most recent version. Here’s the list of affected vendors:
- ASUSTeK Computer
- ATI Technologies (AMD)
- Micro-Star International (MSI)
- Phoenix Technologies
- Realtek Semiconductor
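To make the “update your drivers” advice actionable, the following added example (not from the article or Eclypsium) inventories the signed PnP drivers on a machine and flags those whose provider or manufacturer string matches the vendors named above plus Intel and Nvidia, so each can be checked against the vendor’s current release. The vendor name patterns are assumptions about how those companies appear in driver metadata and may need adjusting.

```powershell
# Added example: list installed signed drivers from the vendors the
# article names, with version and date, to prioritise update checks.
# Vendor patterns are assumptions; extend them for your hardware.
$vendorPatterns = @(
    'ASUS', 'ATI', 'Advanced Micro Devices', 'AMD',
    'Micro-Star', 'MSI', 'Phoenix', 'Realtek', 'Intel', 'NVIDIA'
)

# Win32_PnPSignedDriver exposes provider, version, date and signing
# status for every Plug and Play driver known to the system.
$drivers = Get-CimInstance -ClassName Win32_PnPSignedDriver

$flagged = foreach ($d in $drivers) {
    $vendor = "$($d.DriverProviderName) $($d.Manufacturer)"
    # Word-boundary match so short names like ATI or MSI do not hit
    # unrelated words such as "Corporation".
    $hit = $vendorPatterns | Where-Object {
        $vendor -match "\b$([regex]::Escape($_))\b"
    }
    if ($hit) {
        [pscustomobject]@{
            Device   = $d.DeviceName
            Provider = $d.DriverProviderName
            Version  = $d.DriverVersion
            Date     = $d.DriverDate
            Signed   = $d.IsSigned
            Inf      = $d.InfName
        }
    }
}

# Oldest drivers first: these are the most likely to predate a fix.
$flagged | Sort-Object Date, Provider | Format-Table -AutoSize

# Unsigned drivers are worth a separate look regardless of vendor.
$drivers | Where-Object { -not $_.IsSigned } |
    Select-Object DeviceName, DriverProviderName, DriverVersion, InfName |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session; the driver date and version columns are what you compare against the vendor’s download page, since Windows Update does not always carry the latest OEM driver builds.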
You can find out more about the vulnerability and its potential to cause mischief here.