Researchers Find More Than 40 Vulnerable Windows Device Drivers (eclypsium.com)
Artem S. Tashkinov writes: Researchers from security company Eclypsium have discovered that more than forty drivers from at least twenty different vendors -- including every major BIOS vendor, as well as hardware vendors like ASUS, Toshiba, NVIDIA, and Huawei -- include critical vulnerabilities allowing an escalation of privileges to full system level access.
Considering how widespread these drivers are, and the fact that they are digitally signed by Microsoft, they allow an attacker to more successfully penetrate target systems and networks, as well as remain hidden. Also while some of these drivers "are designed to update firmware, the driver is providing not only the necessary privileges, but also the mechanism to make changes" which means the attacker can gain a permanent foothold. Eclypsium has already notified Microsoft about the issues and at least NVIDIA has already released fixed drivers.
More than 40? (Score:2, Funny)
Re:More than 40? (Score:4, Informative)
No one's counting out 140. Or even 1,040. All we know is that the number is "more than 40." That doesn't exactly say much.
Re:More than 40? (Score:4, Insightful)
This one group *found* new vulnerabilities in 40+ drivers. That's very different to saying that only those 40 drivers have any vulnerabilities.
Personally, I have discovered zero vulnerabilities in any drivers, but I wouldn't conclude from that that all drivers are vulnerability free, because I'm just one guy and I'm not exactly looking for them. From just the summary we don't know how big the group is, how long they looked, or how many total drivers they looked at.
Users will examine the code... (Score:1)
...and provide fixes.
Re: (Score:1)
...and release them for free
NVIDIA (Score:5, Insightful)
Who would have thought... (Score:4, Interesting)
... making drivers and device apps require login in order to function or send spying data back to companies might cause security risks. We really need some laws against privacy-invading software in the OS and drivers.
This software as a service bullshit has gotten way out of hand. This idea that we don't own what we buy because of bs IP laws bribed into being by large software corporations before the internet was a thing needs to go.
Bad Reporting (Score:3)
Wheee... (Score:3)
More updates. Something else to look forward to.
Re: (Score:1)
windows' weak spot (Score:5, Insightful)
is this a surprise to anybody?
windows drivers have always been the weak spot of the windows system, causing many bsod.
if the drivers are already so bad stability wise, why would you think their security design would be any better?
Re: (Score:2)
Serious question - can all drivers become user-mode? Are there some that must be kernel-mode? I would assume that things like video drivers (which are probably the worst offenders) would need to be kernel mode, but can there be a split-driver, where it loads only a basic driver kernel-mode that is stable, secure, and safe, and loads the higher-performance driver in user mode?
Re: (Score:2)
Windows Drivers (Score:2)
Designed by the hardware manufacturer to give the best performance possible
Security is not a design requirement, so it does not matter ...