Threatpost reports that security researcher jonhat has identified a zero-day vulnerability in the Synapse device installer software for Razer peripherals that gives full admin rights on Windows 10 to anyone who plugs in a device.
The issue arises from Windows' automated retrieval of an installer with driver software and Synapse utility once users plug in a Razer device, according to jonhat and tests done by BleepingComputer. Installation of the Synapse utility will then enable users to obtain SYSTEM privileges on their device.
Razer, which has given jonhat a bounty for reporting the bug, is already working on a fix for the vulnerability. Microsoft is also investigating the case.
"While this issue requires physical access to a targeted device, we will take any necessary steps to help protect customers," said a Microsoft spokesperson.
Meanwhile, CERT Coordination Center vulnerability analyst Will Dormann said that other peripherals may also allow privilege escalation on Windows.
"If you combine the facts of 'connecting USB automatically loads software' and 'software installation happens with privileges', I'll wager that there are other exploitable packages out there," said Dormann.
Razer Synapse zero-day enables admin privileges