More than 40 Microsoft-certified software drivers from 20 high-profile vendors have been found to contain vulnerabilities that can be exploited by an attacker, a new report revealed.
Researchers at Eclypsium said the drivers were found on a variety of devices, including products from Toshiba, ASUS, NVIDIA, and Intel and has led Eclypsium to ask Microsoft to better protect against this class of vulnerabilities by taking steps like blacklisting known bad drivers. But what was top of mind to Eclypsium’s researchers is the fact all the drivers, which came from third parties, had Microsoft-certified certificate authorities.
“It is of particular concern that the drivers in question were not rogue or unsanctioned – in fact, just the opposite. Both Microsoft and the third-party vendors will need to be more vigilant with these types of vulnerabilities going forward,” the report stated.
Eclypsium made these vulnerabilities public last week during Def Con.
In all cases the vulnerability allow the driver to act as a proxy giving privileged access to the devices that includes hardware resources, such as read and write access to processor and chipset I/O space, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory and kernel virtual memory.
“A vulnerable driver installed on a machine could allow an application running with user privileges to escalate to kernel privileges and abuse the functionality of the driver. In other words, any malware running in the user space could scan for a vulnerable driver on the victim machine and then use it to gain full control over the system and potentially the underlying firmware,” the report stated.
Adding to the problem is the very drivers and tools used to keep a device safe are themselves vulnerable. This requires organizations to continuously scan for outdated firmware, but and ensure it is updated to the latest version.