Endowed with significant access privileges, drivers are unfortunately not always of high quality. They are therefore a serious Achilles heel for Windows systems.
To interact with the hardware components it has access to, the Windows operating system relies on an army of small, very practical programs: drivers. Unfortunately, these programs can also introduce serious security vulnerabilities, as security researchers at Eclypsium have just shown at the recent DEF CON conference in Las Vegas.
The experts took an interest in this topic following recent attacks such as LoJax or Slingshot APT, in which the attackers cleverly relied on drivers. This is not very surprising, because a driver often has interesting access privileges. By their nature, drivers have access to particularly protected areas of the operating system's memory, such as the kernel's. Some even allow firmware, including that of the BIOS, to be read and modified. A godsend for an attacker who seeks to elevate his privileges on a system he has just entered and who wants to install a persistent back door.
Vendors recognized and certified by Microsoft
Unfortunately, there are many drivers with security vulnerabilities that can be misused for malicious purposes. In the space of two weeks, researchers from Eclypsium found more than forty. And they are still finding more; they are there for the taking. Yet all of these drivers come from vendors recognized and certified by Microsoft. Among them are big names such as Intel, Gigabyte, SuperMicro, Nvidia, Phoenix, Huawei, Toshiba, Asustek, MSI, Realtek, etc.
Guarding against this potential danger is not simple, because “there is no universal mechanism to avoid the loading of these vulnerable drivers on a Windows machine”, the researchers point out in a blog post. Professional editions of Windows allow users to be protected in some cases through group policies, but this is inevitably laborious.
Patches are available
The ball is now in the court of Microsoft and its partners. It is up to them to quickly correct the flaws found and, above all, to improve the quality of their drivers in the future. Intel and Huawei have already released patches for the drivers singled out. At Phoenix and Insyde, a patch is in the works. But not all of them are so responsive: MSI and Toshiba, for example, gave no sign of life after being alerted by Eclypsium. A pity. The researchers are expected to publish tools and videos related to their analysis on GitHub in the near future.