Researchers Find Over 40 Windows Security Flaws In Drivers From AMD, NVIDIA, Intel And Others

Researchers recently uncovered Windows kernel security flaws that affect over 40 drivers from 20 different vendors. The vulnerabilities could give attackers access to a device's hardware and firmware. Researchers from Eclypsium shared their troubling findings this past week at the DEF CON 27 security conference in Las Vegas, Nevada.

Why are there so many vulnerable drivers? According to Mickey Shkatov, Principal Researcher at Eclypsium, bad coding practices are to blame. Many drivers are meant to be flexible and able to perform a wide variety of actions instead of performing specific tasks. Shkatov noted, “It's easier to develop software by structuring drivers and applications this way, but it opens the system up for exploitation.”
Windows laptop with driver security flaws

In general users, and even Administrators, only have access to user privileges or Ring 3 (see image below). The vulnerable drivers could grant attackers highly privileged access to OS kernel mode or Ring 0. These attackers could potentially damage or disable hardware and firmware. The drivers remain on the device open to attack unless they are specifically updated or uninstalled. Malware could therefore search for these unsecure drivers and then exploit them if present. Drivers from AMD, NVIDIA, Intel, and others could all be subject to attack. 

To top it all off, all of these vulnerable drivers were signed by valid Certificate Authorities and certified by Microsoft. According to Eclypsium, “These issues apply to all modern versions of Microsoft Windows”. Vendors will also need to issue their own individual updates to resolve the security issue. There is no one solution to this driver problem, unfortunately.

eclypsium kernel rings
Image credit: 

It is unclear how such a security flaw was able to go undetected by reputable vendors and Microsoft. Many vendors have already released updates or plan to do so in the near future. Eclypsium also noted that they have not named every affected vendor so that they may give them more time to release updates. At the moment, Microsoft recommends “that customers use Windows Defender Application Control to block known vulnerable software and drivers. Customers can further protect themselves by turning on memory integrity for capable devices in Windows Security.” And of course, update your primary system drivers early and often, as major OEMs roll out updates. 

Meanwhile, a teen hacker also shared at DEF CON 27 that vulnerabilities in two education software programs that could have affected over five million students. The vulnerabilities could have exposes student information such as birth cities, bus routes, numbers of suspension, special education status, and details about reduced or free lunches. The security flaws have since been fixed, but the issue has brought up questions about education data security. Security issues typically heat up around the DEF CON time frame and this year is certainly no exception.