Device Drivers at Risk

New Windows vulnerability reveals what could be the next big target for attackers

Now there's another weak link to worry about: the device driver. The vulnerability in Microsoft's Windows Server Service revealed in yesterday's Patch Tuesday fixes was a chilling preview of the risks associated with today's device drivers. (See The Patch Race Is On.)

The Windows Server Service hole is one of the most high-profile driver vulnerabilities to emerge so far, and driver security has for some time been a topic near and dear to David Maynor, senior security researcher for SecureWorks. Maynor, along with researcher and graduate student Jon Ellch, will present on device-driver vulnerabilities on August 2 at the Black Hat conference in Las Vegas.

"In the last year, I've theorized that we will see a lot more of these types of device-driver attacks and this is one example" of the threat, Maynor says. Device-driver code is often written in a patchwork manner, typically by both hardware and software engineers and with no regard to security, he says. Plus there's no certification process for this code, so it can easily be manipulated.

That's what makes device drivers for network cards, printers, wireless access points, video cards, and servers such tempting targets for attackers. "As the operating system hardens, attackers will take the path of least resistance," he says.

Maynor says the goal of his and Ellch's Black Hat presentation will be to dispel the theory that exploiting a device driver is just too complicated for most attackers. Critics say such an attack isn't likely because an attacker would need to know details on the hardware, such as its chipset. But Ellch will demonstrate at Black Hat how attackers can gather that information, using a research tool he developed. "It will show that this [attack] is possible."

Meanwhile, Microsoft's Server Service driver is a slightly different animal from the typical hardware device driver for, say, a printer or a wireless card: it is a kernel-mode .sys file with no hardware behind it. But it is susceptible to the same kinds of attacks, Maynor says.

Device drivers run in kernel mode, with the highest privileges the operating system has, so an attacker who compromises the Server Service's .sys file or a printer driver can modify anything on the system, the kernel itself included. That makes the Microsoft hole an ideal place to insert a rootkit and hide out, Maynor says. For a network-facing driver, the initial compromise can require nothing more than crafting a packet and sending it to the machine: the driver parses the packet in kernel context, and the machine is compromised the moment it does so.
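As an added illustration, not code from the article or from Maynor and Ellch's research, here is a toy C model of the crafted-packet attack described above. A driver walks a run of 802.11-style information elements ([id][length][data]) from a received frame and copies the SSID element into a fixed 32-byte buffer. The frame layout, the driver state object and the "guard" bytes standing in for the neighbouring kernel fields are all constructed for the example; the unhardened copy trusts the attacker's length byte, the hardened copy rejects anything over SSID_MAX.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX   32   /* 802.11 limits an SSID to 32 octets */
#define IE_SSID     0   /* element ID 0 is the SSID element in a beacon/probe response */
#define IE_RATES    1   /* element ID 1: supported rates */
#define GUARD_LEN 256

/* Constructed stand-in for a driver's per-interface state. In a real kernel
 * driver the bytes after the SSID buffer would be other fields (callbacks,
 * list links); the guard region lets us observe when a write spills into them. */
struct wlan_state {
    uint8_t ssid[SSID_MAX];
    uint8_t ssid_len;
    uint8_t guard[GUARD_LEN];
};

static void state_init(struct wlan_state *st) {
    memset(st, 0, sizeof *st);
    memset(st->guard, 0xA5, sizeof st->guard);
}

/* 1 if nothing past the SSID buffer was touched. */
static int guard_intact(const struct wlan_state *st) {
    for (size_t i = 0; i < sizeof st->guard; i++)
        if (st->guard[i] != 0xA5) return 0;
    return 1;
}

/* Walk a run of 802.11-style information elements: [id][len][len data bytes].
 * Returns the number of elements consumed, or -1 if the frame is rejected.
 * 'hardened' selects the fixed copy path. */
static int parse_ies(const uint8_t *buf, size_t n, struct wlan_state *st, int hardened) {
    size_t off = 0;
    int count = 0;
    while (off + 2 <= n) {
        uint8_t id = buf[off], len = buf[off + 1];
        const uint8_t *data = buf + off + 2;
        if (off + 2 + len > n)              /* element runs past the end of the frame */
            return -1;
        if (id == IE_SSID) {
            if (hardened && len > SSID_MAX) /* the missing check */
                return -1;
            /* BUG in the unhardened path: len is attacker-controlled (0..255) and is
             * never compared with SSID_MAX, so a long SSID element overwrites whatever
             * follows ssid[] in the driver's state object. */
            memcpy((uint8_t *)st + offsetof(struct wlan_state, ssid), data, len);
            st->ssid_len = len;
        }
        off += 2 + len;
        count++;
    }
    return count;
}

/* Build a constructed frame body: an SSID element followed by a rates element. */
static size_t build_frame(uint8_t *out, size_t cap, const uint8_t *ssid, uint8_t ssid_len) {
    static const uint8_t rates[] = { 0x82, 0x84, 0x8b, 0x96 };
    size_t need = 2 + ssid_len + 2 + sizeof rates;
    if (need > cap) return 0;
    out[0] = IE_SSID; out[1] = ssid_len;
    memcpy(out + 2, ssid, ssid_len);
    out[2 + ssid_len] = IE_RATES; out[3 + ssid_len] = (uint8_t)sizeof rates;
    memcpy(out + 4 + ssid_len, rates, sizeof rates);
    return need;
}

/* Parse one constructed frame into a fresh state. Returns the parser result and
 * reports through *intact whether the bytes after the SSID buffer survived. */
static int run_frame(const uint8_t *ssid, uint8_t ssid_len, int hardened, int *intact) {
    uint8_t frame[512];
    struct wlan_state st;
    size_t n = build_frame(frame, sizeof frame, ssid, ssid_len);
    state_init(&st);
    int r = parse_ies(frame, n, &st, hardened);
    *intact = guard_intact(&st);
    return r;
}

int main(void) {
    uint8_t evil[200];
    memset(evil, 'A', sizeof evil);   /* constructed oversized SSID element */
    int intact, r;
    r = run_frame((const uint8_t *)"corpnet", 7, 0, &intact);
    printf("benign   / vulnerable: parsed=%d guard_intact=%d\n", r, intact);
    r = run_frame(evil, sizeof evil, 0, &intact);
    printf("oversize / vulnerable: parsed=%d guard_intact=%d\n", r, intact);
    r = run_frame(evil, sizeof evil, 1, &intact);
    printf("oversize / hardened  : parsed=%d guard_intact=%d\n", r, intact);
    return 0;
}
```

Compile with any C99 compiler and run it. The unhardened parser reports the guard region corrupted on the oversized frame while still returning success, which is what makes these bugs so quiet in a kernel: nothing in the packet path complains, and the overwritten bytes are whatever the driver happened to store after the buffer.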

So far, there have been no exploits targeting Microsoft's server hole, but Maynor says it's a matter of time, especially now that the Microsoft vulnerability has been publicized. "And it's possible there's something out there already that we just haven't seen yet."

But device-driver vulnerability isn't just a Windows problem. It exists on every OS, from Linux to Mac OS X. And third-party hardware vendors such as Intel and ATI write their own Windows drivers, so Microsoft has little, if any, control over their security, even with its own recent secure-development initiatives. "They aren't subject to the same stringent security Microsoft implements now," Maynor says.

So how can you protect your organization from a device-driver attack? Maynor says it's more of a policy issue. "Don't add extraneous equipment you don't need to the network. Every piece of equipment makes it easier for this type of attack." The same logic applies to interfaces a machine already has: a wireless or Bluetooth radio that is switched off cannot be handed a hostile frame to parse.

The researchers will also demonstrate one laptop attacking another over WiFi through a vulnerable 802.11 device driver at the Black Hat session, as well as a couple of other demos they won't reveal at this time.

— Kelly Jackson Higgins, Senior Editor, Dark Reading