Device Drivers at Risk

New Windows vulnerability reveals what could be the next big target for attackers

Now there's another weak link to worry about: the device driver. The vulnerability in Microsoft's Windows Server Service revealed in yesterday's Patch Tuesday fixes was a chilling preview of the risks associated with today's device drivers. (See The Patch Race Is On.)

The hole in Windows Server Service is one of the first and most high-profile device-driver vulnerabilities to emerge, and it's a topic that's been near and dear for some time to David Maynor, senior security researcher for SecureWorks. Maynor, along with researcher and graduate student Jon Ellch, will give a presentation on device-driver vulnerabilities on August 2 at the Black Hat Conference in Las Vegas.

"In the last year, I've theorized that we will see a lot more of these types of device-driver attacks and this is one example" of the threat, Maynor says. Device-driver code is often written in a patchwork manner, typically by both hardware and software engineers and with no regard to security, he says. Plus there's no certification process for this code, so it can easily be manipulated.

That's what makes device drivers for network cards, printers, wireless access points, video cards, and servers such tempting targets for attackers. "As the operating system hardens, attackers will take the path of least resistance," he says.

Maynor says the goal of his and Ellch's Black Hat presentation will be to dispel the theory that exploiting a device driver is just too complicated for most attackers. Critics say such an attack isn't likely because an attacker would need to know details on the hardware, such as its chipset. But Ellch will demonstrate at Black Hat how attackers can gather that information, using a research tool he developed. "It will show that this [attack] is possible."

Meanwhile, Microsoft's server device driver, a .sys file, is a slightly different animal than the typical hardware device driver for say, a printer or wireless access point, but it's susceptible to the same kinds of attacks, Maynor says.

Device drivers run in kernel mode, with the highest privileges the operating system has, so an attacker who compromises Microsoft's Server Service .sys file or a printer device driver can modify anything on the system. The Microsoft hole would be an ideal place to insert a rootkit and hide out, Maynor says. All an attacker has to do to compromise a network-facing driver is craft a malformed packet and send it to the machine; the driver parses the packet in kernel mode, and the machine is compromised as soon as it does.
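The packet-to-kernel path described above, as an added illustration that is not from the article and is not the Windows Server Service bug: a hypothetical driver receive handler parses a made-up frame layout ([type:1][name_len:1][name:name_len]) into a fixed buffer. The unchecked copy sits beside a bounds-checked one, and a sentinel field placed after the buffer stands in for whatever kernel state a real driver would trample. The frame format, the struct, the sentinel value and the sample frames are all constructed for this example; the code runs in user space only so the effect can be observed safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical driver state: a fixed-size name buffer followed by a
 * sentinel that stands in for kernel data living just past the buffer. */
#define NAME_MAX 16
#define SENTINEL 0xDEADBEEFu

struct driver_ctx {
    uint8_t  name[NAME_MAX];
    uint32_t sentinel;
};

static void ctx_init(struct driver_ctx *ctx)
{
    memset(ctx->name, 0, sizeof ctx->name);
    ctx->sentinel = SENTINEL;
}

/* Vulnerable handler: checks that the frame is long enough to read from
 * (so it never over-reads), but never checks that the destination is large
 * enough to hold name_len bytes. name_len comes straight off the wire. */
int handle_frame_vulnerable(struct driver_ctx *ctx, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2)
        return -1;
    size_t name_len = pkt[1];
    if (2 + name_len > pkt_len)
        return -1;
    /* The byte-pointer copy keeps this demo inside the struct object; a real
     * kernel driver would run straight off the end into adjacent memory. */
    memcpy((uint8_t *)ctx + offsetof(struct driver_ctx, name), pkt + 2, name_len);
    return 0;
}

/* Hardened handler: the attacker-controlled length is checked against both
 * the source (bytes actually received) and the destination (buffer size,
 * leaving room for a terminator). */
int handle_frame_hardened(struct driver_ctx *ctx, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2)
        return -1;
    size_t name_len = pkt[1];
    if (name_len > pkt_len - 2)            /* source bound: no over-read   */
        return -1;
    if (name_len > sizeof ctx->name - 1)   /* destination bound: no overflow */
        return -1;
    memcpy(ctx->name, pkt + 2, name_len);
    ctx->name[name_len] = '\0';
    return 0;
}

int sentinel_intact(const struct driver_ctx *ctx)
{
    return ctx->sentinel == SENTINEL;
}

/* Constructed benign frame: type 1, name "wlan0". */
static const uint8_t benign_frame[] = { 0x01, 5, 'w', 'l', 'a', 'n', '0' };

/* Constructed hostile frame: the length byte claims NAME_MAX + 4 bytes,
 * exactly enough to fill name[] and overwrite the sentinel. */
size_t build_evil_frame(uint8_t *out, size_t cap)
{
    size_t body = NAME_MAX + 4;
    if (cap < 2 + body)
        return 0;
    out[0] = 0x01;
    out[1] = (uint8_t)body;
    memset(out + 2, 'A', body);
    return 2 + body;
}

/* Feeds the hostile frame to one handler; returns 1 if the sentinel survived. */
int evil_demo(int hardened)
{
    struct driver_ctx ctx;
    uint8_t frame[64];
    ctx_init(&ctx);
    size_t n = build_evil_frame(frame, sizeof frame);
    if (hardened)
        handle_frame_hardened(&ctx, frame, n);
    else
        handle_frame_vulnerable(&ctx, frame, n);
    return sentinel_intact(&ctx);
}

/* Feeds the benign frame; returns 1 if it was accepted, parsed and harmless. */
int benign_demo(int hardened)
{
    struct driver_ctx ctx;
    ctx_init(&ctx);
    int rc = hardened ? handle_frame_hardened(&ctx, benign_frame, sizeof benign_frame)
                      : handle_frame_vulnerable(&ctx, benign_frame, sizeof benign_frame);
    return rc == 0 && memcmp(ctx.name, "wlan0", 5) == 0 && sentinel_intact(&ctx);
}

int main(void)
{
    printf("vulnerable handler, hostile frame: sentinel intact = %d\n", evil_demo(0));
    printf("hardened handler,   hostile frame: sentinel intact = %d\n", evil_demo(1));
    return 0;
}
```

The hostile frame passes the vulnerable handler's only check (the packet really does contain 20 bytes after the header), so the copy lands on the sentinel; in a real driver that would be kernel memory the attacker now controls from an unauthenticated network packet. The hardened version rejects the frame before copying anything, and both handlers accept the benign frame, which is the property a driver fix has to preserve.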

So far, there have been no exploits targeting Microsoft's server hole, but Maynor says it's a matter of time, especially now that the Microsoft vulnerability has been publicized. "And it's possible there's something out there already that we just haven't seen yet."

But device-driver vulnerability isn't just a Windows problem. It goes hand in hand with every OS, from Linux to Mac OS X. And third-party hardware vendors such as Intel and ATI write their own drivers, so Microsoft has little, if any, control over their security, even with its recent security initiatives. "They aren't subject to the same stringent security Microsoft implements now," Maynor says.

So how can you protect your organization from a device driver attack? Maynor says it's more of a policy issue. "Don't add extraneous equipment you don't need to the network. Every piece of equipment makes it easier for this type of attack."

The researchers will also demonstrate one laptop attacking another over WiFi through a vulnerable 802.11 device driver at the Black Hat session, along with a couple of other demos they won't reveal at this time.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
