
Critical Windows 10 Warning: Millions Of Users At Risk


Karlston


Critical Windows 10 Warning: Millions Of Users At Risk

Microsoft Windows 10 promo pavilion

 

As the Black Hat security conference comes to an end in Las Vegas, so the DEF CON hacker convention begins. It didn't take long for the first critical warnings for Windows users to emerge as a result. This one is particularly worrying as, according to the Eclypsium researchers who gave the presentation, the issue applies "to all modern versions of Microsoft Windows," which leaves millions of Windows 10 users at risk of system compromise.

What did the researchers reveal?

In a nutshell, the researchers found a common design flaw within the hardware device drivers from multiple vendors including Huawei, Intel, NVIDIA, Realtek Semiconductor, SuperMicro and Toshiba. In total, the number of hardware vendors affected runs to 20 and includes every major BIOS vendor. The nature of the vulnerability has the potential for the widespread compromise of Windows 10 machines.

 

Eclypsium’s research team were investigating how insecure drivers can be abused to attack a device and gain a foothold on the system it is part of. "Drivers that provide access to system BIOS or system components for the purposes of updating firmware, running diagnostics, or customizing options on the component," the researchers stated during their presentation, "can allow attackers to turn the very tools used to manage a system into powerful threats that can escalate privileges and persist invisibly on the host."

 

The drivers were found to have design flaws that enable what are meant to be "low-privilege" applications to be used by a threat actor in such a way as to potentially compromise parts of the Windows operating system that should only be accessible by "privileged" applications. That includes the Windows kernel at the very heart of the operating system.

Certified for trust

The dangerous escalation of privileges problem, giving an attacker read and write access at the same level as the kernel, becomes more problematical when you realize the level of trust that can be exploited here.

 

These were not "rogue" drivers, but officially sanctioned ones. They were all from trusted vendors, all signed by trusted certificate authorities and all certified by Microsoft.

 

As the drivers are designed specifically to update firmware, the seriousness of the issue becomes very apparent, very quickly. The flawed drivers not only provide the mechanism to make these changes but also the privileges to do so. If a threat actor can manipulate this combination of bad coding and signed certification, well, the outcome isn't going to look pretty.

 

The researchers stated that there are "multiple examples of attacks in the wild that take advantage of this class of vulnerable drivers." Examples provided included the Slingshot APT campaign which installs a kernel rootkit and "LoJax malware" that installs malicious code in device firmware that can even survive a full Windows reinstallation.

Has the problem been fixed yet?

Mickey Shkatov, a principal researcher at Eclypsium, told ZDNet that "Some vendors, like Intel and Huawei, have already issued updates." Others, which are independent BIOS vendors, like Phoenix and Insyde, "are releasing their updates to their customer OEMs," Shkatov said.

 

The Eclypsium research reveals that the security issue applies to "all modern versions of Microsoft Windows," and "there is currently no universal mechanism to keep a Windows machine from loading one of these known bad drivers." That said, group policies for Windows Enterprise, Pro and Server could provide a degree of mitigation to "a subset of users," the researchers stated.

 

The full list of vendors that have issued updates, which you should install as soon as possible, can be found here.

What has Microsoft said?

A Microsoft statement said, "In order to exploit vulnerable drivers, an attacker would need to have already compromised the computer. To help mitigate this class of issues, Microsoft recommends that customers use Windows Defender Application Control to block known vulnerable software and drivers." As well as turning on memory integrity for capable devices in Windows Security, Microsoft also recommended using Windows 10 and the Edge browser "for the best protection."

 

 

 

Source: Critical Windows 10 Warning: Millions Of Users At Risk (Forbes)

9 hours ago, Karlston said:

What has Microsoft said?

A Microsoft statement said, "In order to exploit vulnerable drivers, an attacker would need to have already compromised the computer. To help mitigate this class of issues, Microsoft recommends that customers use Windows Defender Application Control to block known vulnerable software and drivers." As well as turning on memory integrity for capable devices in Windows Security, Microsoft also recommended using Windows 10 and the Edge browser "for the best protection."

From the PDF above from DEF CON

Quote

• AV industry
• What good is an AV when you can bypass it, and how can the AV help stop this lunacy.

 

And antivirus can't detect all malware, and there is even some that can disable Windows Defender in the wild, the TrickBot malware. :rofl:

Many boxes are where the vendors have not updated the drivers in years and Microsoft has them on Windows Update, like on my Gateway AMD Radeon box that has not had new driver updates since 2015 (Windows 10 TH2). I just use Linux on it and still get driver updates (which is on the list). This is one of the things I don't like about using old hardware with any version of Windows: the drivers are a security risk, as I said before, and now vendors dropping support on hardware is haunting Windows. It's bad enough they are all proprietary drivers in Windows and the generic ones won't work for things like hardware acceleration. Time for Microsoft to look at making fully compatible generic drivers like the open source ones Linux has. :hehe:



Screwed Drivers – Signed, Sealed, Delivered

 

https://s7d3.turboimg.net/sp/81dd0a87fb28664e86e4aa8d421b3694/c118.jpg

 

 

 

Introduction

Common Design Flaw In Dozens of Device Drivers Allows Widespread Windows Compromise

 

As part of Eclypsium’s ongoing hardware and firmware security research, we have become increasingly interested in the area of insecure drivers and how they can be abused in an attack against a device. Drivers that provide access to system BIOS or system components for the purposes of updating firmware, running diagnostics, or customizing options on the component can allow attackers to turn the very tools used to manage a system into powerful threats that can escalate privileges and persist invisibly on the host.

 

Recent research and attacks in the wild have made it clear that this area warrants additional scrutiny. For example, other research has revealed vulnerabilities in individual hardware vendor drivers (e.g. ASUS, ASRock, GIGABYTE) that allowed applications with user privileges to read and write with the privileges of the kernel. This is obviously a serious escalation of privileges, and we wanted to know if these sorts of vulnerabilities were isolated incidents or examples of a more widespread problem. Secondly, there are multiple examples of attacks in the wild that take advantage of this class of vulnerable drivers. For example, the Slingshot APT campaign installs a kernel rootkit by exploiting drivers with read/write MSR capabilities in order to bypass driver signing enforcement. And the recent LoJax malware abused similar driver functionality to install malicious implants within the firmware of a victim device and persist even across a complete reinstallation of the operating system.

 

Our analysis found that the problem of insecure drivers is widespread, affecting more than 40 drivers from at least 20 different vendors – including every major BIOS vendor, as well as hardware vendors like ASUS, Toshiba, NVIDIA, and Huawei. However, the widespread nature of these vulnerabilities highlights a more fundamental issue – all the vulnerable drivers we discovered have been certified by Microsoft. Since the presence of a vulnerable driver on a device can provide a user (or attacker) with improperly elevated privileges, we have engaged Microsoft to support solutions to better protect against this class of vulnerabilities, such as blacklisting known bad drivers.

 


 

Overview and Impact of the Vulnerabilities

All these vulnerabilities allow the driver to act as a proxy to perform highly privileged access to the hardware resources, such as read and write access to processor and chipset I/O space, Model Specific Registers (MSR), Control Registers (CR), Debug Registers (DR), physical memory and kernel virtual memory. This is a privilege escalation as it can move an attacker from user mode (Ring 3) to OS kernel mode (Ring 0). The concept of protection rings is summarized in the image below, where each inward ring is granted progressively more privilege. It is important to note that even Administrators operate at Ring 3 (and no deeper), alongside other users. Access to the kernel can not only give an attacker the most privileged access available to the operating system, it can also grant access to the hardware and firmware interfaces with even higher privileges such as the system BIOS firmware.

 

 

https://s7d5.turboimg.net/sp/aa1b3ad111d3d598ab314f98dab3e46e/rings.png

 

How Vulnerabilities Can Be Used In an Attack

A vulnerable driver installed on a machine could allow an application running with user privileges to escalate to kernel privileges and abuse the functionality of the driver. In other words, any malware running in the user space could scan for a vulnerable driver on the victim machine and then use it to gain full control over the system and potentially the underlying firmware. However, if a vulnerable driver is not already on a system, administrator privilege would be required to install a vulnerable driver.

 

As mentioned earlier, a vulnerable driver could also give an attacker access to the “negative” firmware rings that lie beneath the operating system. As seen with the LoJax malware, this allows malware to attack vulnerable system firmware (e.g. UEFI) to maintain persistence on the device, even if the operating system is completely reinstalled. The problem extends to device components, in addition to the system firmware. Some vulnerable drivers interact with graphics cards, network adapters, hard drives, and other devices. Persistent malware inside these devices could read, write, or redirect data stored, displayed or sent over the network. Likewise, any of the components could be disabled as part of a DoS or ransomware attack.

Since many of the drivers themselves are designed to update firmware, the driver is providing not only the necessary privileges, but also the mechanism to make changes.

Signed and Certified Does Not Mean Safe

It is of particular concern that the drivers in question were not rogue or unsanctioned – in fact, just the opposite. All the drivers come from trusted third-party vendors, signed by valid Certificate Authorities, and certified by Microsoft. Both Microsoft and the third-party vendors will need to be more vigilant with these types of vulnerabilities going forward.

 

These issues apply to all modern versions of Microsoft Windows and there is currently no universal mechanism to keep a Windows machine from loading one of these known bad drivers. Implementing group policies and other features specific to Windows Pro, Windows Enterprise and Windows Server may offer some protection to a subset of users. Once installed, these drivers can reside on a device for long periods of time unless specifically updated or uninstalled. In addition to the drivers which are already installed on the system, malware can bring any of these drivers along with them to perform privilege escalation and gain direct access to the hardware.

 


 

Impacts and Mitigation

The presence of vulnerable drivers can make it increasingly challenging to secure the firmware attack surface. Vulnerable or outdated system and component firmware is a common problem and a high value target for attackers, who can use it to launch other attacks, completely brick systems, or remain on a device for years gathering data, even after the device is wiped. To make matters worse, in this case, the very drivers and tools that would be used to update the firmware are themselves vulnerable and provide a potential avenue for attack. As a result, organizations should not only continuously scan for outdated firmware, but also update to the latest version of device drivers when fixes become available from device manufacturers.

 

Organizations may also want to keep their firmware up to date, scan for vulnerabilities, and monitor and test the integrity of their firmware to identify unapproved or unexpected changes.

List of Affected Vendors

  • ASRock
  • ASUSTeK Computer
  • ATI Technologies (AMD)
  • Biostar
  • EVGA
  • Getac
  • GIGABYTE
  • Huawei
  • Insyde
  • Intel
  • Micro-Star International (MSI)
  • NVIDIA
  • Phoenix Technologies
  • Realtek Semiconductor
  • SuperMicro
  • Toshiba

Some affected vendors are still under embargo due to their work in highly regulated environments and will take longer to have a fix certified and ready to deploy to customers.

You can read the DEF CON presentation here.

 

Source

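As an added example (not code from the Eclypsium post or the Forbes article above), a PowerShell inventory script covering the defender-side steps both pieces name: listing the running vendor kernel drivers with their signer and file vendor so they can be checked against the vendors' published updates, and reporting whether memory integrity (HVCI) and WDAC policy enforcement, the mitigations in Microsoft's statement, are active. It assumes an elevated PowerShell 5.1 session on Windows 10; the function names are mine.

```powershell
# Added example, not code from the Eclypsium post or the Forbes article.
# Inventory running vendor kernel drivers and report the state of the two
# mitigations Microsoft named (memory integrity / HVCI and WDAC enforcement).
# Assumes an elevated PowerShell 5.1 session on Windows 10; function names are mine.

function Get-VendorKernelDriver {
    # WHQL-certified vendor drivers carry a Microsoft-issued signature, so the
    # signer alone does not identify the vendor; the PE CompanyName does.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the NT-style image paths stored in the service database.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $vendor = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            if (-not $vendor) { $vendor = '<no version info>' }
            [pscustomobject]@{
                Name      = $_.Name
                Vendor    = $vendor
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
                Path      = $path
            }
        } |
        Where-Object { $_.Vendor -notmatch 'Microsoft' }
}

function Get-DriverMitigationStatus {
    # Win32_DeviceGuard exposes the virtualization-based security state.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace root\Microsoft\Windows\DeviceGuard
    $levels = @('Off', 'Audit', 'Enforced')
    [pscustomobject]@{
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
        MemoryIntegrityRunning = [bool]($dg.SecurityServicesRunning -contains 2)
        # *PolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced
        WdacKernelPolicy   = $levels[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        WdacUserModePolicy = $levels[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

# Usage: print the vendor driver inventory, then the mitigation state.
Get-VendorKernelDriver | Sort-Object Vendor, Name |
    Format-Table Name, Vendor, SigStatus, Signer -AutoSize
Get-DriverMitigationStatus | Format-List
```

A vendor in the inventory that also appears in the affected-vendor list above is a prompt to check that vendor's update page; the page itself does not name the affected driver files, so the script cannot flag individual drivers.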


stylemessiah

Meh, anyone else lost count of the number of clickbait "Critical Flaw" warnings over the years?

 

Anyone want to guess how many have gone on to be more than the usual "look what we did in a closed environment/lab we fully control" environment?

 

Almost fricking zero

 

Quote

However, if a vulnerable driver is not already on a system, administrator privilege would be required to install a vulnerable driver.

 

So you still have to be a numpty for it to work, just like every other exploit in history. Why is it marked critical? It should be marked "Normal".

 

As I always say... next



3 hours ago, stylemessiah said:

Anyone want to guess how many have gone on to be more than the usual "look what we did in a closed environment/lab we fully control" environment?

 

Almost fricking zero

It's just common sense: most exploits done in a lab never caused a problem because most of the time Microsoft and other software vendors patched them before they went in the wild. Why do you think Big Tech pays out a :shit: ton of money to hackers every year? It's to harden software against attack! They don't pay all that money out because they want to. Big Tech are tightwads. They pay well but they lay people off all the time, and use naive people for lab rats. If you don't pirate Windows you are a lab rat, and many pirates are lab rats by choice. Before they hardened Windows back in the 90s and early 2000s people got infected all the time. On Windows XP before they hardened it, pre SP2, you would catch a virus in about 10 minutes if you didn't install a 3rd party firewall. Sygate Personal Firewall was the one I used; I got a key off p2p back then. That's what's wrong with Windows: you got millions of people who believe using stuff that was invented for the 1990s and early 2000s, security based on before Windows got hardened, will protect them in 2019, and it won't. Hackers are way ahead there in 2019 while security apps are 11 years behind the times. And there is no way to know which drivers to disable because it's not a matter of public record. Microsoft removed their POC from GitHub because they're already being sued for allowing hackers to work on GitHub. Microsoft paid SandboxEscaper a big bounty before and now he drops 0-days in the wild.

 

Same as WannaCry, another hole they found in newer Windows that infected people with a virus and malware. It was patched months before it was used in the wild and still many didn't patch and got infected; people who run servers and things are bad about not shutting down long enough to do updates. That's why they have live patching on Linux now, to patch without rebooting. In the last few years Microsoft even patched XP 2 times for viruses. Windows 10 rebooted people in the middle of work before :hehe:

 

All malware is made in someone's lab, be it a white hat's or a black hat's lab. Someone invented it before they dropped it.

 

In the USA you can be sued for selling the government hackable software; Cisco got fined $8.6 million for it just the other day. More stuff happens than any of us knows because it's classified. It's just been in the last few years that they started making private businesses fess up to data breaches; it used to be no one reported it till they made laws in the USA on it, and still in some countries they never report it. People like you who think there's never any threat could be infected for years with fileless malware and never know they were infected. Many viruses don't get discovered till years after they were made. The government uses them for years; most likely the same hackers that are patching your software are the ones that helped them make them too, because they all work for Google, Facebook and Microsoft now.

 

LoJack malware, which is the same type of malware as above, was in the wild. Where they infected legit software, it infected UEFI.

 

LoJack for computers used to attack European government bodies

https://blog.malwarebytes.com/cybercrime/hacking/2018/10/lojack-for-computers-used-to-attack-european-government/

 

Almost all state hackers use legit software to spread malware. You remember CCleaner, Linux Mint? Those are a few that come to mind. There was one the other day that was spreading malware, I forgot the name of it. And some state hackers steal cash as well from the common folks; they just don't hack for info. It depends on which country they're from: if they're in places that have their trade cut off they steal money for their governments. Some moonlight and steal it for themselves.

 


