• Big bunch of bad drivers


    #1906637

    At the DEFCON conference this week, a security company called Eclypsium released quite a bombshell: Our analysis found that the problem of insecure driv
    [See the full post at: Big bunch of bad drivers]

    5 users thanked author for this post.
    • #1906644

      I had a skim through the available vendor data relevant to my PCs (Intel/ASRock/ASUSTek/nVidia/Realtek) earlier; all affected drivers belonged to utility software – not to hardware drivers – and I’ve seen enough BSODs caused by vendors’ ‘utilities’ over the last decade or so to steer well clear of them.

      Drivers only FTW.

      8 users thanked author for this post.
      • #1906800

        all affected drivers belonged to utility software – not to hardware drivers

        Not just drivers but major BIOS vendors as well.

        • This reply was modified 5 years, 9 months ago by Alex5723.
        2 users thanked author for this post.
        • #1906804

          Not just drivers but major BIOS vendors as well.

          I read the articles and checked the details as pertinent to my systems, I couldn’t check what’s not out there yet.

      • #1906860

        May/may not be applicable to the subject to help folk, but I usually virus scan/extract setup files to a temp location and install device drivers via the Device Manager where possible, and have done so since Win2000 (all Windows OSes excluding W10). Sometimes this is not possible, so I ensure that setup files are ‘Custom Installed’ as a rule, checking ALL the tick boxes during the installation process.

        Windows - commercial by definition and now function...
        1 user thanked author for this post.
    • #1906667

      I wonder if something like this might not also cause problems when running other operating systems besides Windows (e.g. Linux, macOS… ) or whether this is limited entirely to Windows.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      2 users thanked author for this post.
      • #1906831

        Eh, the Windows device drivers don’t work on anything but Windows, and Eclypsium’s published materials only seem to deal with specifics on Windows.

        The problem in general isn’t restricted to Windows though. Writing secure drivers is hard if you really think about it… like that one case where a faulty disk on one bus triggered a chain of faults eventually leading to an out-of-bounds write in the kernel…

        (Was on something other than Windows, Linux or Mac. Supposed to be high availability and able to cope with losing the entire bus and all the disks on it without interrupting service. Well duh, just losing them is one thing, having them still exist but return bogus metadata…)

        Wasn’t authorized to let them take the hardware back for testing but there was a mass storage layer security patch shortly afterwards anyway.

        2 users thanked author for this post.
    • #1906683

      So should we go to the vendor of each hardware we have and download the appropriate driver or just sit on it?

      • #1906888

        Sit tight for now.

        See Alex5723’s detailed answer below.

        2 users thanked author for this post.
      • #1907006

        If you are a laptop owner then the GPU drivers more than likely have to come from the laptop’s OEM and not directly from Nvidia (discrete graphics drivers for the most part), AMD (integrated and discrete graphics drivers), and Intel (integrated graphics drivers).

        Some laptop OEMs have modded graphics drivers that can not be serviced by anyone but that laptop’s OEM so driver updates may never come for some.

        As far as other Laptop Drivers it’s best to look to the laptop OEM’s drivers for that specific make and model of laptop first to see if they are generic drivers that can be serviced by the GPU makers instead of only the Laptop’s OEM, but really laptops are not as easy to get even current graphics driver updates for other issues and not only just this Security Issue.

        If you have purchased any of the business grade laptops then that level of OEM laptop service is going to be better over a longer time frame for most issues. For example, I have a 2012 made laptop that’s from HP that’s a business grade ProBook and the UEFI/BIOS firmware support has been good for the Intel Spectre/Meltdown microcode updates from Intel via HP, and even the HP Intel Integrated Graphics drivers have been getting updates from HP’s website, but not the AMD discrete Mobile GPU that came with the HP ProBook SKU. The last update for the AMD discrete mobile GPU from HP is around 2014 and the laptop’s GPU is of such an old GPU generation (Pre-GCN Graphics) that the GPU is considered legacy hardware by AMD.

        More folks use Laptops but the Online Press tends to focus on PC hardware issues more than laptop hardware/driver issues. If you are using a home built PC where you have sourced all of your PC parts individually then those parts (Discrete GPUs and other cards) ship with Generic graphics drivers, and Firmware/Drivers for the Motherboard components come regularly from the MB makers. And the majority of the Online Technical Press only focuses on the Home System Builder PC market while forgetting that, for security issues, there are more laptops in use than PCs. But still laptops and security issues need to be addressed also. The GPU makers tend to offer all around better support for their PC grade Discrete GPUs and less so on Laptop/Mobile GPUs as well.

        So if you have Built your own PC from off the shelf parts then it’s the parts makers that are directly responsible for Graphics Drivers, or Motherboard Drivers, etc. If your PC comes from an OEM then it’s hit and miss as to whether the Drivers have to come from the PC’s OEM or can come directly from the individual parts makers like GPU makers/etc. OEM laptops are all pretty custom affairs and are not built from off the shelf parts, so that’s mostly the job of the laptop OEMs to support their individual products.


        1 user thanked author for this post.
    • #1906691

      I wonder if something like this might not also cause problems when running other operating systems besides Windows (e.g. Linux, macOS… ) or whether this is limited entirely to Windows.

      This is not a problem that is specific to Windows — all the major operating systems support running third-party drivers inside the kernel space.

      The problem is more prevalent on Windows since there are more manufacturers targeting the platform with drivers. I’m sure if researchers looked hard enough, they’d find a number of vulnerabilities in drivers produced for macOS as well.

      The cool thing about macOS here is that they do have their Gatekeeper functionality, along with some basic anti-malware capabilities, which allows Apple to reach out to every Mac configured to allow it to automatically disable bad drivers. They did this recently with Zoom video conferencing software.

      Linux is a whole different story, since many more drivers are actually included with the kernel and are therefore both open-source and carefully peer-reviewed before inclusion. But if there is a bad driver, it still requires that administrators update their Linux systems manually.


      3 users thanked author for this post.
      • #1906792

        This is not a problem that is specific to Windows — all the major operating systems support running third-party drivers inside the kernel space.

        Exactly.

        This is also why “microkernel” systems with most drivers segregated were thought to be so attractive in theory. It’s just, this has tradeoffs that make it sort of unattractive for a general-purpose operating system.

        Though, anything with unrestricted DMA is able to do all kinds of damage anyway, and many device drivers need that… except if you have working permission management down to the system bus, in hardware. Most general purpose systems don’t. (See also the Thunderbolt security issues – full hardware DMA from an external USB-C connector…?)

        Linux is a whole different story, since many more drivers are actually included with the kernel and are therefore both open-source and carefully peer-reviewed before inclusion.  But if there is a bad driver, it still requires that administrators update their Linux systems manually.

        Also drivers can get fixed, at least for security, even without participation from the hardware vendor. Leading to the usual kinds of problems with “supported driver versions”, occasionally … but on average it’s a lot better anyway.

        3 users thanked author for this post.
    • #1906789

      Links to Eclypsium blog and DefCon presentation: https://www.askwoody.com/forums/topic/over-40-drivers-backdoor-2/

      Eclypsium also promised to soon release a script on GitHub https://github.com/eclypsium/Screwed-Drivers that would help users find wormhole drivers installed on their systems, along with proof-of-concept code, video demonstrations, and links to vulnerable drivers and tools.

      • This reply was modified 5 years, 9 months ago by Alex5723.
      2 users thanked author for this post.
      • #1912112

        For Linux at least, maybe for Microsoft and Apple, this kind of published report may lead to fixing these security issues faster and more completely. At least there is now the ability to test drivers against a standard.

        -- rc primak
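      Alex5723’s post above mentions that Eclypsium promised a script to find affected drivers on a system. As an added example that is not part of this thread and is not Eclypsium’s tool, the PowerShell snippet below builds a local inventory of the kernel-mode drivers registered on a Windows machine, records each binary’s Authenticode signer, and flags any whose file name appears in a text list you supply (one driver file name per line; the list path is a placeholder). It assumes Windows PowerShell 3.0 or later and an elevated prompt so that every driver file under System32 is readable.

```powershell
# Added example, not code from the thread or from Eclypsium.
# Inventory registered kernel-mode drivers, resolve each binary, record its
# Authenticode signer, and flag names that appear in an advisory list.
# Assumption: the advisory list is a plain text file, one file name per line.
$advisoryList = 'C:\path\to\advisory-driver-names.txt'   # placeholder, replace

$known = @()
if (Test-Path $advisoryList) {
    $known = Get-Content $advisoryList |
        ForEach-Object { $_.Trim().ToLower() } |
        Where-Object { $_ }
}

$inventory = Get-CimInstance Win32_SystemDriver | ForEach-Object {
    # PathName may be absolute, or prefixed with \SystemRoot, \??\ or System32\;
    # normalise it so the file can actually be opened.
    $path = $_.PathName
    if ($path) {
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"
    }

    $sig = $null
    if ($path -and (Test-Path $path)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
    }
    $file = if ($path) { Split-Path $path -Leaf } else { $null }

    [PSCustomObject]@{
        Name      = $_.Name
        State     = $_.State
        StartMode = $_.StartMode
        File      = $file
        Path      = $path
        SigStatus = if ($sig) { $sig.Status } else { 'FileNotFound' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Listed    = if ($file) { $known -contains $file.ToLower() } else { $false }
    }
}

# Drivers named in the advisory first, then anything whose signature is not Valid.
$inventory |
    Where-Object { $_.Listed -or $_.SigStatus -ne 'Valid' } |
    Sort-Object -Property @{ Expression = 'Listed'; Descending = $true }, Name |
    Format-Table Name, State, File, SigStatus, Signer, Listed -AutoSize

# Keep the full inventory so it can be compared again after vendor updates.
$inventory | Export-Csv -Path "$env:TEMP\driver-inventory.csv" -NoTypeInformation
```

      Run it from an elevated prompt. On older Windows versions Get-AuthenticodeSignature does not consult the catalog files, so in-box drivers that are catalog-signed rather than embedded-signed can show as NotSigned there; treat the signature column as a prompt for a closer look rather than a verdict, and rely on the advisory list match for the drivers this thread is about. The CSV written to %TEMP% lets you diff the inventory after applying vendor driver updates.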

    • #1907031

      There needs to be a Law that requires that all PCs/laptops come with Dual UEFI/BIOS chips on that device’s Motherboard, with one BIOS being Read Only and UN-modifiable that is there to auto re-flash the second main UEFI/BIOS that can be written to and be updated. That’s so any end user that has an infected UEFI/BIOS can return their system to a factory/Out-Of-The-Box state and then boot their system from that re-imaged UEFI/BIOS and run the UEFI/BIOS update to install the latest Secure (hopefully) Firmware image.

      Laptop users that are not very schooled in UEFI/BIOS firmware updating can very easily brick their devices when updating the device’s Firmware and with all the Intel Spectre/Meltdown issues there have been loads of firmware updating to do on laptops and PCs/Motherboards.

      I know that every time that I have to update my laptop’s UEFI/BIOS with a new Firmware image I have to pray that the power is not interrupted or my laptop can become a very expensive door stop that will require a service center fix for any botched Firmware update.

      That’s why Dual UEFI/BIOS hardware configurations need to be required on all new OEM PCs/Laptops and off the shelf motherboards. GPUs and other devices also have their own BIOSs as well and any Expensive GPU should also come with a dual BIOS as well, and most high end gaming GPU makers offer dual BIOS solutions as do most Motherboard makers for the home system builder market on the higher end motherboards. It’s either dual UEFI/BIOS chips or that USB Drive flash back feature that some PC Motherboards offer where the UEFI/BIOS can be auto flashed from a USB drive image (But that Flash Back has some security issues of its own if someone gets access to your Laptop during shipping or travel)

      But really in light of all the BIOS/UEFI updating needed as the result of Spectre/Meltdown and other issues like this new issue that Dual BIOS/UEFI solution needs to be made a requirement and not an option. And just hope that the Read Only UEFI/BIOS is safe from those OEM’s attempts at Pre-infecting their device firmware with Spyware.


      3 users thanked author for this post.
      • #1907080

        I’d be happy with socketed firmware (E)EPROM chips that could be pulled, reflashed in a proper PROM burner or outright replaced…

        You know, like in the old days.

        3 users thanked author for this post.
      • #1907128

        There needs to be a Law that requires that all PCs/laptops come with Dual UEFI/BIOS chips on that device’s Motherboard with one BIOS being Read Only and UN-modifiable that is there to auto re flash the second main UEFI/BIOS that can be written to and be updated.

        There isn’t any law that forces people to use PCs, so there shouldn’t be any law regarding what components should be in a PC.

        1 user thanked author for this post.
        • #1907145

          Maybe by LAW, our anonymous contributor was thinking more of a norm or standard. Obviously, laws are country-specific, so this is unlikely to be “appropriate”…

          However, I can see reason for having some laws about what shouldn’t be in PCs, in terms of environmental and safety considerations 😉

          1 user thanked author for this post.
        • #1907485

          Now your post is just being disingenuous as there are plenty of regulations regarding PC/laptops and other electronic devices and regulations are the same as laws and they all get posted/published into the federal register after review.

          So this dual PC/laptop BIOS regulation (law) is for consumer protection for security, unless you are somehow vested in there being bricked laptops that require expensive servicing because of the BIOS/UEFI being infected or bricked.

          Laptop OEMs need more regulations because of that market segment’s lack of user repair-ability and there has been an unnecessary amount of extra BIOS/UEFI firmware patching required because of all the Intel Spectre/Meltdown microcode patching required and most consumers being required to patch their UEFI/BIOS on laptops for security reasons.

          Implementing a Dual BIOS requires a rather minimal cost compared to any consumer loss of any PC/laptop device while it’s being sent to a service center to have its BIOS replaced/re-flashed, and yet your reaction against a proper minimal standard for laptops is a bit too excessive. That’s a costly service center BIOS/UEFI re-flashing process compared to having a backup read only BIOS/UEFI that can have its contents re-flashed over to the main writable/re-writable BIOS/UEFI, with the laptop’s user able to start over again at a factory UEFI/BIOS state and be able to use their device again without some loss of their device while it’s being shipped and being repaired.

          The PC home builder market(Motherboard Makers) has offered Dual BIOS/UEFI options all along and that comes in handy more often than not for consumers at a minimal extra cost that many PC owners and most laptops owners can afford to pay a little more if given the option.

          But in the current Security Climate there are loads of Security Vulnerabilities being found that require BIOS/UEFI updates and if you game on your laptop then that’s even more UEFI/BIOS updating along with graphics driver updates that the Laptop OEMs are sorely lacking in from a service after the sale perspective.

          • #1912119

            You just lost my support for your proposal. Laws and regulations are not meant to work this way. At least not in the USA.

            -- rc primak

    • #1907104

      Can these vulnerabilities be exploited from JavaScript in a web browser?

    • #1907609

      Maybe Microsoft needs to slow down on so much Windows 10 Bling and create a longer term variant of 10 while moving more software engineering resources over to fixing Security Issues and bugs that have been around for ages. Looking at some of the issues affecting MS’s OSs from XP to Windows 10 there appears to be some needed Fixing of what has been broken for years and stop with any of the new feature creep that breaks even more things more often than not.

      It’s bad enough that Speculative Execution/Other hardware bugs affect multiple generations of Intel/Others processors with some more security issues with MS OSs popping up from XP on up to Windows 10, and maybe MS should take a break with Windows 10 and spend a full year/longer fixing things that need fixing on most of its OSs since XP. And Windows 7 through Windows 10 need fixing.

      Please Note that Windows 7 for Enterprise/Volume Licensing customers will be supported until 2023, as windows 7 and 8/8.1 are essentially sharing the same Kernel with minor changes. Windows 8/8.1 will be in support until 2023 and 10 shares less but still many subsystems in 10 are not changed from those of 7/8/8.1 and even some are shared back as far as Windows XP(1).

      (1)

      “Vulnerability in Microsoft CTF protocol goes back to Windows XP

      Insecure CTF protocol allows hackers to hijack any Windows app, escape sandboxes, get admin rights.”

      Reference:
      https://www.zdnet.com/article/vulnerability-in-microsoft-ctf-protocol-goes-back-to-windows-xp/

      • #1907623

        Well, isn’t that special! Now that there is a good reason to install the August Security Updates. The August Rollups and Security Only updates are not compatible with Symantec Endpoint Protection since they are signed only with SHA-2. I am sure that Symantec is quickly working on a fix. If you use Symantec Endpoint Protection, see this article about how to be notified via email when Symantec has a fix:

        https://support.symantec.com/us/en/article.tech255857.html


        • #1912134

          We’ve only known since February that SHA-2-only patching was on the way. What have they been doing?

      • #1912128

        This isn’t an OS or software problem. It’s a vendor problem, where BIOS and component manufacturers have outsourced the writing of drivers. As this has happened, there has been less and less attention to making drivers and BIOS/EFI firmware or microcode which works, is bug-free and is secure. Vendors simply need to step up and take some responsibility, even if this adds to component costs.

        -- rc primak
