Security Researchers Uncover Flaws Found in 40 Major Windows Kernel Drivers

More than 40 Windows device drivers contain vulnerabilities that could be exploited to perpetrate elevation of privilege attacks on PCs and servers.

According to a new report from ZDNet, security researchers from cybersecurity firm Eclypsium claim that the faulty drivers are responsible for powering devices by some of the world’s biggest electronics companies and BIOS makers — including Intel, Toshiba, Huawei and Asus. All versions of Windows are affected, Eclypsium claims.

The design flaws found in the drivers could allow low-privileged applications to use legitimate driver functions to execute malicious actions within the most sensitive areas of Microsoft’s Windows including the Windows kernel.

“There are a number of hardware resources that are normally only accessible by privileged software such as the Windows kernel and need to be protected from malicious read/write from userspace applications,” Mickey Shkatov, Principal Researcher at Eclypsium told ZDNet in an email earlier this week.

“The design flaw surfaces when signed drivers provide functionality which can be misused by userspace applications to perform arbitrary read/write of these sensitive resources without any restriction or checks from Microsoft,” he added.

Shkatov says that the issues he discovered are due to poor coding practices that don’t take security into account.

“This is a common software design anti-pattern where, rather than making the driver only perform specific tasks, it’s written in a flexible way to just perform arbitrary actions on behalf of userspace,” he told ZDNet.

“It’s easier to develop software by structuring drivers and applications this way, but it opens the system up for exploitation.”

Researchers said they first pinpointed the issue in April when they culled 40 insecure drivers representing 20 vendors. They then gave offending companies a 90-day window to mitigate the issues. All 40 drivers are unique and 64-bit and signed by two separate vendors, researchers said.

Shkatov points out that some vendors such as Intel and Huawei have already issued updates while independent BIOS vendors like Phoenix and Insyde are releasing updates to their customer OEMs. However, Eclypsium has not yet named all of the impacted vendors as some need extra time to address the issue.

Microsoft offered further clarity on the matter in a statement, saying:

In order to exploit vulnerable drivers, an attacker would need to have already compromised the computer. To help mitigate this class of issues, Microsoft recommends that customers use Windows Defender Application Control to block known vulnerable software and drivers. Customers can further protect themselves by turning on memory integrity for capable devices in Windows Security. Microsoft works diligently with industry partners to address to privately disclose vulnerabilities and work together to help protect customers.

For those interested in learning more, Eclypsium has published all of the details about its findings in a blog post on its site.