At the DEF CON 27 security conference in Las Vegas, the Eclypsium security research team disclosed serious security flaws in more than 40 device drivers from 20 different vendors. The flaws let an attacker who already has unprivileged code running on a machine escalate privileges and deploy malware that persists on the vulnerable device.
“Drivers that provide access to system BIOS or system components for the purposes of updating firmware, running diagnostics, or customizing options on the component can allow attackers to turn the very tools used to manage a system into powerful threats that can escalate privileges and persist invisibly on the host,” Eclypsium wrote in its report.
Because a driver runs in kernel mode, a flawed one can proxy the most privileged access on the system: an unprivileged application can use it to read and write kernel memory and hardware resources, and the problem affects all modern versions of Windows. All of the affected drivers are digitally signed and were certified by Microsoft.
In a statement to ZDNet, Mickey Shkatov, Principal Researcher at Eclypsium, noted that the design flaw in these Windows device drivers is functionality that can be misused to read and write sensitive resources without any restriction from Microsoft. Shkatov blamed bad coding practices as the major cause of the issue.
Below is a list of some of the affected vendors and hardware manufacturers as published by Eclypsium researchers:
- American Megatrends International (AMI)
- ASUSTeK Computer
- ATI Technologies (AMD)
- Micro-Star International (MSI)
- Phoenix Technologies
- Realtek Semiconductor
“Microsoft will be using its HVCI (Hypervisor-enforced Code Integrity) capability to blacklist drivers that are reported to them,” Shkatov said.
However, HVCI has hardware requirements: it is described as available only on 7th-generation Intel CPUs and newer processors (Microsoft's underlying requirement is CPU virtualization extensions and second-level address translation; 7th-generation Intel parts add Mode-Based Execution Control, which keeps the performance cost of HVCI acceptable). Systems that cannot enable it, whether because of older hardware or an older operating system, are left to install each vendor's fixed driver manually.
Furthermore, Microsoft recommends that users deploy Windows Defender Application Control (WDAC) to block known bad drivers, or, on supported devices, turn on memory integrity (the consumer-facing name of HVCI, found under Core isolation in the Windows Security app) so that unsigned or blocked drivers cannot be loaded into the kernel.
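As an added example (not code from Eclypsium, Microsoft or this article), the checks an administrator would run from an elevated PowerShell session on Windows 10/11 to confirm whether memory integrity is actually running, inventory the kernel drivers currently loaded and their signers, and build a WDAC policy that denies one driver. The cmdlets used are the standard `Win32_DeviceGuard` WMI class and the ConfigCI module (`New-CIPolicyRule`, `New-CIPolicy`, `Merge-CIPolicy`, `Set-RuleOption`, `ConvertFrom-CIPolicy`); the driver path passed to `New-DriverDenyPolicy` is a placeholder assumption, not one of the drivers named in the research.

```powershell
# Added example; not from the Eclypsium report, Microsoft or the article.
# Run in an elevated PowerShell on Windows 10/11 with the ConfigCI module
# (present on editions that support Windows Defender Application Control).

# 1. Is memory integrity (HVCI) configured and actually running?
#    SecurityServicesConfigured/Running use 1 = Credential Guard, 2 = HVCI.
#    VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
function Get-HvciState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus      = $dg.VirtualizationBasedSecurityStatus
        HvciConfigured = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = ($dg.SecurityServicesRunning    -contains 2)
    }
}

# 2. Inventory the kernel drivers loaded right now and who signed each one.
#    A valid signature says nothing about whether the driver exposes unsafe
#    IOCTLs (every driver in the research was signed); it only tells you
#    which vendor's update to chase.
function Get-LoadedDriverSigners {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', ''      # strip the \??\ prefix
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Subject
            }
        }
}

# 3. Build a WDAC policy that allows everything except one driver.
#    WDAC is allow-list by default, so the deny rule is merged into the
#    AllowAll template that ships with Windows; deny rules take precedence
#    over allow rules.
function New-DriverDenyPolicy {
    param(
        [Parameter(Mandatory)] [string] $DriverPath,   # assumption: path of the driver to block
        [string] $OutDir = $PWD.Path
    )
    $allowAll = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml"
    $denyXml  = Join-Path $OutDir 'DenyDriver.xml'
    $merged   = Join-Path $OutDir 'DenyDriverPolicy.xml'
    $binary   = Join-Path $OutDir 'SIPolicy.p7b'

    # A Hash rule matches only this exact binary; use -Level FilePublisher
    # to cover a version range from the same signer instead.
    $rules = New-CIPolicyRule -DriverFilePath $DriverPath -Level Hash -Deny
    New-CIPolicy -FilePath $denyXml -Rules $rules -UserPEs
    Merge-CIPolicy -PolicyPaths $allowAll, $denyXml -OutputFilePath $merged

    # Option 3 = Enabled:Audit Mode. Deploy in audit first and review the
    # CodeIntegrity operational event log before removing it to enforce.
    Set-RuleOption -FilePath $merged -Option 3
    ConvertFrom-CIPolicy -XmlFilePath $merged -BinaryFilePath $binary
    return $binary
}

Get-HvciState
Get-LoadedDriverSigners | Format-Table -AutoSize
# New-DriverDenyPolicy -DriverPath 'C:\Windows\System32\drivers\VendorTool.sys'
```

The HVCI check distinguishes "configured" from "running": a device can have the setting turned on yet fall back to a non-running state when an incompatible driver is present, which is exactly the situation on machines where HVCI "can't be enabled". The policy is emitted in audit mode on purpose; a deny rule against a driver that a vendor's management agent loads at boot should be watched in the event log before enforcement.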