
Windows Driver Vulnerabilities Exposed at DefCon Security Conference

During the 27th annual DefCon computer security conference, researchers working with Eclypsium disclosed serious vulnerabilities they had discovered in a variety of Windows drivers. The main flaw outlined in the report was that the drivers allowed applications running with low privileges in the userspace portion of the system to gain unwarranted access to the system kernel. Drivers operate at a different level than regular software such as Microsoft Office, so the design flaw in the few dozen drivers covered by the report let bad actors slip through, exploit the driver's design and gain full access to the compromised system. All of the problematic drivers had been digitally signed by Microsoft.

Mickey Shkatov, one of the Eclypsium researchers on the DefCon panel, attributed the driver flaws to poor coding practices on the part of the hardware manufacturers and to insufficient attention to potential security issues. Shkatov explained that drivers are increasingly coded in a way that allows them to "perform arbitrary actions on behalf of userspace", instead of being strictly limited to the specific purpose they serve.

The researchers also described this as a very serious issue because, on the one hand, the hardware manufacturers assume that Microsoft looks for this sort of issue before digitally signing drivers, while on the other hand, Microsoft expects the vendors to ship safe code in their releases.

Hardware vendors on the impacted driver list include big names such as NVidia, AsusTek, AMD, EVGA, Gigabyte, Intel and Toshiba. All of those vendors have since been notified by the research team and have pushed driver updates. To further limit any potential damage to systems still running vulnerable drivers, Microsoft will use the Windows 10 Hypervisor Code Integrity (HVCI) capabilities to put the reported problematic drivers on a blacklist.
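Since the HVCI blocklist only protects hosts where HVCI is actually running, and since a WHQL signature from Microsoft does not by itself tell a defender which vendor's code a driver is, a useful first step is to inventory what is loaded. The script below is an added example, not code from the article, Eclypsium or Microsoft; it assumes Windows 10 or later, PowerShell 5.1 or later and an elevated prompt, and uses the standard Win32_DeviceGuard and Win32_SystemDriver CIM classes.

```powershell
# Added example (not from the article): report HVCI status and list running
# kernel drivers with their file path and Authenticode signer.
# Assumes Windows 10+, PowerShell 5.1+, run from an elevated prompt.

function Get-HvciStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # SecurityServicesRunning flags: 1 = Credential Guard, 2 = HVCI (memory integrity).
    # VirtualizationBasedSecurityStatus: 2 = VBS is running.
    [pscustomobject]@{
        VbsStatus   = $dg.VirtualizationBasedSecurityStatus
        HvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName may be absolute, \SystemRoot-relative, \??\-prefixed or bare.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                 # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot       # expand \SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # bare => relative to %SystemRoot%
    return $p
}

function Get-RunningDriverSigners {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $sig  = if ($path -and (Test-Path -LiteralPath $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $path
                SigStatus = if ($sig) { $sig.Status } else { 'FileNotFound' }
                # Note: WHQL-signed vendor drivers carry a Microsoft signer, exactly as the
                # article describes, so the signer alone does not identify the vendor; use
                # the path (e.g. DriverStore\FileRepository) and the driver name as well.
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

Get-HvciStatus | Format-List
Get-RunningDriverSigners | Sort-Object Signer, Name | Format-Table Name, SigStatus, Signer, Path -AutoSize
```

Drivers whose SigStatus is anything other than Valid, and any host where HvciRunning is False, are the ones to look at first when reconciling against the vendor updates mentioned above.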

Excessive panic over the driver issue is not warranted. As the researchers pointed out, in order to reach the system's kernel a bad actor would need to have compromised the target system beforehand - the driver itself cannot be used as a point of entry, but rather as a deeper trench that a bad actor who has already infiltrated the system can dig.