'Screwed Drivers' Report Finds Intel, AMD and Nvidia Vulnerabilities (Among Others)

(Image credit: rawf8 / Shutterstock)

Researchers often give security vulnerabilities catchy names to help them attract more attention. Many of these monikers seem like nonsense--Heartbleed, Spectre, and Meltdown all sound more like emo bands than security flaws--but apparently the researchers at Eclypsium prefer to be a bit more direct. When the company revealed serious issues with more than 40 drivers on Saturday, it simply titled its report Screwed Drivers. (Catchy.)

Eclypsium said it found severe vulnerabilities in drivers from "every major BIOS vendor" as well as the likes of Asus, Toshiba, Nvidia, Intel, AMD, and Huawei, which is pretty bad news. But worse still was the company's realization that all of the insecure drivers had been signed by valid Certificate Authorities and certified by Microsoft. Eclypsium said this means the insecure drivers can be installed "on all modern versions" of Windows despite their flaws.

The company also explained that "there is currently no universal mechanism to keep a Windows machine from loading one of these known bad drivers" and that some features "specific to Windows Pro, Windows Enterprise and Windows Server may offer some protection to a subset of users." And that's only if administrators decide to use those features; otherwise, their Windows devices will allow the insecure drivers to be installed anyway.

Here's what Eclypsium said about the potential ramifications of these flaws:

"Vulnerable or outdated system and component firmware is a common problem and a high-value target for attackers, who can use it to launch other attacks, completely brick systems, or remain on a device for years gathering data, even after the device is wiped. To make matters worse, in this case, the very drivers and tools that would be used to update the firmware are themselves vulnerable and provide a potential avenue for attack."

More information about Eclypsium's discovery, including a Def Con presentation covering the Screwed Drivers report, can be found on the company's website. The advice for people worried about the security of their devices is the same as it is whenever other vulnerabilities are revealed: be vigilant about installing driver updates and regularly scan a system for potential threats. A partial list of vendors identified in Eclypsium's report is below.

· ASRock
· ASUSTeK Computer
· ATI Technologies (AMD)
· Biostar
· EVGA
· Getac
· GIGABYTE
· Huawei
· Insyde
· Intel
· Micro-Star International (MSI)
· NVIDIA
· Phoenix Technologies
· Realtek Semiconductor
· SuperMicro
· Toshiba

The security company said that drivers from other vendors were affected by these vulnerabilities as well. Eclypsium didn't reveal the identities of some companies because they "are still under embargo due to their work in highly regulated environments and will take longer to have a fix certified and ready to deploy to customers." That comes as little comfort when the list of affected vendors already reads like a who's who of hardware makers.

  • hotaru251
    I mean, at this point this isn't shocking....

    Just assume everything has the vulnerabilities.
  • Giroro
    I'm a little confused why they called AMD ATI Technologies.
    That branding was phased out pretty quickly after the merge, and as far as I know was never used in the context of them being a "BIOS vendor".
  • bigdragon
    Giroro said:
    I'm a little confused why they called AMD ATI Technologies.
    That branding was phased out pretty quickly after the merge, and as far as I know was never used in the context of them being a "BIOS vendor"
    A lot of graphics cards have advertised "dual BIOS" and other firmware features over the years. I think the naming of ATI was chosen to specifically point the finger at driver and firmware issues at AMD's graphics division while leaving the CPU, chipset, and storage divisions alone. The obsolete branding is still readily understood.
  • jimmysmitty
    bigdragon said:
    A lot of graphics cards have advertised "dual BIOS" and other firmware features over the years. I think the naming of ATI was chosen to specifically point the finger at driver and firmware issues at AMD's graphics division while leaving the CPU, chipset, and storage divisions alone. The obsolete branding is still readily understood.

    Considering who they have on the list currently, I wouldn't be surprised if their other drivers are also part of the list of vulnerable drivers. From reading this I don't think there is anyone who is not on the list, considering that this has as much to do with Windows as it does with the drivers and certificates themselves.