Researchers often give security vulnerabilities catchy names to help them attract more attention. Many of these monikers seem like nonsense--Heartbleed, Spectre, and Meltdown all sound more like emo bands than security flaws--but apparently the researchers at Eclypsium prefer to be a bit more direct. When the company revealed serious issues with more than 40 drivers on Saturday, it simply titled its report Screwed Drivers. (Catchy.)
Eclypsium said it found severe vulnerabilities in drivers from "every major BIOS vendor" as well as the likes of Asus, Toshiba, Nvidia, Intel, AMD, and Huawei, which is pretty bad news. But worse still was the company's realization that all of the insecure drivers had been signed by valid Certificate Authorities and certified by Microsoft. Eclypsium said this means the insecure drivers can be installed "on all modern versions" of Windows despite their flaws.
The company also explained that "there is currently no universal mechanism to keep a Windows machine from loading one of these known bad drivers" and that some features "specific to Windows Pro, Windows Enterprise and Windows Server may offer some protection to a subset of users." And that's only if administrators decide to use those features; otherwise, their Windows devices will allow the insecure drivers to be installed anyway.
Here's what Eclypsium said about the potential ramifications of these flaws:
"Vulnerable or outdated system and component firmware is a common problem and a high-value target for attackers, who can use it to launch other attacks, completely brick systems, or remain on a device for years gathering data, even after the device is wiped. To make matters worse, in this case, the very drivers and tools that would be used to update the firmware are themselves vulnerable and provide a potential avenue for attack."
More information about Eclypsium's discovery, including a Def Con presentation covering the Screwed Drivers report, can be found on the company's website. The advice for people worried about the security of their devices is the same as it is whenever other vulnerabilities are revealed: be vigilant about installing driver updates and regularly scan a system for potential threats. A partial list of vendors identified in Eclypsium's report is below.
· ASUSTeK Computer
· ATI Technologies (AMD)
· Micro-Star International (MSI)
· Phoenix Technologies
· Realtek Semiconductor
The security company said that drivers from other vendors were affected by these vulnerabilities as well. Eclypsium didn't reveal the identities of some companies because they "are still under embargo due to their work in highly regulated environments and will take longer to have a fix certified and ready to deploy to customers." That comes as little comfort when the list of affected vendors already reads like a who's who of hardware makers.