Razer patched Synapse, its peripheral configuration tool, to address two vulnerabilities revealed by the SecureState infosec consulting firm.
SecureState head of research Spencer McIntyre told Tom's Hardware that he discovered both vulnerabilities while working on a proprietary fuzzer--a tool used to check software for coding errors--earlier this year. The vulnerabilities were disclosed to Razer in March, but McIntyre said the company didn't respond until he contacted them on Twitter, at which point they asked him to share his findings through a separate disclosure system.
McIntyre said he then "answered the few questions they asked, voluntarily provided technical details, and offered to share proof of concept code to trigger the bugs," which Razer turned down. SecureState waited 90 days (the standard length of time between private and public disclosures) before revealing the vulnerabilities to the world in a series of blog posts in mid-July. Razer still hadn't released an update to Synapse.
We reached out to Razer after SecureState's blog posts were published. "Security is of utmost importance to Razer," a spokesperson said in a statement. "We have looked at the situation, identified a solution, and are working at releasing the fix via a software update within the next week." That was on July 19; the patch wasn't released until August 1. (It's worth noting, however, that software updates are often delayed.)
Here's how McIntyre described the threat posed by these vulnerabilities:
"The one identified by CVE-2017-9769 poses a threat to users as it could be leveraged by an attacker, or malware to fully compromise the user's system. Think of a scenario where the user gets some kind of infection by visiting a website or opening a malicious email, this vulnerability could be used to go from the permissions that user has to a full system compromise. The second one identified by CVE-2017-9770 poses much less of a threat. It could be used to crash the users' computer and potentially leak memory. The type of vulnerability it is makes it much more difficult to be used effectively in an attack than the first vulnerability."
This could have been worse. Both vulnerabilities required that a system already be compromised, McIntyre said, which means Synapse's issues merely would have worsened an already bad situation. That's not exactly good news, but it's better than if the software could've been leveraged for an initial attack. So long as you were vigilant about phishing emails, malicious links, and the like, you should have been safe.
Still, the problem highlights the growing importance companies must place on security. PC gamers install all kinds of software--tools like Synapse that let them configure their mice, keyboards, and other peripherals; hardware monitoring tools such as MSI Afterburner or EVGA Precision XOC; and countless other apps used to complement their gaming experience. Attackers could target all those tools in their efforts to find victims.
You can download the Synapse update from Razer's website. We've asked the company to provide detailed patch notes to see if it informed its customers about the vulnerabilities--we haven't seen any disclosures on its website or forums--but we have yet to receive a response. We've also asked SecureState if it has examined the updated version of Synapse to confirm that both vulnerabilities are no longer present.