It appears a major security flaw in Windows 10 has been discovered, and triggering it can be as simple as plugging in a Razer device.
As MSPoweruser reports, a ‘white hat’ hacker, jonhat, has discovered that when you plug a Razer mouse into a new system, Windows Update will download and run the RazerInstaller program, which installs the Razer drivers, as SYSTEM. SYSTEM is the highest level of permission in Windows 10, and a user who obtains it can access and change very important files and settings in the operating system.
While it appears that the software is only supposed to use SYSTEM privileges temporarily for installing the drivers, jonhat found that during the process, you can change the installation location of the drivers.
Choosing a new location opens up a Windows Explorer window, and then by holding down Shift on the keyboard and right-clicking in the window, you can open up the PowerShell terminal with SYSTEM privileges. This allows a user to do almost anything on your PC – a scary prospect if a malicious user uses this method.
Need local admin and have physical access?
- Plug a Razer mouse (or the dongle)
- Windows Update will download and execute RazerInstaller as SYSTEM
- Abuse elevated Explorer to open Powershell with Shift+Right click
Tried contacting @Razer, but no answers. So here’s a freebie pic.twitter.com/xDkl87RCmz
August 21, 2021
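As an added detection example (not from the article, jonhat or Razer): the steps above end with a shell running as SYSTEM inside the logged-on user's desktop session, which process-creation telemetry can flag regardless of which installer spawned it. The sketch assumes Sysmon Event ID 1 style field names (Image, ParentImage, User, TerminalSessionId); the sample events and the installer path are constructed placeholders.

```python
import ntpath

# Interactive shells a user could reach from an elevated file dialog.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SYSTEM_USER = "nt authority\\system"

def is_suspicious(event):
    """True for a shell started as SYSTEM inside an interactive session.

    Services run as SYSTEM in session 0; a SYSTEM shell in session >= 1
    means an elevated process with a visible window spawned it.
    """
    image = ntpath.basename(event.get("Image", "")).lower()
    user = event.get("User", "").lower()
    try:
        session = int(event.get("TerminalSessionId", 0))
    except (TypeError, ValueError):
        return False  # malformed event: do not guess
    return image in SHELLS and user == SYSTEM_USER and session != 0

def find_system_shells(events):
    """Return (parent image, shell image) pairs for every suspicious event."""
    return [(e.get("ParentImage", "?"), e["Image"])
            for e in events if is_suspicious(e)]

# Constructed sample events; the installer path is a placeholder,
# not a path taken from the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\PLACEHOLDER\RazerInstaller.exe",
     "User": r"NT AUTHORITY\SYSTEM", "TerminalSessionId": "1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"DESKTOP-01\alice", "TerminalSessionId": "1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM", "TerminalSessionId": "0"},
]

if __name__ == "__main__":
    for parent, shell in find_system_shells(SAMPLE_EVENTS):
        print(f"ALERT: SYSTEM shell {shell} spawned by {parent}")
```

Only the first sample event is flagged; the ordinary user shell and the session 0 service child are not.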
How worried should you be?
This all sounds rather worrying, but how much danger does it put you in? For many people the threat isn’t immediate. A malicious user would need physical access to your PC to plug in a Razer device (or spoof its USB ID, fooling the PC into thinking any USB device is a Razer one), and run the Razer installer.
If your PC is a desktop device in your home, and only you have access to it, then the risk is pretty low. Of course, if you use a laptop that can be stolen, the threat is more severe, but again you’d be unlikely to fall victim to it.
We contacted Razer, and the good news is that the company is aware of the issue and is working to fix it. A Razer spokesperson told us that “We were made aware of a situation in which our software, in a very specific use case, provides a user with broader access to their machine during the installation process.
“We have investigated the issue, are currently making changes to the installation application to limit this use case, and will release an updated version shortly.”
This is the outcome that jonhat wanted. ‘White hat’ hackers are people who use their hacking expertise for good, finding security flaws in software and alerting the developers so that they can be fixed.
Of course, making the flaw public brings a certain amount of risk that malicious hackers will learn how to use the security issue, but jonhat claimed to have tried to contact Razer and initially got no reply.
Publicly announcing the flaw seems to have brought it to Razer’s attention, and jonhat later announced that the company had been in touch with him and assured him that they were working on a fix. In a rather nice ending to this tale, Razer also offered jonhat a bounty (reward) for finding the flaw, despite him publicly disclosing the issue.
I would like to update that I have been reached out by @Razer and ensured that their security team is working on a fix ASAP. Their manner of communication has been professional and I have even been offered a bounty even though publicly disclosing this issue.
August 22, 2021
Analysis: who’s to blame?
So, with Razer looking into the issue, should we all breathe a sigh of relief? Perhaps not. Like the PrintNightmare security issues in Windows 10 earlier this year, it shows that Microsoft’s operating system still has major problems with how it handles third party drivers, and that it still suffers from security issues.
This paints a more worrying picture for Windows 10: if this security issue has been found, how many more similar ones are out there? This security flaw may specifically use Razer software, but at the end of the day, it’s Microsoft’s duty to ensure that its operating systems can’t be compromised like this. The fundamental roots of this flaw, then, lie with how Windows 10 handles third party drivers.
For Razer’s part, it has at least now acknowledged the problem and is working on a fix. We’re pleased to see it offering a bounty to jonhat as well. As the Razer spokesperson told us, “We are committed to ensuring the digital safety and security of all our systems and services, and should you come across any potential lapses, we encourage you to report them through our bug bounty service, Inspectiv.”