[HN Gopher] Razer bug lets you become a Windows 10 admin by plug...
___________________________________________________________________
Razer bug lets you become a Windows 10 admin by plugging in a mouse
Author : giuliomagnifico
Score : 309 points
Date : 2021-08-23 07:52 UTC (15 hours ago)
(HTM) web link (www.bleepingcomputer.com)
(TXT) w3m dump (www.bleepingcomputer.com)
| swamp_gas wrote:
| "it's not a bug, it's a feature"
| 0xbadcafebee wrote:
| This should qualify as a modern-day Captain Crunch whistle.
| a-dub wrote:
| surprising that the auto-fetch/install stuff allows for non msi
| based installers. there's a whole vetting process for drivers,
| you'd think msi would be a requirement.
|
| why non msi based installers still exist in any form in 2021 is a
| mystery to me.
| nicolas_t wrote:
| Shouldn't Jonhat disclose it to Microsoft before publishing it as
| a zero-day? This would really be something that Microsoft can and
| should block on their side.
|
| It's a bit crazy that Windows downloads and installs random
| drivers when plugging in a device when a non-admin user is logged
| in and that should be fixed but besides this, they also have a
| way to block the offending driver for a while. Publishing it as a
| zero-day instead feels a bit irresponsible.
| dang wrote:
| This is related to a different thread which is currently at #1:
|
| _My mouse driver is asking for a firewall exemption (2019)_ -
| https://news.ycombinator.com/item?id=28274305
|
| Normally we'd downweight one or the other
| (https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...)
| but in this case I don't think that makes sense.
| ApexCan wrote:
| They appear to be two unrelated issues.
| dang wrote:
| Technically unrelated yes, but the one post seems clearly a
| follow-up to the other. Normally we downweight those, since
| avoiding repetition is a principle here:
|
| https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...
|
| https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...
|
| In this case that didn't seem indicated though.
| smoldesu wrote:
| This is part of why I don't use Razer (or Microsoft) products
| anymore.
|
| Razer's UX is _horrible_ on Windows, which is a shame since
| that's where most of their customers will use their products. The
| moment you plug in a Razer device, Windows starts downloading a
| 300mb installer that will prompt you to install the Razer
| management software each time you reboot/plug in the device. If
| you deny it, Windows will keep the installer and ask you next
| time anyways.
| gsibble wrote:
| Good lord.......I've been on Linux for years and rarely look at
| Windows anymore but that's dumb on so many levels. Come to
| Linux. It's nice over here.
| EastSmith wrote:
| Recently my son is using / installing lots of gaming peripherals
| and software for it and I have to say that I have not seen this
| much crapware bullshit since Windows XP (with no Service Pack).
|
| If you want to set up the LED lights for your fans - you must
| install this crap; if you want to customize your mouse somehow -
| install this other crap. Same companies have not one, but two
| software _suites_ that manage different peripherals.
|
| Razer is the worst of these. Asus ROG takes second place.
| rodgerd wrote:
| > Razer is the worst of these.
|
| Given Razer's general shenanigans, such as tracking mouse and
| keyboard behavior and sending it to their cloud (without which,
| by the way, much of their new hardware simply won't work),
| their unintentional breaches of security pale in comparison to
| their deliberate breaches of privacy.
| Rd6n6 wrote:
| IIRC, razer kb eulas used to have clauses about collecting
| keystroke data for analysis maybe 10 years ago. Not sure if
| it's still a policy or not or what they did with the
| keylogger or how extensive it was
| chris37879 wrote:
| Or my personal favorite: The old tool that did exactly what you
| wanted, didn't need to start with the system, and didn't
| require login gets 'upgraded' to a more intrusive new version
| that has 1/10th as many features and doesn't work right
| anymore.
| eyegor wrote:
| The windows 10 settings app takes personal offense to this
| comment
| chris37879 wrote:
| <Start Key> Control Panel
|
| "What are you crying for, Windows 10 piece of shit settings
| app that doesn't understand how to let me control
| individual sound devices the way I want?"
| crtasm wrote:
| I had to install software to _turn off_ the lights on my CPU
| cooler (wraith prism included with an AMD CPU) - it's
| ridiculous.
| orhmeh09 wrote:
| I had to install drivers from the Arch User Repository to
| turn off the lights on a Razer keyboard. It still stays lit
| and in color-cycle mode unless it's plugged in directly to a
| USB port on the laptop.
| sandyarmstrong wrote:
| Same for me and my GPU!
| LanternLight83 wrote:
| If you're exclusively running Linux, you actually _can't_
| turn off the lights on a GTX3000-Series card :c
| eyegor wrote:
| I'd just open up the card and unplug the cable to the
| lights. It's not a bad idea to open up the card to reapply
| thermal paste/pads anyway if you're hitting the card hard,
| a lot of manufacturers don't do a great job with heatsink
| contact, thermal paste quality, or both. On the lower tier
| cards in their product stack half the time there won't even
| be thermal pads on the vrm or memory chips. And recently I
| saw a post where powercolor forgot to remove the tape from
| the thermal pads at the factory [0]. And no, in most
| countries they can't void your warranty for opening it up.
|
| [0] https://www.reddit.com/r/Amd/comments/oyu1j6/thanks_powercol...
| chris37879 wrote:
| I had been meaning to google how to do that... thanks for
| saving me the time :(
| munchbunny wrote:
| Does that mean you have to temporarily install Windows or
| plug it into a PC with Windows, turn off the lights, and
| then go about your day with Linux?
| f0e4c2f7 wrote:
| I recently picked up a new mouse and was shocked by how much of
| a problem this has become.
|
| For RGB controls check out https://openrgb.org/.
|
| The UI is pretty bad but once you figure it out it works great
| otherwise.
|
| As an aside, are there any peripheral brands that are known for
| minimalist drivers etc?
| xxpor wrote:
| My Glorious Model D and Model O mice work perfectly fine
| with the normal HID driver. I suppose there's an app for RGB
| control and changing the DPI settings but the defaults are
| fine for me. It doesn't attempt to download anything when I
| plug it in.
| 10000truths wrote:
| I'm just going by the screenshot on the website, but I think
| the UI looks fine just the way it is.
| bluecalm wrote:
| Not surprised. I once bought top of the line Razer mechanical
| keyboard. The software is a steaming pile of crap and a known bug
| (random spamming of c key when pressing Ctrl + c) makes it
| unusable. Avoid.
| herpderperator wrote:
| There are a lot of issues here, but isn't a glaring one the fact
| that any random file browser window lets you get a shell?
| Shouldn't this be something for the developer to disable for
| their particular program if their use case of browsing to choose
| an install folder by no means requires it? Do the Microsoft APIs
| even allow for this kind of configuration?
|
| Given they already have admin rights it's basically game over,
| but not having the option to open a shell would have still
| reduced the attack surface and required a "real" exploit to do
| so.
| jgoldshlag wrote:
| Not really, the windows file browser also lets you create and
| move files and directories. I guess you could ask to go down
| the route of not allowing that, but directory creation for one
| is super common.
| cube00 wrote:
| How do companies _still_ think it's acceptable to ignore
| responsible disclosure in the hopes the problem just goes away?
|
| Even companies with the most automated non-existent customer
| service know they need to provide separate channels for legal and
| security so that they actually get read by a human.
| mhh__ wrote:
| Because it would mean spending money and the buck stopping
| somewhere other than the void.
| dspillett wrote:
| It could be user or system or process error rather than malice
| in this case: the message not getting to the right person
| (general mail fail, people monitoring that target being
| unavailable, misidentification as junk, ...) or that
| person/group missing it amidst a sea of other comms. We don't
| know how much effort was made to chase a response.
|
| Their response after the issue hit social media was far more
| decent than companies have done in the past:
|
| _> I would like to update that I have been reached out by
| @Razer and ensured that their security team is working on a fix
| ASAP. Their manner of communication has been professional and I
| have even been offered a bounty even though publicly disclosing
| this issue._
| andix wrote:
| They probably just don't read their emails or messages.
|
| Maybe customer support agents are just very badly trained. Or
| there is a second/third/fourth level that investigates those
| emails, but they are getting too many messages to go through
| all of them.
| vmception wrote:
| wait this is an argument in _favor_ of the practices that are
| currently called responsible disclosure?
|
| somebody NFT this post
| waterhouse wrote:
| I was asking, "How can a Razer bug let you break into Windows? Is
| it a Razer device driver?" Yes. I'll just quote jonhat's tweet
| from the article:
|
|     Need local admin and have physical access?
|     - Plug a Razer mouse (or the dongle)
|     - Windows Update will download and execute RazerInstaller as SYSTEM
|     - Abuse elevated Explorer to open Powershell with Shift+Right click
| azalemeth wrote:
| Wow. That's a Windows 98 level of "school kid" privilege
| escalation bug...
| ronsor wrote:
| For reference: https://imgur.com/r/hacking/rG0p0b2
| VelkaMorava wrote:
| That's impressive
| azalemeth wrote:
| Hah, I like that one. The other classic is Right Click ->
| New -> Shortcut -> cmd.exe in an explorer "open" window,
| typically one in an otherwise very locked-down environment.
|
| This has recently got me service access on an old (but new
| in 2009!) ultrasound machine, for example, for getting raw
| data and dicom images off in a hurry when the proper
| authentication details were lost...
| lostlogin wrote:
| > ultrasound machine
|
| The real boss move was navigating a machine with a UI
| that involved a trackball, keyboard, touch screen(s),
| touch pad, weird array of custom buttons and a truly
| stupid menu system.
|
| Configuring US machines is horrible.
|
| But my major US machine rant is them burning metadata
| into the images (rather than displaying DICOM tags as an
| overlay). It's beyond ridiculous.
| azalemeth wrote:
| Exactly! MR ("my" modality) has it right -- raw data and
| reconned images are very, _very_ different and although
| most raw data never ends up in a dicom the mere fact that
| you genuinely _could_ reconstruct dramatically different
| bits of info (e.g. magnitude vs phase images) means that
| the vast expanse of the dicom spec is wide enough to
| encompass all possible metadata requirements.
|
| US machines do a lot of fun physics on proprietary FPGAs.
| For inexplicable reasons, every one I've ever worked with
| or done echo with saves the images as some variation on a
| theme of screenshots, shoehorned badly into a dicom
| wrapper, with the metadata burned at 640x480 px (or
| similar) on top. Even for clever derived modes like
| doppler -- even for annotations showing things like
| cardiac E/E' or E/A. They are laptops with a custom
| pcmcia / pcie card and a 100k-UNIT_OF_CURRENCY price tag,
| inevitably running a shitty OS with a shittier custom
| UI...
| lostlogin wrote:
| MRI is my modality of choice too. I'm currently loving
| most of what Siemens is up to (with some notable
| exceptions).
|
| The hell of US knows no bounds. Most modalities calibrate
| a display and then display images (with varying degrees
| of post processing). US calibrates the screen, sometimes
| with each boot or even each probe change. Their black
| levels are abysmal.
|
| > saves the images as some variation on a theme of
| screenshots
|
| GE has a habit of making DICOMs from screen grabs. I've
| seen it on their PET, CT and MR systems. It causes
| irritating problems - like reference lines won't work so
| you can't cross reference.
| guitarbill wrote:
| Apart from the security issue, it's really annoying, too. Say
| you refuse to install the Razer device driver - after all the
| mouse will largely work fine without it thanks to HID. Every
| time you plug the mouse in, Windows re-runs the driver
| installer.
| maccard wrote:
| How often do you re plug in your mouse?
| chris37879 wrote:
| Physically? Basically never. Practically? Dozens of times a
| day as I machine hop using my USB hub in my monitor.
| garblegarble wrote:
| Possibly multiple times a day if they're using a laptop
| dock
| [deleted]
| srcmap wrote:
| Is this issue equivalent of setuid 4701 on executable owned by
| root in Linux?
|
| What's the easiest way to scan whole windows file system for
| directories with this issue?
| cjbprime wrote:
| (It wouldn't help to scan the filesystem, since the way the
| vulnerability works is that the driver will be automatically
| downloaded and run when a peripheral's plugged in.)
| hjek wrote:
| > What's the easiest way to scan whole windows file system
| for directories with this issue?
|
|     tree c:\ /f prn
|
| Source: https://docs.microsoft.com/en-us/windows-server/administrati...
| tomc1985 wrote:
| This was exactly how I was able to break out of an unprivileged
| user account in Windows XP, except it involved setting a timer
| with `at`
| d23 wrote:
| Never buying another razer device after I recently found out that
| the user agreement allows them to collect all the keystrokes from
| my keyboard and send them to their company -- you know, so I can
| customize my keys' colors.
| hsbauauvhabzb wrote:
| Can you provide citation on this?
|
| Edit: I'm genuinely curious about it, as opposed to accusing
| you of lying.
| tyingq wrote:
| https://www.razer.com/legal/services-and-software-terms-of-u...
|
| <ctrl-f>keystrokes
|
| It does mention you can turn it off, but still sounds over
| the top to me.
|
| _"Mouse Usage Statistics. Synapse 2.0 offers a feature of
| collecting mouse usage statistics, specifically keystrokes,
| mouse-clicks, wheel-rotations and pointer distance travelled.
| Such collection of statistics may be turned on or off within
| Synapse and is under your own control."_
| gruez wrote:
| From my reading of the paragraph it looks like that feature
| is totally local? A few sentences before they list out all
| the data they collect and send to razer, but the sentence
| about keystrokes doesn't give any indication it's sent to
| them.
| hhsbz wrote:
| The actual problem here is that Microsoft allows OEMs to install
| user space programs via their drivers, which are installed
| automatically without user intervention using Windows Update.
| This is unacceptable. Microsoft should only accept kernel mode
| drivers. If users want user space tools they can find them in the
| OEM website.
| Aerroon wrote:
| While what you're saying would be nice, I think if this were to
| be enforced then it would end up going like the nvidia control
| panel. You install your drivers and if you want access to the
| nvidia control panel then you have to install them from the
| Microsoft Store.
| toast0 wrote:
| That would be fine for me. I don't want or need the control
| panel for the most part. Just like do the driving please,
| thanks.
| arghwhat wrote:
| Uhm. If you can't trust them to write a user-mode program
| without messing up security this badly, you _absolutely_ can't
| trust them to write a kernel-mode driver without completely
| screwing everything up. Not to mention one that is
| automatically downloaded and installed whenever something shows
| up claiming to be a particular vendor/product ID!
| mrweasel wrote:
| I still don't get why companies who design hardware are so poor
| at writing drivers/supporting software. They design and test
| hardware, because recalls are expensive, but somehow feel
| like shipping shitty software is just fine.
|
| Why is it so hard to prioritise good drivers? Or is it just
| impossible to hire good driver developers?
| GrumpyYoungMan wrote:
| Well there's 1) The businesses that sell hardware are run
| by people whose expertise is hardware, not software and 2)
| the type of people who have the right combination of skills
| and inclination to write drivers are rare but also can earn
| a lot more doing other types of software (hardware margins
| aren't all that high compared to software).
| neverminder wrote:
| This seems to work for Linux kernel just fine when every pull
| request is audited.
| arghwhat wrote:
| This is Windows where kernel drivers are proprietary and
| written by random companies that do not care about anything
| but shipping things. The same company that messed up
| completely in usermode.
| andix wrote:
| Would be an interesting step, if Microsoft would only allow
| open source drivers into Windows Update.
|
| There could be another option: If you want to ship it
| without exposing the source, you need your drivers vetted
| by some third party that has access to the code.
| LennyWhiteJr wrote:
| It has nothing to do with 'trusting them' and everything to
| do with the threat model because it significantly increases
| the attack surface area.
|
| Just because I want to grant system access to a relatively
| simple USB driver doesn't mean I want to grant the same
| access to a 150MB UI app.
| glitchc wrote:
| I think the OP's point is that any malicious code residing
| in the USB driver has access to a much larger attack
| surface in kernel space than the UI app running in
| userspace.
|
| If I were attacking the system along this vector, my
| exploit would sit in the USB driver, not the UI code.
| gsibble wrote:
| Same. Was wondering when the conversation would get
| around to this.
|
| You could take advantage of being SYSTEM much earlier
| along this cycle and still take control of the computer.
| This is actually a very nasty bug in how arbitrary code
| can be run at SYSTEM level when inserting a usb device.
| Dylan16807 wrote:
| This isn't about malicious code _in_ the drivers.
|
| And once malicious code is in kernel space it wouldn't
| even need access to an attack surface.
| hhsbz wrote:
| I expect the developers who write the kernel mode drivers to
| be much more competent and senior than those who write the
| flashy, slow GUIs that come with them. Yes, naive assumption,
| but still!
| the8472 wrote:
| Exhibit A: Turing-complete font hinting language evaluated
| in kernel mode. Found to be exploitable.
|
| https://googleprojectzero.blogspot.com/2015/07/one-font-vuln...
| jnwatson wrote:
| Not at all. The only thing going in favor of the kernel
| mode drivers is that they have to pass Microsoft's approval
| process.
| zenexer wrote:
| I wish that were the case--I also wish it were the case
| that "senior" meant "competent." Judging by the number of
| device drivers I've had cause serious problems, especially
| with consumer gaming hardware (as is the case here), I
| don't think it's safe to make any assumptions about the
| quality of drivers.
|
| For anyone else reading this who's feeling smug because
| they would never buy such a device: you don't need to; only
| the attacker needs to. Windows will happily download and
| install the drivers automatically the first time the device
| is plugged in.
| vlovich123 wrote:
| It's also not about seniority or competence. Writing
| kernel mode drivers is being given the task of juggling
| running chainsaws with real chains while on a balancing
| board. "Success" is declared when you're able to do this
| in a lab without there being an issue, ignoring the fact
| that in the real world there are dodgeballs being thrown
| at you. Also, no one I've ever worked with writing them
| has ever wanted to maintain & improve the quality of the
| drivers they wrote - they wanted to move on to
| "interesting" work as quickly as possible. This includes
| myself. The work isn't interesting, fun & usually not
| important to the business.
|
| In this case, why does a mouse driver need to live in the
| kernel in the first place? Microsoft should be improving
| the HID layer to make that unnecessary.
| arghwhat wrote:
| They don't even need to buy the device, they just need
| something presenting that PID/VID.
|
| For a $2 example, see:
| https://github.com/chris408/digispark-usbkey-board
| (PID/VID set here: https://github.com/chris408/digispark-usbkey-board/blob/6f0a...).
| And yes, it can be much, much smaller than this.
| aYsY4dDQ2NrcNzA wrote:
| Speaking as someone who worked at major software companies,
| on projects which included multiple kernel drivers:
|
| You are sorely mistaken.
| jeffbee wrote:
| I would say that the higher you get up the privilege
| level tree, the worse the software becomes. The people
| writing legacy BIOS extensions are the absolute bottom of
| the barrel.
| glitchc wrote:
| In modern software development, this is usually a task
| for the junior engineer as it's code the client never
| sees. Only in specific industries where the client is
| also highly technical (e.g. a data-acquisition component
| in an instrument) where the quality of the low-level code
| matters, would it be someone senior. In those cases, it
| usually matters a lot more than the UI.
| emodendroket wrote:
| I disagree. I want the tools to be installed. Maybe you could
| have it behave differently for non admin.
| [deleted]
| im3w1l wrote:
| Unless the system has been vaccinated by plugging one beforehand.
| xyst wrote:
| On the plus side, now people can remove the invasive software
| installed by education institutions and some enterprise companies
| andix wrote:
| This is more a Windows bug. Bad enough for Razer customers, but
| it affects all Windows users.
|
| Windows should not install random drivers from the Internet when
| a non-admin user is logged in.
| Algent wrote:
| Windows Update should behave differently depending on what it's
| handling. If it's signed by MS sure go on, if it's a simple
| signed driver file maybe directly load it too. But for anything
| else always request admin credentials and meanwhile keep using
| generic drivers if available.
| chaostheory wrote:
| HP printers have the same bug then during installation, if you
| do it from USB.
| cosmotic wrote:
| In this case, I think it's fair to blame Razer. They are
| clearly installing way more than a driver.
| contravariant wrote:
| If Microsoft lets anyone owning a Razer mouse/keyboard do
| whatever it wants to anyone's computer then that's on
| Microsoft as well.
|
| If only Razer customers are affected then, sure let's put all
| of the blame on Razer but this affects _everyone_ using
| Windows 10. There are some very good reasons why you cannot
| simply install device drivers without admin rights and if
| Microsoft chooses to waive those rights for trusted suppliers
| then they can very much be blamed for this kind of oversight.
| andix wrote:
| Of course. But as a Windows customer I would expect
| Microsoft to prevent such issues.
| cosmotic wrote:
| I agree they should block this sort of stuff, but don't
| count on it; When I plug in a Microsoft mouse, a Microsoft
| IntelliMouse install wizard pops up.
|
| In the end, the driver is running executable code which
| could (I believe) just start an EXE install wizard anyway
| so this seems unpreventable.
| wvenable wrote:
| A privileged executable can always launch another
| executable with less privileges.
| ajross wrote:
| Well, no. It's a Razer bug. Razer wrote the software. They
| wrote it to run as admin when you plug a new device in. They
| wrote it to launch a browser (!!!) under user control. Those
| are all Razer mistakes, Microsoft didn't do that.
|
| Now, it's true that MS has a flawed architecture here. But it's
| not inherently so as I see it. Third party devices do need
| automatic driver install of some form. Drivers do need elevated
| privileges. Microsoft's model was that they'd audit and
| authenticate the software through the WHQL process. And it
| turns out that let a really glaring hole through.
|
| But the problem is just really, really hard. If you want third
| party driver software to run on your system (and not all
| vendors want that: iOS has nothing of the sort, obviously, and
| Linux vendors ship all the drivers themselves) then you need to
| be prepared to do a ton of work ensuring it's safe.
| p_j_w wrote:
| >Microsoft's model was that they'd audit and authenticate the
| software through the WHQL process. And it turns out that let
| a really glaring hole through.
|
| Not to let Razer off the hook here, because they're
| responsible as well, but in doing as you've described here,
| Microsoft have willingly placed the onus for security on
| themselves.
|
| >Linux vendors ship all the drivers themselves
|
| Not all of them. Nvidia is a famous exception to this. If you
| want to install their drivers, I don't know of a Linux distro
| that will allow you to without root privilege.
| ajross wrote:
| To be clear: there are obviously lots of third party Linux
| drivers out there. But they're delivered, installed and
| supported by that third party. Security of the NVIDIA
| driver is NVIDIA's job, and no one is surprised. And as a
| result, you need to run a tool as the root user and elevate
| the privilege level yourself to get it installed.
|
| Now, that user experience broadly sucks vs. plugging the
| same PCIe card into a Windows box and booting it up to get
| an automatically installed driver. But it's not subject to
| the same security problems either, which was my point.
| chris37879 wrote:
| There's a difference, though. Microsoft's Windows Update
| driver installer does not require launching executables,
| it never has in the past, it simply got the inf and
| supporting files and put them in the system's driver
| location. Now they're automatically running executable
| code that microsoft isn't verifying as an Administrator.
| Yes a malicious driver could be bad, but since drivers
| have a more finite api surface they should call, they can
| be audited / restricted with static analysis checks.
| launching a userspace app with admin privileges
| automatically is a bad idea.
|
| Would you be ok with the AMD kernel driver launching a
| web browser as root on first boot? Or every boot?
| [deleted]
| TillE wrote:
| WHQL means almost nothing, except that you have an
| expensive EV code signing certificate to verify your
| identity to Microsoft. At best it means that your drivers
| don't completely break the system.
| maccard wrote:
| A third party driver shouldn't be installable without local
| admin (or a UAC prompt). This is the problem.
| II2II wrote:
| I don't have much experience under Windows so I may be a bit
| off here, but this article mentioned the driver was installed
| by Windows Update from a non-administrative account, made no
| mention of UAC popping up to get administrative credentials,
| and allowed the installer to present a user interface. The
| installation wizard allowed for interactions that are
| intended for people who manually download and execute the
| driver package, which is fine in that context since the end
| user has already provided or has to provide administrative
| credentials at a UAC prompt. It is not fine in this case
| since a standard Windows component with elevated privileges
| is allowing the end user to circumvent restrictions on their
| account.
|
| Clearly Razer played a role here since they were doing
| something that is (from my experience) unusual by presenting
| a wizard during a Windows Update installation. On the other
| hand, this is a fault that Microsoft has to fix.
| chris37879 wrote:
| It's a new 'feature' of Windows update. In the past, driver
| vendors that were supplying to the Windows Update driver DB
| only had the option of providing infs and firmware,
| basically. I think they could provide apps too, but they
| had to be 'move it into place and it works' sort of apps.
| The mistake is that now Microsoft allows installers to run,
| Logitech does the same thing, plug in any logitech device
| and Logitech Options pops up a custom notification
| prompting you to 'continue' installation.
| michaelmrose wrote:
| It is perfectly acceptable for a device to come with either a
| printed url where you can get the driver or software.
|
| Also it should be if possible minimally fit for use without
| extra software even if all features aren't available.
|
| There is no way any of this should ever happen automatically.
| People installed custom hardware for windows in the year 2000
| and it worked fine then.
| agumonkey wrote:
| yeah it's shared, MS was rumored to have a very strong and
| deep (haskell based long ago IIRC) driver testing system ..
| it's odd something that big escaped the net.
| jandrese wrote:
| > Third party devices do need automatic driver install of
| some form.
|
| This is a mouse. It works perfectly fine as a USB HID device.
| The software install is to unlock optional features on the
| device, and that can be done after the user has authenticated
| to the host and gone through a security elevation prompt.
|
| In fact there are precious few third party devices without a
| usable built-in driver that absolutely need to be available
| before the user had logged in. I can't think of any.
| IncRnd wrote:
| > The software install is to unlock optional features on
| the device, and that can be done after the user has
| authenticated to the host and gone through a security
| elevation prompt.
|
| That's not true. It may help you to watch the video.
|
| The user was authenticated as a regular logged-in user. It
| was the driver installation that had elevated rights as
| SYSTEM, and there was no security elevation prompt.
| MichaelGroves wrote:
| > _Third party devices do need automatic driver install of
| some form._
|
| I don't see why. Particularly not if the user wouldn't have
| permissions to do it themselves. If the user doesn't have
| permission to install a driver, there is probably a good
| reason for it and the system shouldn't be automatically
| installing drivers on their behalf either.
| rodgerd wrote:
| Perhaps you long for the good old days where we carried
| around piles of floppies for our hardware, but I suspect
| you are in a small minority.
| ajross wrote:
| You or I don't. But in the market, if you can't make your
| product work with no fuss, your customers will buy someone
| else's (or flee to another platform entirely).
|
| If you accept the paradigm of third party hardware sales at
| all, then you need to have some kind of automatic secure
| install.
| MichaelGroves wrote:
| > _if you can't make your product work with no fuss,
| your customers will buy someone else's_
|
| If Razer can't make their gamer mouse autoinstall
| drivers, then neither can Logitech. This would be an
| equal playing field.
|
| > _(or flee to another platform entirely)._
|
| If somebody can't type in their own password when
| prompted to install a driver, it probably isn't their
| computer in the first place. The computer almost
| certainly belongs to their school or employer, or at
| least another family member, and I think any of those
| would rarely be receptive to _"Please replace your dell
| with a macbook because the turbo button on my gamer mouse
| doesn't work."_
|
| Furthermore, the gamer mouse will have basic
| functionality without the Razer driver anyway, and from
| my experience I doubt most clueless computer users would
| notice the difference. If they can "click the internet
| button and the google shows up", then the mouse is
| working as far as most users of this sort are concerned.
| madars wrote:
| And the great thing is you don't even need a Razer device to
| exploit this! You can just use any Linux device, e.g. a phone
| running LineageOS as in this PoC
| https://twitter.com/an0n_r0/status/1429386474902917124
| https://gist.github.com/tothi/3cdec3aca80e08a406afe695d54489...
| schoolornot wrote:
| A 3rd party driver's capabilities should be scoped to whatever
| type of component it's for and in this case a mouse driver
| should only be allowed to do mouse things.
|
| OAuth for Windows, I rest my case.
| nolok wrote:
| > Windows should not install random drivers from the Internet
| when a non-admin user is logged in.
|
| In a perfect world, or at least a tech user world, sure. But
| there was a compromise to make, either this (and that behavior
| can be disabled), or users stayed on an admin account at all
| times. Which was the norm for Windows since forever. Even on
| Vista people disabled UAC.
|
| From that point of view this is still the more secure outcome,
| at least the admin hatch is only broken through sometimes,
| instead of always.
|
| Not saying this shouldn't be improved, but if you look not only
| at the end result but also at the path to get there, it does
| make some sense.
| jnwatson wrote:
| And then you need to call an admin to plug in a mouse. That's
| not really practical for a lot of organizations.
| jefft255 wrote:
| All (I hope) gaming mice with fancy drivers will also just
| work fine without them.
| ThePadawan wrote:
| That's already the case in more secure environments (company-
| provided devices plugged into internal USB ports - all other
| ports filled with sealant).
| gruez wrote:
| That's probably more to prevent data exfiltration. If you
| don't want random drivers being downloaded you can more
| reliably prevent it using group policy.
| OJFord wrote:
| Oh _that's_ why they did that! I'd forgotten until your
| comment, but I remember thinking that was odd on an
| internship. Didn't occur to me that it was to prevent there
| being usable ports (and nor did I try to plug in any car
| park devices, like a good intern!).
|
| My work was only confidential (and that only by default)
| but it was definitely interesting to be in an environment
| with secret sauce about, and processes for handling it.
| (Fire procedure _not_ being drop everything and exit the
| building, for one.)
| andix wrote:
| There are generic mouse drivers.
| mhh__ wrote:
| Microsoft seem to be fiddling around with eBPF, would be nice
| to see verified driver bytecode for simple stuff.
| toastal wrote:
| Razer, the same company where installing Linux voids the warranty
| and BIOS and firmware upgrades need to be installed from Windows
| 10 just so you can have a black and green GUI.
| [deleted]
| kodah wrote:
| If you're looking for a good keyboard I recommend KeyChron. I
| have used their mechanical keyboards (K4) for gaming and they
| feel great while I use their slim optical keyboard (K3) for
| software and general use. Both keyboards are 1/2 to 1/3 of the
| cost of the mainstream, brand name equivalents and, IMHO, double
| the quality.
|
| Razer makes a lot of junk. I saw a headset stand with plastic and
| RGB. I don't know why someone would waste money or a bus port on
| a 5 dollar part with lights. That said, I do own one of their
| cameras and it's incredible quality. Corsair and Steel Series are
| usually my go to's.
| hughes wrote:
| > The owner of this website (www.bleepingcomputer.com) has banned
| your IP address
|
| I don't know what I did to deserve this, but I guess I'll
| continue my morning without reading this article?
| cube00 wrote:
| They're still on IPv4 and chances are your ISP has you on CG-
| NAT.
| lwhsiao wrote:
| https://outline.com/zj2nHR
| blibble wrote:
| it always wound me up that the SteelSeries 900mb bullshit
| keyboard bloatware somehow downloaded itself and popped up on a
| brand new clean Windows install
|
| (even disconnecting the machine from the internet first and
| disabling the various automatic driver downloads in GPO wasn't
| enough to stop it...)
| bellyfullofbac wrote:
| There must be a USB gadget where you can just set any USB device
| ID to report to the host, so any infiltrator not wishing to give
| Razer money can just copy one of their USB IDs and plug the "yes
| I'm a Razer USB device" into a USB port.
| nimbius wrote:
| https://blog.adafruit.com/2017/11/07/generate-usb-descriptor...
|
| there ya go.
| c7DJTLrn wrote:
| So err... easy root access to any Windows 10 machine until
| this is fixed?
| bellyfullofbac wrote:
| It's probably possible to disable auto-installation of
| drivers, or even disable USB via software...
| bellyfullofbac wrote:
| I visited the article's linked tweet and the author's
| retweeted a product mention called OMG cable, that can do
| this (a product that looks like a normal USB cable but has
| things like keylogging capabilities)
| sp332 wrote:
| Someone added a payload for Bash Bunny here
| https://twitter.com/hak5darren/status/1429463473700888577
| jnwatson wrote:
| Yep. All it takes is to find a vulnerability in any USB device
| driver at all, and you have an effective evil maid attack.
| cjbprime wrote:
| You can configure an Android phone to use arbitrary
| device/product IDs like this.
___________________________________________________________________
(page generated 2021-08-23 23:02 UTC)