Just when you thought things couldn’t get much worse for Windows 10 users after a miserable few weeks of security issues from PrintNightmare through to SeriousSAM and even a potential Windows Hello facial recognition bypass, they only went and did.
A security researcher was so fed up with being ignored when reporting a shockingly simple hack that could give any user admin rights on a Windows 10 computer that he tweeted the zero-day exploit. A tweet that quickly went viral.
Annoyed security researcher discovers simple Windows 10 zero-day
I spoke with the security researcher, who only wants to be known by the Twitter handle j0nh4t, who told me how the hack came to light. “I noticed the Razer Synapse installer was bundled with ‘driver’ installs via Windows Update” while using the mouse, j0nh4t says. “I was annoyed by this behavior and decided to take a deeper look.” Unfortunately, what that look revealed was an issue that’s shockingly trivial to exploit.
All it took for anyone to exploit this vulnerability was to plug in a Razer mouse, or the dongle it uses, and then shift-right-click in the Explorer window that Windows Update opens to choose a driver location, which opens a PowerShell with complete SYSTEM (or admin, if you prefer) rights. And it gets worse: an attacker could also use the hack to save a service binary that could be “hijacked for persistence” and executed during the boot process, before the user even logs on.
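The escalation described above ends with a PowerShell process running as SYSTEM whose parent is an interactive installer dialog rather than a service. The following is an added detection sketch (not code from the article or from the researcher) that flags that combination in process-creation telemetry; the event fields, the allowlist of expected SYSTEM parents and the installer path are all assumptions, and the log records are constructed samples.

```python
"""Flag SYSTEM-level shells spawned from something other than a service host.

Assumed Sysmon-style process-creation fields: ts, image, parent_image, user.
"""

# Assumed: parents from which a SYSTEM PowerShell is normally expected
# (service control manager, service hosts, the task scheduler engine).
EXPECTED_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "taskeng.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

# Constructed sample events, not real telemetry. The last one mirrors the
# attack: a SYSTEM shell whose parent is a (hypothetical) vendor installer.
SAMPLE_EVENTS = [
    {"ts": "2021-08-22T10:00:01", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "user": SYSTEM_ACCOUNT},
    {"ts": "2021-08-22T10:00:05", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe", "user": SYSTEM_ACCOUNT},
    {"ts": "2021-08-22T10:01:12", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "user": "DESKTOP-X\\alice"},
    {"ts": "2021-08-22T10:02:40", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\ProgramData\VendorInstaller\vendor_installer.exe", "user": SYSTEM_ACCOUNT},
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when a shell runs as SYSTEM but was not started by a service host."""
    if basename(event["image"]) not in SHELLS:
        return False
    if event["user"].upper() != SYSTEM_ACCOUNT:
        return False
    return basename(event["parent_image"]) not in EXPECTED_SYSTEM_PARENTS


def find_suspicious(events: list) -> list:
    """Return the events that match the SYSTEM-shell-from-installer pattern."""
    return [e for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"{hit['ts']} SYSTEM shell {basename(hit['image'])} "
              f"spawned by {basename(hit['parent_image'])}")
```

A scheduled-task PowerShell (second sample) and a user's own shell (third sample) pass; only the SYSTEM shell launched from the installer is reported.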
“I think Microsoft should take a look in the mirror on how they manage ‘driver’ updates,” j0nh4t says, whilst appreciating the fine line of balancing user experience and usability involved. “Should Windows Update solely provide drivers so the device works at a minimum level and the user goes out of their way to download additional software?” the researcher says, adding that “this is a somewhat dangerous and interesting attack vector.”
I reached out to Microsoft regarding the privilege escalation issue, and a spokesperson told me, “We are aware of recent reports, and we are investigating the issue. While this issue requires physical access to a targeted device, we will take any necessary steps to help protect customers.”