Intel gives its PMx drivers a tweak to squash a vulnerability in them
INTEL HAS RELEASED an updated version of its PMx driver after it was revealed to be vulnerable to exploits that gave hackers “near-omnipotent control” over a targeted device.
Researchers from firmware security firm Eclypsium discovered the vulnerability in PMx after a deep dive into the state of security with a host of drivers and their interaction with the Windows kernel. Their research was disclosed in August, but the vulnerability was kept quiet as Intel worked to fix it.
The issue stems from how the driver, and indeed the other drivers detailed in its research back in August, interact with the Windows kernel and underlying hardware and firmware.
In the case of the PMx driver, Eclypsium's researchers noted it was "incredibly capable": it could read and write physical memory, read and write the debug registers, and gain arbitrary access to I/O and PCI, among other highly privileged hardware- and firmware-level operations.
Normally, even a user with administrator rights on a Windows machine is confined to user mode: kernel memory, hardware registers and firmware can only be reached through the kernel and the signed drivers it loads. A legitimately signed driver that hands raw read and write primitives to user mode punches a hole through that boundary, so a compromised administrator account could have used the Intel PMx driver to take near-total control of the computer.
Essentially, an attacker running in user mode could have used the PMx driver, or any of the other vulnerable drivers, as a proxy for the driver's own kernel privileges, planting malware in parts of the system that only kernel-mode code is supposed to reach.
Such exploitable drivers could have given attackers carte blanche on a machine: reading and exfiltrating data, tampering with firmware, or damaging the system outright.
Intel has plugged the hole in its PMx driver, as have the vendors of the other affected drivers. But Eclypsium said its research is ongoing, so we would expect further driver vulnerabilities to be flagged in the near future. It also had the following worrying message:
“There is no universally applicable way to prevent Windows from loading any of the bad drivers that have been identified thus far. Going forward, Microsoft is addressing the issue through their HVCI (Hypervisor-protected Code Integrity) technology. This will allow Microsoft to act as their own virtual firewall to protect the operating system kernel,” said Eclypsium’s researchers.
“However this approach will not be available universally for some time. HVCI requires a 7th generation or newer processor, new processor features such as mode-based execution control, and is not supported by many 3rd party drivers. As a result, many devices in use today will not be able to enable HVCI and will not be protected.
“The only universally available option possible today is to block or blacklist old, known-bad drivers.”
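The two checks an administrator can run today follow directly from Eclypsium's advice above: find out whether HVCI is actually running on a box, and audit the kernel drivers it has loaded against a list of known-bad hashes. The script below is an added example written for this page; it is not code from Intel, Eclypsium or the original article. It assumes Windows 10 or later and an elevated PowerShell session, and the blocklist variable $KnownBadSha256 is a constructed placeholder (a 64-character dummy hash) that you would replace with SHA256 hashes of the driver builds you have decided to ban.

```powershell
# Added example for this page (not Intel's, Eclypsium's or the article's code).
# Assumes Windows 10+, elevated PowerShell. $KnownBadSha256 is a placeholder.

# 1. Is HVCI actually running? Win32_DeviceGuard reports which VBS security
#    services are configured versus running: 1 = Credential Guard, 2 = HVCI.
function Get-HvciState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus      = $dg.VirtualizationBasedSecurityStatus   # 0 off, 1 enabled, 2 running
        HvciConfigured = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = ($dg.SecurityServicesRunning    -contains 2)
    }
}

# 2. Hash every running kernel driver and flag blocklist hits, plus any driver
#    whose Authenticode signature does not verify as Valid.
function Find-BlockedDriver {
    param([string[]]$KnownBadSha256)

    $bad = @{}
    foreach ($h in $KnownBadSha256) { $bad[$h.ToUpperInvariant()] = $true }

    Get-CimInstance -ClassName Win32_SystemDriver |
      Where-Object { $_.State -eq 'Running' -and $_.PathName } |
      ForEach-Object {
        # PathName may carry NT-style prefixes; normalise to a Win32 path.
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { return }

        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Name        = $_.Name
            Path        = $path
            SHA256      = $hash
            Signer      = $sig.SignerCertificate.Subject
            SigStatus   = $sig.Status
            OnBlocklist = $bad.ContainsKey($hash)
        }
      } |
      Where-Object { $_.OnBlocklist -or $_.SigStatus -ne 'Valid' }
}

# Constructed placeholder entry: replace with real hashes of banned driver builds.
$KnownBadSha256 = @('0000000000000000000000000000000000000000000000000000000000000000')

Get-HvciState
Find-BlockedDriver -KnownBadSha256 $KnownBadSha256 | Format-Table -AutoSize
```

If HvciRunning comes back $false on hardware that meets the requirements Eclypsium lists, the gap is configuration rather than capability. Every row the audit prints is a candidate for a deny rule: the same path can be fed to the ConfigCI cmdlet New-CIPolicyRule with -Level Hash -Deny to build a Windows Defender Application Control policy that refuses to load that exact binary, which is the "block or blacklist" option the quote above describes. Hash-based deny rules only catch the builds you enumerate, so the list has to be refreshed as new vulnerable driver versions are disclosed.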
Not something a tired IT administrator would want to hear. µ
This is a syndicated post.