Skip to main content

Device Drivers: a hidden worm threat?

One of the more interesting security articles of late, from Security Focus, discusses the potential for device drivers to be exploited, due to many lurking buffer overflow defects. The article discusses Windows and Linux as examples, although presumably any platform which depends upon many 3rd party device drivers could be subject to the same issues. Drivers that listen on a network, such as network card drivers, would of course be vulnerable to remote exploits. People tend to think of device drivers as part of "the system", and the article points out that many if not most of the drivers people use are created by 3rd parties, not by the vendor of the operating system, and typically not by the core kernel developers. The article mentions that the authors of device drivers tend to have wildly varying skill levels, and that many drivers amongst a sample inspected appear not to be properly reviewed for security implications. Of course that's too kind. My own experience has been that device drivers for hardware often appear to be an afterthought of a hardware company in most cases. The article doesn't discuss mystery drivers -- I don't know if there is an industry standard term for these things. I won't point fingers, but I've been surprised a few times by a software package that installs device drivers when the need for a device driver in the application architecture wasn't really clear. Hardware drivers for peripherals and certain root level services like VPN software make sense, given the general system architecture of most contemporary operating systems. The bottom line of course is that drivers today include plenty of buffer overflows lurking. Those which can be remotely exploited provide worm fodder, while the rest provide opportunity for local privilege escalation. Exploit chaining techniques could see worms come in through non-privileged exploits, and then up the voltage through a device driver defect. At that point of course they are free to do all the keystroke logging, email spamming, trojan downloading and rootkit installing that any other administrator level worm can do. But then, one really doesn't see all that many non-privileged remote exploits on Windows. Since the system architecture demands Administrator privileges for so many things, it virtually guarantees that a remote exploit is also fully authorized from the get go.

Technorati Tags: , , , , , , , , ,


Popular posts from this blog

Verified by Visa (Veriphied Phishing?)

If you have used a Visa card to make a purchase online lately you may have encountered a relatively new program, Verified by Visa . I've encountered it twice. The system is an interesting attempt by Visa to reduce online fraud and identity theft. It's a noble effort, but the user experience is unsettling, and the security implications are not exactly crystal clear. Here's what happened to me, both times the system was activated. I was redirected away from the domain at which I was shopping, to a URL which was: not the domain where I was shopping, not the domain of the bank that issued my card not I've been telling people for years that if anything like that happens to you, close your web browser immediately and do not under any circumstances enter any personal information into the form, because this is a sure sign of a man in the middle or phishing scam. (Never mind that all the best phishing scams now-a-days look like the actual domai…

Hacker 0x80 0wn3d by FBI (Arrested after Accidental Outing by Washington Post) [1]

What can the botmaster 0x80's impending misfortune [1] teach us about information security? Quite a bit. What the botmaster and the reporter didn't count on is a security risk known as "the aggregation problem" or "point and click aggregation". It's not surprising, as even practicing security professionals are often unaware of this problem, or vaguely aware of the concept but not the name. Information Security dictionaries online generally lack the terms, and don't mention them in their discussion of "disclosure" either. The aggregation problem happens when a series of small facts, any one of which if disclosed present a minimal security risk, combine to present a greater security risk when disclosed together. When aggregated, information from publicly available sources may accidentally disclose information that was intended to remain confidential. As it happens, an IETF glossary contains a definition of the basic term. RFC 282…

Splunk acquires Phantom Cyber

I hope it doesn't come across as too cynical, the observation that most acquisitions in the tech domain fail to produce anything useful and often as not wind up killing a promising upstart technology, even if only by accident.

I have hope for this one, though. Splunk strikes me as a likely exception. This acquisition of fresh ideas and talent might breathe new life into a solid, if somewhat staid, security company.

Splunk’s data analytics gets a security boost with $350 million acquisition of Phantom Cyber