In brief Razer is said to be working on an updated installer after it was discovered you can gain admin privileges on Windows by plugging in one of the gaming gear maker’s mice or keyboards.
In fact, inserting any USB device that declares itself a Razer mouse or keyboard will lead to an exploitable situation.
As documented late last week by a Twitter user called j0nh4t, if you plug into a Windows 10 or 11 machine a device identified as a Razer mouse or keyboard, Microsoft’s OS will automatically download and run Razer’s installer for the manufacturer’s Synapse software, which can be used to configure the peripheral.
During the installation process, which runs at the SYSTEM level, you can spawn from an Explorer window a Powershell terminal that runs with these high-level privileges. Thus, you can gain local admin access on a machine if you can login in somehow and plug in a gadget – useful for penetration testing, at least. It is also possible to tell the installer to use a user-controlled folder to store an executable that is run on every boot, which can be hijacked by a rogue user.
The bug finder said they had no luck in getting Razer’s attention when trying to report these flaws, and after they put a zero-day exploit for the Powershell hole on Twitter, the manufacturer got in touch and offered a vulnerability bounty. A new version of the installer to address these problems is being prepared for release, we’re told.
We wonder how many Windows installers have these same issues. The heart of the problem may be that Windows runs these installers automatically at the SYSTEM level, bypassing things like UAC.
In other words, the installers aren’t doing anything wrong, per se, and are working as expected – it’s that the OS is automatically running them with high privileges without taking into consideration the logged-in local user and their scope of access. There may be no easy fix.
A spokesperson for Razer told us today: “We were made aware of a situation in which our software, in a very specific use case, provides a user with broader access to their machine during the installation process.
“We have investigated the issue, are currently making changes to the installation application to limit this use case, and will release an updated version shortly. The use of our software (including the installation application) does not provide unauthorized third-party access to the machine.”
The spokesperson added that Razer runs a bug bounty program here.
Huge web flood revealed
Cloudflare says it has absorbed the largest DDoS attack in its history – three times larger than anything it has seen before.
The attackers were going after a financial biz on Cloudflare’s CDN, and fired an opening salvo of 330 million requests within seconds from a botnet of compromised machines. This continued into a sustained flood running at 17.2 million requests-per-second.
“This 17.2 million RPS attack is the largest HTTP DDoS attack that Cloudflare has ever seen to date and almost three times the size of any other reported HTTP DDoS attack,” said Omer Yoachimik of Cloudflare’s DDoS Protection Service.
“This specific botnet, however, has been seen at least twice over the past few weeks. Just last week it also targeted a different Cloudflare customer, a hosting provider, with an HTTP DDoS attack that peaked just below eight million RPS.”
Cloudflare reckons the botnet used in the web tsunami was only 20,000 bots strong, spread out over 125 countries. Its denial-of-service daemon (dosd) spotted the attack early, it said, and mitigated the effects of the HTTP request deluge.
US census org’s patch delay and intrusion detailed
An in-depth report [PDF] into a cyber-attack against the US Census Bureau’s servers last year has been published by the Office of Inspector General for the US Department of Commerce.
On January 11, 2020 a number of servers used by staff to remotely check on production, development, and lab networks were compromised by miscreants using a publicly available exploit. The vendor behind the software used for this remote access had released a patch on December 17, 2019 for the critical vulnerability targeted by the intruders, and this was not applied to the bureau’s systems.
The bureau also did not immediately pick up on the intrusion, did not keep sufficient logs, did not hold a “lessons learned” session in the aftermath, and operated servers no longer supported by their supplier, the auditors said. By some miracle, we’re told, only staff accounts were tampered with, and the results of the 2020 Census were untouched.
“The exploit was partially successful, in that the attacker modified user account data on the systems to prepare for remote code execution,” the report said. “However, the attacker’s attempts to maintain access to the system by creating a backdoor into the affected servers were unsuccessful.”
The watchdog has set out a number of steps for the bureau – already regarded as a cyber-security tire fire – to take, including vulnerability scanning and procedures to alert IT staff when relevant patches are released.
Pearson fined $1m for not educating investors on security failure
Pearson will pay out $1m to settle claims it misled investors about the scale of a 2018 network intrusion.
According to America’s financial watchdog, the SEC, which announced the settlement, “Pearson made misleading statements and omissions about the 2018 data breach involving the theft of student data and administrator log-in credentials of 13,000 school, district and university customer accounts.”
“Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
The British educational publisher agreed to pay a million-dollar penalty to the SEC, and pinky-swore not to screw up like this again.
Princeton prof warns Apple over CSAM scanning – we’ve been there, don’t
The ongoing storm over Apple’s plans to scan iCloud uploads and Messenger for child sex abuse material intensified on Thursday when Princeton Professor Jonathan Meyer and PhD student Anunay Kulshrestha said they had already built such a system, and then abandoned it.
Two years ago they began researching a very similar system to Apple’s, scanning for known images and generating alerts. But after building a working prototype they realized that the implications of such a system for censorship were huge, since any file could be submitted by government officials for monitoring and surveillance of people’s activities and interests.
“We were so disturbed that we took a step we hadn’t seen before in computer-science literature: we warned against our own system design, urging further research on how to mitigate the serious downsides,” they wrote. “We’d planned to discuss paths forward at an academic conference this month.”
The boffins accused Apple of gambling with netizens’ futures by hoping that governments will not be able to wield the system for nefarious purposes. Apple has said it will not bow to demands to add non-CSAM images to its database. By the way, Apple has been scanning iCloud Mail for CSAM since 2019.
So, about that …
According to a Citizen Lab report this month, you can already see the effect of Apple’s censorship in China spreading beyond the Middle Kingdom. Apple complies with Beijing’s demands and censors some content in China, saying it complies with the laws in the countries it operates. Citizen Lab found that the same censorship policies were emerging elsewhere.
“We found that part of Apple’s mainland China political censorship bleeds into both Hong Kong and Taiwan,” the team’s report stated. “Much of this censorship exceeds Apple’s legal obligations in Hong Kong, and we are aware of no legal justification for the political censorship of content in Taiwan.”
How reassuring. ®