Update 8/23: A Razer spokesperson contacted Tom's Guide and released the following statement: We have become aware of a situation where our software, in a very specific use case, provides broader access to the user's machine during the installation process.
"We have investigated this issue and are currently making changes to our installation application to limit this use case and will be releasing an updated version shortly. Using our software (including the installation application) will not allow unauthorized third parties to access your machine.
"We are committed to ensuring the digital safety and security of all our systems and services, and if you encounter any potential negligence, we encourage you to report them through our bug bounty service, Inspectiv:https://app.inspectiv.com/#/sign-up."
ORIGINAL: Razer makes some excellent gaming mice, from the versatile Razer DeathAdder V2 to the smaller Razer Orochi V2. But while the peripherals themselves are unquestionable, the software can leave big holes in your PC's defenses. A security researcher recently discovered that it is possible to trick the Razer Synapse software into thinking it has full Windows 10 administrative privileges. The bad news is that there is no fix yet, but the good news is that the risk to most users seems minimal.
The information comes from Windows enthusiast site MSPoweruser, which reports on a Twitter thread by security researcher "jonhat." In a short video, jonhat demonstrates a privilege escalation flaw inherent in Razer mice. When exploited, this flaw allows a malicious person to access a Windows 10 PC as an administrator rather than as a restricted user. Once this flaw is exploited, it is possible to steal files or install malware.
Before we get into the details of how the vulnerability works, there are two important pieces of information to remember. First, Razer has not yet prepared a patch for this flaw. The company frequently patches its Synapse software, so we can expect an update in the near future. Until then, however, users will have to protect their machines themselves.
So, secondly, this flaw is relatively impractical to exploit in everyday situations: to gain administrative access with a Razer mouse, the malicious person would need physical access to the PC. This means that a stranger must be in your home or workplace, unsupervised, and have a Razer mouse or dongle handy. This could happen in a shared workplace, but it would take a lot of effort and coordination to pull off.
In any case, here's how the flaw works: first, a Razer mouse is connected to a Windows 10 PC; assuming Synapse is not already installed, the mouse runs an EXE called "RazerInstaller." The vulnerability lies in the fact that RazerInstaller runs as a SYSTEM, not as an individual user account.
Thus, the user can choose where to install Synapse: open Windows Explorer, run Powershell, and use the command prompt to do almost anything. Once familiar with the command prompt, users can copy files, install software, or completely wipe their PC.
Technically speaking, a Razer mouse is not necessary to reproduce this flaw; simply creating a USB drive that mimics a Razer mouse is sufficient; as long as the RazerInstaller EXE is executed from a USB drive, exploiting the rest of the vulnerability is relatively easy
Fortunately, it is possible to exploit the rest of the vulnerability.
Fortunately, Razer Synapse is automatically updated by default, so if Razer issues a patch, most users should be able to obtain it without any extra effort. Microsoft could also remove the defective driver from Windows Update and replace it with a new driver as soon as it becomes available. In the meantime, however, try to keep your PC and your Razer mouse to yourself.
Comments