Comments by: Jonathan Knudsen, Senior Security Strategist, Synopsys Software Integrity Group
Security and usability are frequently adversaries. For a good user experience, the Windows operating system runs installer programs when you plug in a new piece of hardware, like a keyboard or a mouse. In this instance, the problem was that the Razer installer program wasn’t sufficiently restrictive in its file dialog, allowing a user to achieve system privileges. This means that an attacker with a regular user account can easily escalate privileges simply by plugging in a Razer device.
This is not an attack that can be executed over the network. An attacker would need physical access to the victim computer and would need to be already logged in as a regular user.
While the details of the exploit and how it could be prevented are important, the most valuable thing to learn is more about building relationships.
The researcher jonhat publicly revealed the vulnerability after failing to get a response from Razer. Since the public disclosure, Razer has acknowledged the bug and even offered to reward jonhat with a bounty. Other device manufacturers should take note, as many other driver installation programs are likely to have the same type of vulnerability.
For any organisation, having a clearly marked place where security concerns can be submitted, and responding to submission in a timely and courteous manner, is a critical but often overlooked component of cybersecurity.
Comments by: Oded Vanunu, Head of Products Vulnerability Research at Check Point Software Technologies
The attack vector here require the attacker to have a physical access to the machine and plug malicious Razer device. It means that the targeted audience that it might be relevant is very limited. The only recommendation I have for admins who manage low privilege users is to block any USB/USB-C ports by software, that can eliminate this attack vector.