
Researchers often give security vulnerabilities catchy names to help them attract more attention. Many of these monikers seem like nonsense--Heartbleed, Spectre, and Meltdown all sound more like emo bands than security flaws--but apparently the researchers at Eclypsium prefer to be a bit more direct. When the company revealed serious issues with more than 40 drivers on Saturday, it simply titled its report Screwed Drivers. (Catchy.)

Eclypsium said it found severe vulnerabilities in drivers from "every major BIOS vendor" as well as the likes of Asus, Toshiba, Nvidia, Intel, AMD, and Huawei, which is pretty bad news. But worse still was the company's realization that all of the insecure drivers had been signed by valid Certificate Authorities and certified by Microsoft. Eclypsium said this means the insecure drivers can be installed "on all modern versions" of Windows despite their flaws.

The company also explained that "there is currently no universal mechanism to keep a Windows machine from loading one of these known bad drivers" and that some features "specific to Windows Pro, Windows Enterprise and Windows Server may offer some protection to a subset of users." And that's only if administrators decide to use those features; otherwise, their Windows devices will allow the insecure drivers to be installed anyway.

"Vulnerable or outdated system and component firmware is a common problem and a high-value target for attackers, who can use it to launch other attacks, completely brick systems, or remain on a device for years gathering data, even after the device is wiped."

 
