Surge of killer device drivers leave no OS safe

Summary: News came yesterday that Linux users running NVIDIA's drivers were in danger of remote exploitation because zero-day exploit code was released last week. Merely visiting a malicious website could trigger a buffer overflow that leads to arbitrary code execution.


News came yesterday that Linux users running NVIDIA's drivers are in danger of remote exploitation because zero-day exploit code was released last week. Merely visiting a malicious website could trigger a buffer overflow that leads to arbitrary code execution. Since the attack targets the device driver, which is closely tied to the kernel, it operates beneath user space and does not require root privileges to take over the system completely. Currently there are no production drivers that fix this issue, so Linux users face the difficult choice of running more generic drivers that lack hardware optimization or living with the risk of being rooted.

UPDATE 10/19: Reader Rokstar83 points out some other options
Fix #1: Upgrade to the newer beta drivers which according to nvidia do not have that problem.
Fix #2: Disable the RenderAccel extension until they patch the driver. You'll take a performance hit on 2D rendering, but 3D rendering shouldn't have a problem.
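A small audit script for Fix #2, added here as an example and not part of the original post or of NVIDIA's own tooling: it checks whether an xorg.conf actually has RenderAccel turned off for every Device section that uses the nvidia driver. It assumes the standard xorg.conf form of that setting, `Option "RenderAccel" "false"` inside `Section "Device"`, and the two sample configs at the bottom are constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example (not from the article): audit an xorg.conf for Fix #2.
# Assumes the usual layout: Section "Device" ... Driver "nvidia" ...
# Option "RenderAccel" "false" ... EndSection.
# Prints "mitigated" when every nvidia Device section has RenderAccel
# explicitly off, "exposed" when at least one leaves it enabled (the
# default), and "no-nvidia" when no Device section uses the nvidia driver.
check_renderaccel() {
    awk '
        # Lower-case the line and strip comments so matching is case-insensitive.
        { line = tolower($0); sub(/#.*/, "", line) }
        line ~ /^[[:space:]]*section[[:space:]]+"device"/ { indev = 1; nvidia = 0; off = 0; next }
        indev && line ~ /^[[:space:]]*driver[[:space:]]+"nvidia"/ { nvidia = 1 }
        # X.org accepts false/off/no/0 as boolean "off".
        indev && line ~ /^[[:space:]]*option[[:space:]]+"renderaccel"[[:space:]]+"(false|off|no|0)"/ { off = 1 }
        indev && line ~ /^[[:space:]]*endsection/ {
            if (nvidia) { seen = 1; if (!off) exposed = 1 }
            indev = 0
        }
        END {
            if (!seen) print "no-nvidia"
            else if (exposed) print "exposed"
            else print "mitigated"
        }
    ' "$1"
}

# Constructed sample configs for a stand-alone run: the default (RenderAccel
# left enabled) beside the hardened version with the option switched off.
vuln_cfg=$(mktemp); safe_cfg=$(mktemp)
cat > "$vuln_cfg" <<'EOF'
Section "Device"
    Identifier "Card0"
    Driver     "nvidia"
EndSection
EOF
cat > "$safe_cfg" <<'EOF'
Section "Device"
    Identifier "Card0"
    Driver     "nvidia"
    Option     "RenderAccel" "false"   # Fix #2: 2D acceleration off
EndSection
EOF
echo "default config:  $(check_renderaccel "$vuln_cfg")"   # exposed
echo "hardened config: $(check_renderaccel "$safe_cfg")"   # mitigated
rm -f "$vuln_cfg" "$safe_cfg"
```

The change only takes effect once the X server is restarted, so a "mitigated" result from the file alone does not prove the running server has the option off.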

These kinds of device driver flaws aren't limited to Linux; they have recently plagued every operating system from FreeBSD to Linux to Windows to Mac OS X. The most recent example is the Toshiba Bluetooth Stack flaw announced last week, affecting multiple PC makers including Dell, Sony, ASUS and anyone else using the Toshiba Bluetooth stack. The vulnerabilities were researched and discovered by David Maynor and Jon "Johnny Cache" Ellch along with Martin Herfurt, Marcel Holtmann and Adam Laurie. Anyone affected by this flaw will have to get an updated Bluetooth stack, but unfortunately it isn't as easy as going to the Windows Update site, since you'll need to find vendor-specific updates. Toshiba, as the original equipment maker, does offer this download page with updated drivers. Anyone who doesn't update their Toshiba Bluetooth stack is vulnerable to wireless remote exploits and kernel-level code execution.

Just last month, Apple released a triplet of patches for remote exploit flaws in their AirPort wireless device drivers, which affected both PowerPC and Intel based Macs. Apple acknowledged that the issues were brought to their attention by David Maynor (of SecureWorks) and Jon Ellch, which triggered an internal audit, but refused to credit the researchers with discovering the vulnerabilities. Macs equipped with AirPort drivers are vulnerable to wireless remote exploits and kernel-level code execution.

In August, Intel patched a critical remote exploit flaw in their wireless device drivers for Windows, which affects all Centrino-branded notebooks and PCs running an Intel Wi-Fi chipset. The patched driver turned out to have memory leak problems, which required a second update that can be downloaded here. Unpatched systems with Intel's Wi-Fi chipset are vulnerable to wireless remote exploits and kernel-level code execution. For help installing the Intel PROSet drivers, you can follow this gallery.

Earlier this year, FreeBSD patched a critical remote exploit flaw in its net80211 Wi-Fi stack, and a similar issue affected Linux and was patched as well. Additional buffer overflow problems in wpa_supplicant for Linux were patched last year. Open1x, another wireless client for Linux, also had potential buffer overflows. The list goes on and on, and these types of issues are getting more and more scrutiny, since a driver exploit has a fast track directly into the kernel, bypassing all restricted user privileges, firewalls, antivirus and other conventional defensive measures. More than a year ago, while working for ISS, David Maynor warned that "device drivers are filled with flaws", and it looks like he was right.

The lesson here is that no platform and no operating system is safe from flaws in its device drivers, and the attacks will continue to get worse. Hardware makers must start taking device driver security seriously, even more so than the application vendors. Microsoft needs to integrate driver updates into its critical update infrastructure. Users need to start demanding more secure and stable device drivers, because it's bad enough when a shoddy device driver crashes, but getting owned because of one is unacceptable.

Talkback

82 comments
  • This gives the F/OSS community ammunition

    You'll notice the open source driver was the one that did not have a vulnerability. Of course you can say that the closed one was much more complex and thus would have been more susceptible anyway, but if hardware vendors insist on keeping their sources closed, then they have to take full responsibility for them.

    Also I might mention that if the MS Bluetooth stack were complete in XP there would be no need for the Toshiba stack. It's not like there isn't an open spec to go by.
    Michael Kelly
    • Vista has a complete BT stack

      Windows XP bluetooth is missing headset support.
      georgeou
      • And yet

        you ask the average person off the street what they think of when they hear the word "Bluetooth", and what do they think? Headsets. And now with cheap services like SkypeIn headsets will be more in demand for the PC.

        Well, I guess until Vista comes out I'll just have to make it a habit to check the Toshiba site for updates. Thanks for the heads up though.
        Michael Kelly
        • not think it is the case

          >>you ask the average person off the street what they think of when they hear the word "Bluetooth", and what do they think? Headsets<<

          Hmm, most people I know (non technical) seem to think more of keyboards and mouses, but I do not know in general.
          markbn
  • Microsoft and driver updates

    "Microsoft needs to integrate driver updates in to its critical update infrastructures."

    I agree, but the problem there is that there will be a gap between the update from the vendor and the update made by Microsoft. Ideally the Microsoft-provided update would come one or two days after the vendor releases a fix, but it would more likely come in around a week.

    Case in point: Mozilla Firefox for Linux. Recently, Mozilla updated to 1.5.0.7. At the time of the release I was still using the previous release, which had a flaw. I had downloaded and used the update straight from Mozilla, until a week later the update notifier on my desktop told me an update to Firefox was available. It was 1.5.0.7, but packaged and tailored to my distribution. I removed the Mozilla-provided version and installed the "Debianized" version.

    Why the week-long gap? The Ubuntu developers needed to compile it, test it, and properly package it so there would be no problems.

    With Microsoft, it could get a little more complicated, since they may have to deal with a proprietary vendor that may not like someone else distributing their fixes. But in the case of open-source apps, Microsoft could easily put updates in their infrastructure, since they are generally allowed and encouraged to redistribute them. The same goes for Apple, too.
    Tony Agudo
    • I disagree...

      Driver updates have always been considered optional, and here's why: a driver update could interfere with other applications on the system. Hardware manufacturers recommend updating your drivers only if you notice problems or if newer applications or application updates require them.

      For example, I haven't touched the DirectX version on my laptop. Nothing I've had on here has required a newer version, and updating DirectX I know will require updating my graphics drivers at the minimum. But since I don't need it, I haven't downloaded it.

      In this case, though, I think nVidia will be highly recommending users to upgrade once a new release is made.
      ken_ballard@...
  • Oh Gee, just what everybody needs.

    More fuel for the Microsoft Driver Signing movement.

    nVidia should probably take a cue from the Opensource development crowd and open their drivers. I know AMD didn't really give them the shaft, but they did throw a nice monkey wrench into some plans.

    Other device manufacturers should probably take this to get onboard as well. Who really knows what the solution is though.

    Anyway, I just don't care to have to be required to get Microsoft's seal of approval to install drivers on Windows anything. Just my personal convictions.
    nucrash
    • Driver signing is for authentication

      Driver signing is for authentication and that's a good thing. You do want to be able to cryptographically verify that the drivers are from who they claim to be from and that it hasn't been altered right?

      You're not getting Microsoft's approval, you're just meeting a minimum sanity check that you won't wreck the OS. With the luck I've had with Creative Labs drivers locking up my whole system in Vista 64 beta, I can see why certified drivers are a good thing.
      georgeou
  • AppArmor

    Where Linux is concerned, unless the driver has been linked and compiled to the kernel, it exists as a loadable module, per se.

    This affords maximum flexibility to deal with configurability at init.d runlevel.

    As such, it's academic if you have Novell AppArmor to manually select (YaST Control Panel>AppArmor>Manually Add Profile) and alter permissions of any affected modules.

    With AppArmor (http://www.novell.com/linux/security/apparmor/), any 'ill-behaved' process gets killed. Period. End of Story.

    OK George, thanks for the heads-up.
    D T Schmitz
  • Still selling this line of crap?

    ---Apple acknowledged the fact that issues were brought to their attention from David Maynor (of SecureWorks) and Jon Ellch which triggered an internal audit but refused to give credit to the researchers for discovering the vulnerabilities---

    Still telling more lies with no evidence to back them up George? You've never, ever, even once offered any proof that Maynor and Ellch were responsible for finding the vulnerabilities that Apple patched. Not one shred. Apple has publicly and clearly denied this. Yet you still keep hammering away in your little fantasy world. What color is the sky there George? Do you feel that, like Ronald Reagan famously said, if you repeat a lie often enough it becomes the truth?

    ---Macs equipped with AirPort drivers are vulnerable to wireless remote exploits and kernel-level code execution.---

    Really? What unpatched vulnerabilities are there in stock AirPort drivers? Be specific.
    tic swayback
    • Incorrect citation

      "...like Ronald Reagan famously said, if you repeat a lie often enough it becomes the truth?"

      Ronald Reagan may have said it (as have you and many others), but the phrase was reportedly coined by Josef Goebbels, Propaganda Minister for Adolf Hitler, who proclaimed (in translation from the German), "If you repeat a lie often enough, it will be accepted as truth."

      Goebbels may have "borrowed it" from an earlier propagandist, but I doubt his source was Ronald Reagan.
      cdgoldin
      • If you want to correct someone you better do it right :)

        The correct Dr. Joseph Goebbels quote is
        'Nothing is so outrageous that the number of those believing in it is not more than zero'.

        Goebbels offered the observation after having been told that some statement his propaganda ministry had come up with in order to explain away some atrocities or other wouldn't be believed by anyone.

        It is one of life's little paradoxes that the official 'minister of lies' should be the one to coin one of life's eternal truths. :)
        Beejaybee
    • I would give it up...

      George is an Apple basher and will never change or admit anything. He spent some time on Adrian's blog a while back and provided a search of things funny on the web about the Apple/Greenpeace nonsense. Reading some of the notes made me think I was back in grade school. I guess it passes as work at ZDnet - repeating bad info and then looking for supporting gags on the web to "prove" you are right. No balance at all in this editorial/commentary space.

      Yup - he has told the distortion of the truth so often he has that as his reality (S. Jobs could take lessons in "RDF" theory from him in this area). Too bad, some of his other work may show real technical expertise and thoughtfulness. His rants on Apple limit his value in the areas he has real knowledge to offer as it makes the rest of his work suspect.
      Jim888
    • I noticed something else

      I agree with you tic by the way.

      Now on to what I noticed- (and I am not a george basher) but he was very quick to point out that Apple patched this or *nix patched that BUT he didn't point out that on the last patch day MS released 10 patches for 26 vulnerabilities and that an 11th patch for a critical flaw that was supposed to be released wasn't.
      Shelendrea
      • More on George... and on Mac...

        After 12 years and 3 consecutive Macs, I switched back to Windoze in 2003 (big difference from 3.1 to XP, lol), for a variety of reasons, mostly related to Mac just not giving me enough bang for my buck any more, and me feeling platform abandoned when OS 10 came out (I had JUST upgraded to a G4 card, and it wouldn't run the OS)... I had also been in the publishing business, but no longer was, and most of what I was and am doing now, seemed to work better, and for less money, on Windoze (the spelling is DELIBERATE).

        As for George, I read his columns only occasionally, and I'm neither a Mac NOR a Windoze advocate at this point, as both have pluses and minuses (I just like to get that little slam in with my spelling, lol). But I DO have to wonder if George keeps his job only to fulfill some sort of quota or something, as I often see grammatical errors, as well, along with either run-on sentences which make little sense or are very difficult to comprehend, or sentences/paragraphs that are so full of abbreviations and technospeak I don't think most readers have any idea what he's talking about (I know I don't).

        I've been a steady subscriber to and reader of ZDNet daily email columns since about 1998... back when most of it was just one person (can't think of his name, but he moved up, or on)...

        Nowadays, it's A LOT more people, and SEVERAL different emails each day with LOTS of articles and much more than I can read, so I have to pick and choose by title. Unfortunately for me, quite often the TITLE I choose has the name George Ou attached to it.

        ZDNet and CNet editors, I hope you're paying attention. This guy does a DISSERVICE to your entire organization!

        Jeff Hayes
        Spartanburg, SC
        Jeff Hayes
        • Mac Bashing guarantees hits!

          Mac defenders are partially responsible for this type of irresponsible journalism. If we didn't read it, nobody would care and people would quit bashing Macintosh. Dvorak is most famous for ludicrous statements about Macs and Mac users, but if it's a slow day a Mac bashing article brings in the hits. We shouldn't take it so seriously.

          The siding up and trash talking has gone crazy now. Every time one of the Anti-Virus companies spreads a bunch of FUD about Apple, or even worse when either Apple or Microsoft makes an OS update or a true security update, it turns into a flame war. The bottom line is OSX is about one million times safer than Windows, and a lot more stable, too, forget about the reasons.

          The thing that gets me is now Apple, who actually let out a few iPods with a Windows virus on them, blames the buggy Windows OS and then states that they Apple should do a better job of securing their iPods. He could have left the Windows bash out. If you make hardware or software for an operating system which Apple does with iPods and iTunes for Windows, you should be just as careful as when you build a Mac with OSX that no viruses are included in the hardware or software. Apple might not like Windows much but making Windows products makes them money and Apple needs to take sole responsibility for the problem and really beef up the quality control of 3rd party manufacturers or else they might become another Sony.
          MacGeek2121
          • The bottom of the above post....

            demonstrates that this crazy OS bashing has gone crazy and even Apple is partly responsible for the insanity. George loves to bash Apple but he's not the only one who enjoys and fuels the OS wars.

            The main thing I object to is the security bashing when someone makes a security fix. Security fixes are good for everybody, including people who don't use the OS. We should applaud everyone who makes a security fix and not say "Microsoft just patched 25 problems so their OS is crap." or replace Microsoft with Apple or Linux.
            MacGeek2121
      • Did you notice we're talking about device driver flaws?

        It was kind of obvious.
        georgeou
        • Let me put it this way then

          Why did you not point out device driver flaws in Microsoft?
          And my post was more to the point that you do not point out flaws in Microsoft as equally as you do others. I can understand that you feel that MS is constantly bashed but this wasn't a time to try and put MS on that high pedestal.
          Shelendrea
          • Uh, why don't you link to one

            You do know that Microsoft doesn't sell a lot of hardware (other than mice and some other things) right? This is a hardware driver problem. There haven't been any examples of killer MS Mouse drivers. If you can find one, feel free to post it.

            It's funny how you want to bash Microsoft where it doesn't even pertain to them.
            georgeou