Surge of killer device drivers leave no OS safe
News came yesterday that Linux users who used NVIDIA's drivers were in danger of being remotely exploited because a zero-day exploit code was released last week. Just the mere act of visiting a malicious website could trigger a buffer overflow that can lead to arbitrary code execution. Since the attack is on the device driver which is closely tied in to the kernel, it operates beneath the user space and does not require root privileges to completely take over the system. Currently there are no production drivers that fix this issue so Linux users are faced with the difficult choice of running more generic drivers that lack hardware optimization or live with the risk of being rooted.
UPDATE 10/19: Reader Rokstar83 points out some other options
Fix #1: Upgrade to the newer beta drivers which according to nvidia do not have that problem.
Fix #2: Disable RenderAccel Extension until they patch the driver. You'll take a preformance hit on 2d rendering, but 3d rendering shouldn't have a problem.
These kinds of device driver flaws aren't just limited to Linux; the reality is that they have recently plagued all operating systems from FreeBSD to Linux to Windows to Mac OS X. The most recent example is the Toshiba Bluetooth Stack flaw announced last week affecting multiple PC makers from including Dell, Sony, ASUS and anyone else using the Toshiba Bluetooth stack. The vulnerabilities were researched and discovered by researcher David Maynor and Jon "Johnny Cache" Ellchalong with Martin Herfurt, Marcel Holtmann and Adam Laurie. Anyone affected by this flaw will have to get an updated Bluetooth stack but unfortunately it isn't as easy going to Windows Update site since you'll need to find some vendor specific updates. Toshiba as the original equipment maker does offer this download page with updated drivers. Anyone who doesn't update their Toshiba Bluetooth stack is vulnerable to wireless remote exploits and kernel-level code execution.
Just last month, Apple released a triplet of patches for remote exploit flaws their AirPort wireless device drivers which affected both Power PC and Intel based Macs. Apple acknowledged the fact that issues were brought to their attention from David Maynor (of SecureWorks) and Jon Ellch which triggered an internal audit but refused to give credit to the researchers for discovering the vulnerabilities. Macs equipped with AirPort drivers are vulnerable to wireless remote exploits and kernel-level code execution.
In August, Intel patched a critical remote exploit flaw in their wireless device drivers for Windows which affects all Centrino branded notebooks and PCs running an Intel Wi-Fi chipset. The patched driver turned out to have memory leak problems which required a second update which can be downloaded here. Unpatched systems with Intel's Wi-Fi chipset are vulnerable to wireless remote exploits and kernel-level code execution. For help on installing the Intel PROSet drivers, you can follow this gallery.
Earlier this year, FreeBSD patched a critical remote exploit flaw in its net80211 Wi-Fi stack and a similar issue affected Linux and was patched as well. Additional buffer overflow problems in the wpa_supplicant for Linux were patched last year. Open1x which is another wireless client for Linux also had potential buffer overflows. The list just goes on and on and these type of issues are being looked at more and more since a driver exploit has a fast track directly in to the kernel which bypasses all restricted user privileges, firewalls, antivirus, and other conventional defensive measures. David Maynor more than a year ago while working for ISS issued this warning last year that "device drivers are filled with flaws" and it looks like he was right.
The lesson here is that no platform and no Operating System is safe from flaws in their device drivers and the attacks will continue to get worse. Hardware makers must start taking device driver security seriously, even more so than the application vendors. Microsoft needs to integrate driver updates in to its critical update infrastructures. Users need to start demanding more secure and stable device drivers because it's bad enough when a shoddy device driver crashes, but getting owned because of one is unacceptable.