Singapore computer peripherals manufacturer Razer was reported to have a zero-day vulnerability earlier this week. Its Razer Synapse software, used by over 100 million users worldwide, allowed a user to gain full control of a Windows 10 device by escalating to SYSTEM privileges (effectively a Windows admin) in just 2 minutes.
Security and usability are frequently adversaries. For a good user experience, the Windows operating system runs installer programs when you plug in a new piece of hardware, such as a keyboard or a mouse. In this instance, the problem was that the Razer installer's file dialog wasn't sufficiently restricted, which let a user turn it into a path to SYSTEM privileges. This means that an attacker with a regular user account can easily escalate privileges simply by plugging in a Razer device.
This is not an attack that can be executed over the network. An attacker would need physical access to the victim's computer and would already need to be logged in as a regular user. While the details of the exploit and how it could be prevented are important, the most valuable lesson here is about building relationships with the people who report such issues.
The researcher jonhat publicly revealed the vulnerability after failing to get a response from Razer. Since the public disclosure, Razer has acknowledged the bug and even offered jonhat a bounty. Other device manufacturers should take note, as many other driver installation programs are likely to have the same type of vulnerability.
For any organisation, having a clearly marked place where security concerns can be submitted, and responding to submissions in a timely and courteous manner, is a critical but often overlooked component of cybersecurity.