Keyboard customization software, especially from the main keyboard brands, is already a bit of a racket. Most of it is either too bloated to use daily or asks you to sign up for an account before you can set up anything. Razer and SteelSeries offer software like this for their lineups of gaming peripherals and keyboards, and now both are under fire for having exploitable zero-day vulnerabilities.
Security researcher jonhat said on Twitter that they discovered that plugging a Razer peripheral into a PC running Windows 10 gives the user complete SYSTEM privileges on that machine, regardless of administrator status. SYSTEM privileges are effectively the highest access you can get on a Windows PC. That access is usually reserved for the owner of the laptop or computer. But in this case, anyone could theoretically go ahead, plug in a Razer mouse, and install anything they want, including malware.
BleepingComputer has tested the vulnerability to confirm it. After plugging in a Razer mouse, it took about two minutes to get complete SYSTEM privileges in Windows 10. The mouse is set up to automatically install the appropriate Razer driver and the accompanying Synapse software once connected. Synapse is what allows you to change the backlighting and program the capabilities of a Razer keyboard or mouse. It is also an additional opportunity for Razer to sell you on the benefits of choosing its accessories, which is why the company wants the software installed immediately after purchase.
For its part, Razer reached out to the original security researcher to confirm that it is currently working on a fix to address these issues. Razer also responded separately to The Register: “We have investigated the issue, we are currently making changes to the installation application to limit this use case, and we will post an updated version shortly. Use of our software (including the installation application) does not provide unauthorized third party access to the machine.”
It is a similar case for gaming mouse and keyboard maker SteelSeries, which makes the SteelSeries Engine software for changing the lighting and programming macros on certain SteelSeries keyboards. This includes the Apex Pro, which is one of Gizmodo's best mechanical gaming keyboards due to its adjustable actuation. But to enable this capability, you need the software.
Security researcher Lawrence Amer found that the SteelSeries Engine software can also be used to obtain administrative rights. It has a vulnerability similar to Razer's that allows access to the command prompt in Windows 10 with full administrative capability, which is possible just by connecting a SteelSeries keyboard. In a response to BleepingComputer, SteelSeries said it is aware of the issue and that it “proactively disables the launch of the SteelSeries installer that is activated when a new SteelSeries device is connected.”
It’s not the first time Razer has faced scrutiny for not protecting its users. Other peripheral manufacturers, such as Das Keyboard and Logitech, have also had security flaws in their respective software. It is frustrating for users who have no other option for customizing expensive keyboards and mice. There are not many open-source options available, and the existing ones tend to be oriented toward independent makers of keyboards and peripherals.
The other problem here is that Windows allows this type of access simply by connecting a peripheral. You may have chosen a specific keyboard or mouse for your computer, but just plugging in a device should not mean automatic consent to software with administrative access. Razer and SteelSeries would have been better off telling you to download the software from their respective websites. At least that way, there is an illusion of choice.