Device Drivers Filled with Flaws, Pose Risk

Gary W. Longsine writes "Security Focus describes device drivers as an untapped source of buffer overflows, posing substantial risk not typically considered as part of a standard risk assessment. The security risks of device drivers on both Windows and Linux, including network (remotely exploitable) and hardware drivers (typically only locally exploitable) are discussed in the article. I've noticed that software you wouldn't expect sometimes installs a device driver component. I can understand this as a component of an antivirus or host based firewall, but it seems to be an oddly common design pattern on Windows, which clearly poses substantial risk."

Design pattern

[davidstrauss]

oddly common design pattern on Windows

Could someone give me examples of this? Most software I use doesn't do this. It seems more of a design pattern for DRM stuff (like DVD audio).

Re:Design pattern

Games do this often for their copy-protection methods. The most common is Starforce, which installs a driver without which the program will not run.

Re:Design pattern

[nmb3000]

Could someone give me examples of this?

I was thinking the same thing. Obviously some stuff will have a driver it installs because it is required for whatever it's doing. Examples of valid ones roll off easy enough: Daemon Tools (ISO emulation), UltraMon (multi-monitor manager), hardware-heavy optical disk apps like Alcohol 120% and Blindwrite, OpenVPN.

I think often times the reasons behind device driver usage are linked very closely to efficiency and ease of implementation. If you need close hardware access and want to be fast and efficient doing it then a device driver is probably best. Even if it were possible doing it with some sort of hook and DLL system, it's going to be a lot slower and more of a kludge.

I figure that while device drivers are another part of software that needs to be analyzed for security flaws, they really aren't that special. One of the simplest security flaws, a buffer overflow, can still be found in who knows how many programs? The fact that a driver runs near the kernel is something to watch for, but methods like DLL injection have enabled people to get kernel-privileged access before on Windows (remember getAdmin for Win2000?).

Re:Design pattern

[Jeff+DeMaagd]

So basically device drivers are used to get around the intentional design limitations? Abstracting user software from kernel software is a good idea, and getting around it doesn't sound like a good idea. Sure, you get performance but you lose speed.

Re:Design pattern

[moonbender]

Look for yourself, if you are on Windows anyway. Open the device manager, check "show hidden devices" in the view menu and look at the new devices that appear. Especially the ones in the "Non-Plug and Play Drivers" category. Some examples from my system include "Creative AC3 software decoder" (along with half a dozen more drivers the Audigy installs), "StyleXP helper" (Window skinning), "mnmdd" (no clue). And this is a fairly clean system, apart from Style XP maybe. Most of these would make sense as services, but device drivers? Not that there is a shortage of services on a typical Win XP system!

Re:Design pattern

[Jeff+DeMaagd]

Oops, I mean, sure you get performance but you stand to lose system stability, and apparently, security.

Re:Design pattern

I knew we shouldn't have used the Fscked Driver Pattern for our design!

Re:Design pattern

At least in the case of Linux, some things get implemented in the kernel not just for speed but because that's the only central authority and common distribution in Linuxland. The userland is mass choas -- If someone writes something (like a virtual filesystem) that runs between the kernel and gnome/kde, nobody will ever use it.

Re:Design pattern

[Tim+Browse]

My favourite part of Starforce is that it installs a device driver without asking the user first - you run the game, it silently installs a device driver.

Nice.

Re:Design pattern

Are you sure those are all supervisor-mode device drivers?

Re:Design pattern

[Afrosheen]

Yeah but the dead giveaway with Starforce is that it requires a reboot after you install the game. We all know why Windows needs to reboot post-install: drivers.

Well, actually, Windows will reboot post install for a number of reasons, but for a game using Starforce, it makes sense.

Re:Design pattern

[Anon+E.+Muss]

Wrong! Installing drivers is not a major cause of reboots on Windows. The only time you absolutely need to reboot is if you update the boot disk driver. There is no different than Linux. Any properly written Windows driver can be installed or updated without a reboot -- if the driver writer didn't do their job, blame them, not the OS.

The real cause of most reboots are attempts to replace active user-mode executables (EXE or DLL). Executable files cannot be replaced while they're running. This makes it practically impossible to update system DLL's without a reboot, since they're going to running in some process all the time.

Re:Design pattern

[Anon+E.+Muss]

nmmdd is the Netmeeting Mirror Display Driver.

Re:Design pattern

[Afrosheen]

So tell NVIDIA and ATI to 'fix' their drivers, since they don't fit into your reboot logic. It's quite a bit different than Linux in this respect. I can change Nvidia drivers at will with no reboot in Linux, and that's impossible in Windows.

BTW what is a boot disk driver? Is it something that you'd use if you, say, hot swapped your boot drive from IDE to SATA? Makes no sense my friend.

Re:Design pattern

[GlassUser]

So tell NVIDIA and ATI to 'fix' their drivers, since they don't fit into your reboot logic. It's quite a bit different than Linux in this respect. I can change Nvidia drivers at will with no reboot in Linux, and that's impossible in Windows.

Funny, I just changed my laptop's nvidia drivers two days ago, and no reboot was required. Are you sure you have your facts straight?

Re:Design pattern

[Afrosheen]

You may be right, while splitting a fine hair. Maybe I was unclear.

When going from the default Windows driver to the 'real' Nvidia display drivers, there is a reboot required, no ifs ands or buts. Subsequent upgrades may not require this (as I don't constantly upgrade nvidia drivers on windows machines).

My original point still stands, installing drivers requires a Windows reboot (under certain circumstances).

Jeez, this is /., where did all these Windows defenders come from anyway?

Re:Design pattern

[GlassUser]

I've been here all along. And I consider myself more of a truth defender than a windows defender. I'll happily bash FUD for any side.

I think a reboot is required when one driver doesn't "fit" the hardware in place. I'm not sure of the specifics. But in my experience, if any driver (except for a mass storage driver on which the boot volume resides) requires a reboot, you're probably using the wrong driver, or a very poorly made "driver install utility".

So yes, I suppose your point stands, but only really if you're not using the right driver.

Re:Design pattern

[Anon+E.+Muss]

So tell NVIDIA and ATI to 'fix' their drivers, since they don't fit into your reboot logic.

You're right. Changing display drivers also requires a reboot. My mistake.

I can change Nvidia drivers at will with no reboot in Linux, and that's impossible in Windows.

Can you do it without shutting down X, and all running X applications? Is that really so different than than a reboot?

what is a boot disk driver?

It's the driver that controls the disk device containing the Windows system directory. This driver can't be unloaded because the filesystem mounted on top of it can't be unloaded (since at least one executable process will be running from it, smss.exe if nothing else).

Is it something that you'd use if you, say, hot swapped your boot drive from IDE to SATA?

That's a highly unlikely scenario. More likely is that you just want to install a newer version of the same driver.

Re:Design pattern

[TerminaMorte]

When you change graphical drivers in linux, you'll have to restart X.... which is surprisingly similar to restarting Windows.

All programs close, and you have to log back in. Unless Linux is superior in the repesct that you don't have to go through POST. ;)

In Windows, I didn't have to restart when installing my nvidia drivers.

Re:Design pattern

Rembering the last time I did systems level programming on windows ('97? nt 4.0?), we had a lot of grief getting the 'service' to start up reliably. ie. when the system boots vs. when a user logs in. Even the difference between admin and regular users.

Suggested solutions ranged from a different version of windows (management), a faster processor (sales), any type of Unix (engineering, myself and another member had already done this with 1/10 of the hardware 4 years earlier). The only thing which worked consistantly was to kludge (with appologies to ugly hacks everywhere) together a device driver.

Re:Design pattern

[Afrosheen]

"Can you do it without shutting down X, and all running X applications? Is that really so different than than a reboot?"

It's very much different than a reboot. My system keeps running, but the 'paint job' stops. You could have other processes in the background doing their job (like copying files in another shell or whatever) while you do the update. You unload the old kernel driver, load the new one, start X back up.

Re:Design pattern

[Sigma+7]

Wrong! Installing drivers is not a major cause of reboots on Windows. The only time you absolutely need to reboot is if you update the boot disk driver.

I've required post-install reboots in the following situations:
- Video device driver installations. (Win95-A also required restarting when you changed bit-depth.)
- Microsoft Age of Mythology, when it installed MS-XML on a system that did not include it previously. (Which seems to explain why it needs Admin privilages to install. System was XP.)
- Clone-CD, which needed to install a custom driver for it's CD management. (Not sure if the latest version has this problem on XP, but a previous version did require a restart.)
- Installations that need to update a file, but where that file is in use by another process. (E.g. Installing Getright 5.1 when Getright 5.0 is running - although the newest installers will attempt to shut down existing instances of Getright.)
- One version of Norton Anti-Virus needed a restart to get working on WinME. (Not sure if it's required to get the driver installed, but at least one restart was required in WinME if you didn't apply the update that fixed a known crash.)
- Rude installers that simply shut down the computer without asking (or giving an option otherwise). Best way to work around this using the Group Policy editor and require typing in a reason for reboot - if this isn't available, open up Notepad and type in something. As a last resort, you can use Task Manager (or Process Explorer) to kill the process that's about to do the restart.

Re:Design pattern

[Taladar]

As there are lots of applications for almost any application domain imaginable on Linux that do not require X there is a real difference between a reboot and a shutdown of X. This is especially true for servers since 99.9% of server apps don't require X to run/keep running on Linux.

Re:Design pattern

[Taladar]

You should have a look at these little things called "daemons" and "console programs inside a screen session". They don't seem to be disturbed at all by restarting X or logging out.

Re:Design pattern

[DrSkwid]

All programs close

Not true, in fact you could write your X applications to keep executing and re-attach once the X server was running again if you felt the need.

My music runs as a background process for this very reason. If X goes down I don't want it to take my music down with it.

Re:Design pattern

[TerminaMorte]

All programs that an average user would be activily using close, and you know damn well that's what I meant.

So unless you're trying to point out that apache wouldn't be affected like this (and I'm sure that all desktop users have such things running), my point stands.

I'm talking about the graphical UI, not something on tty1.

Re:Design pattern

How about VMWare on Windows? By God, it creates local accounts on a system and a huge list of device drivers. But I for one trust the local accounts that I have no friggin clue as to the password.

Re:Design pattern

[Lost+Race]

] strings mnmdd.sys

VS_VERSION_INFO
StringFileInfo
0000 04B0
CompanyName
Microsoft Corporation
FileDescription
Frame buffer simulator
FileVersion
5.00.2134.1
InternalName
videosim.sys
LegalCopyright
Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename
videosim.sys
Product Name
Microsoft(R) Windows (R) 2000 Operating System
ProductVersion
5.00.2134.1
VarFileInfo
Translation

Re:Design pattern

[JohnFluxx]

When a program wants to read or overwrite a file that is open by another program, windows locks the file preventing this.

To get round this the solutions I found on google are to write your own file system device driver. Many such drivers are available to buy.

Re:Design pattern

[C0vardeAn0nim0]

this kind of behavior dates back to the PC/XT era when some clever lotus programers used to bypass DOS for a gain in performance.

i dont blame the 3rd party programers here. i blame MS shody work that forces them to this.

see previous examples of "disk intensive" software that installs drivers to compensate for windows lack of performance. you dont see schillys cdrecord package installing drivers in linux, BSD, Solaris, etc. to work properly. and i can still listen to music and surf the web while it burns a CD. and is not that i have some sort of ubermachine. i could do this in a K6 400MHz box...

burning a cd, browse the web and listen to music in a K6 400MHz running windows...

microsoft improved lots of things in the last years, but it _still_ lags behind.

Re:Design pattern

[Mattintosh]

Oh noes! I am deathly afraid of a hidden device driver called "Null" on my machine! I wish I could just do like those Linux guys do and send it to /dev/null!

Oh, wait... :)

Re:Design pattern

buffer overflow a HDD controller driver, and you potentially have 100% unprotected access to the harddrive. buffer overflow a chipset controller, and you potentially have the access rights to completely remove all memory protections on the system.

yes, drivers ARE much more dangerous then any application could have ever have dreamed to be. i would rank driver exploits right up there with kernal exploits.

Re:Design pattern

[davidstrauss]

Hence my suggestion that it's often DRM.

Re:Design pattern

Exactly, if you run a (bunch of) server(s) you probably won't run X, and if you do you're not going to upgrade the graphics drivers unless it's a distro-released security fix. "3 more OpenGL FPS on teh MySQL server is teh win!!!1111" Nah...

For the absolute majority of home desktop Linux users who run a graphical desktop environment and who also care about gfx driver updates, I'd say that there's no practical difference beteen restarting X and restarting Windows.

Then again, going by what's posted on Slashdot, many of my fellow desktop Linux users seem to give a shit about their precious uptime, for some strange reason...

Re:Design pattern

we had a lot of grief getting the 'service' to start up reliably.

You must have been working with Windows 9X. NT was designed from the start with the concept of services, and has always been 100% reliable in managing them. I prefer to think of 9X as a bad dream, which luckily I woke up from as soon as NT 4.0 was released.

Re:Design pattern

[Anon+E.+Muss]

When a program wants to read or overwrite a file that is open by another program, windows locks the file preventing this.

Just to be 100% technically accurate... Windows itself holds executables open while they're running; the handling of data files is entirely up to applications. An app can allow other processes to open the file for reading, for writing, or not at all. Don't blame the OS if an app asks for exclusive access to the file.

One hardware driver one from way back.

Sending a modem user a ping with +++ATH0 embedded. As soon as it was returned, those modems with defective modem drivers that didn't filter anything would hang up. Quick simple DoS.

Surprisingly it still works on some systems more than 18 years after I first tried it.

Re:One hardware driver one from way back.

How exaclty does one "embed" something in a ping cmd, and what does +++ATH0 mean?

Re:One hardware driver one from way back.

[erlenic]

Some ping programs let you specify the payload in the ping packet. It's usually just used to bloat the packet for MTU testing.

+++ATH0 is the modem command to hangup.

Re:One hardware driver one from way back.

[rpozz]

On Linux/UNIX, you simply construct a custom ICMP packet (similar to a ping packet) using a language like C. I imagine a driver had to be used in Windows due to some issues with doing this with WinSock.

+++ATH0 is the command you send to the modem to make it hang up.

Re:One hardware driver one from way back.

[corsec67]

+++ is the modem comand to break out of the data mode and go into command mode
ATHO means "hang up"
so, "+++ATH0" being sent from the computer means hang this modem up now!

to embed that into a ping, use the "ping -f data" command, with data being +++ATH0 in aschii/hex

Re:One hardware driver one from way back.

> How exaclty does one "embed" something in a ping cmd, and
> what does +++ATH0 mean?

ping -p 2b2b2b415448300d

+++ puts a modem into command mode
AT tells it to come to attention
H0 tells it to change hook status to 0 (which means hangup)

when this is sent from a machine connected to a modem that's vulnerable, it will tell the modem to execute those commands. The return ping is what does this.

Re:One hardware driver one from way back.

[kernelfoobar]

You can embed a pattern of characters in ping like so(at least in linux):
ping -p 'ATH0+++' 127.0.0.1

as for ATH0+++, it tells the modem to hangup basically. If the right conditions are right (OS, drivers and hardware) the pattern string is passed as is thru the modem and evaluated. Google for >modem AT commands.

Re:One hardware driver one from way back.

[AndroidCat]

That should only work with modems that took the cheap route. +++ is supposed to be wrapped with a guard delay that would prevent that. (There's probably some vulture lawyers still charging licence fees for Hayes' patent on that.)

Re:One hardware driver one from way back.

[BurntNickel]

On the modems that I used it was required that there be a one second pause between the +++ and any following characters to get to command mode so I've never seen this actually work.

Re:One hardware driver one from way back.

[kernelfoobar]

sorry, it's +++ATH0 not ATH0+++ as probably by now others posters have replied.

Re:One hardware driver one from way back.

[kernelfoobar]

I actually have done this and it does work on some modems, pretty cool actually. Think: someone might try to view comments and keep getting disconnected right at this moment.

Re:One hardware driver one from way back.

[Myria]

REAL modem drivers would use ATS2=255, which disables the +++ string. Then, to hang up, you drop the Terminal Ready (TR) bit of the serial port. This way, there is no string that can hang up the modem.

Melissa

Re:One hardware driver one from way back.

[codegen]

That's sort of the point of the ancestor post. Some drivers do not do that and are succeptible to the attack.

Re:One hardware driver one from way back.

[BurntNickel]

That's quite an amusing thought.

I used to see the sequence in people .signature files some time ago. I gess that got a kick out of diconnecting people reading email or usenet.

Re:One hardware driver one from way back.

someone might try to view comments and keep getting disconnected right at this moment.

How would that happen? The command has to be fed to the modem from the local system. If they type it into a reply and post it, then I could see that happening, but not just from reading. This is why the original poster said that it should be in a ping command -- the reply causes the hangup, not the ping.

Of course, there's also the point that someone else made that the modem is only supposed to enter command mode if the +++ followed (and preceeded, I think) by one second of guard time.

Re:One hardware driver one from way back.

All of these replies and no one remembers doind this to hapless IRC users?

/ctcp ping +++ATH0

You soon learnt the proper initialisation string to stop your modem hanging up. Something to do with setting the proper mask in one of the S registers, if I remember correctly.

Re:One hardware driver one from way back.

[pomo+monster]

Yeah, there was a Slashdot story about this a while back. Good reading.

Re:One hardware driver one from way back.

[Anon+E.+Muss]

The delay after +++ was patented by Hayes. After the "Hayes AT standard" was firmly established in the market, Hayes started suing other modem manufacturers for patent infringement. Many decided to remove the delay requirement rather than pay royalties. There are a lot of modems that will hang up if they receive "+++ATH0\r" in a continuous stream.

Re:One hardware driver one from way back.

[pugnatious]

err, excuse me, since when do modems have "drivers"?

Re:One hardware driver one from way back.

[MSZ]

Some modem makers have licensed Hayes patent and they require 1 second pause between +++ and ATH0, so the trick won't work. Many others decided to skip this patent and instead check for valid command after +++.

A number of ISPs had this kind of modems, so some fucktards used to put this in their sigs. (oh well for typical luser it's enough to put "press alt-f4 for more details" in the sig ;-))

There was even an attempt of using complex commands to make the modem dial back. That didn't work, unfortunately...

Re:One hardware driver one from way back.

[zerbot]

People put it in .sigs in order to nail the kinds of people who didn't trim before replying, including trimming the .sig.

Re:One hardware driver one from way back.

[AndroidCat]

Some modems would only accept the +++ string if it was on the outgoing side (to the phone line) so that the far end couldn't monkey with commands and settings. BBS operators still had to worry about echoing +++ back out and some software would add a nul in the middle. I usually turned it off completely and used DTR to drop the connection.

Re:One hardware driver one from way back.

sorry about the moderation dude.

its true, mods are retarded.

Re:One hardware driver one from way back.

[ChadN]

Everytime I try to read your comment, my modem disconne...LOST CARRIER

Re:One hardware driver one from way back.

[Tim+C]

Flamebait my arse.

Come off it mods, that was funny! What harm does it do? What's up, get caught out and taking your embarrassment out on the poster?

Re:One hardware driver one from way back.

[DickBreath]

since when do modems have "drivers"?

Since Windows.

Re:One hardware driver one from way back.

[packetl0ss]

Since the time that they felt like cutting costs in modems by reducing the actual features they provide in the hardware itself and emulating those features in cheaper software ("drivers") that use the system's CPU power for them, such as what they did back during the "RPI" modem days.

"Rockwell Protocol Interface (RPI(TM)) is a technology that allows error correction and data compression (ECC) technologies to be performed in the PC host computer, rather than in the modem hardware, as has been done traditionally." ... "RPI lowers the cost of traditional modem hardware by redistributing the Error Correction and Data Compression (ECC) processing load from the modem to the host computer, eliminating the need for external memories (RAM and EPROM) and allowing lower cost controllers to be used. This drive to lower the component cost was strongly driven by modem vendors desiring to offer the lowest possible end user price."

Re:One hardware driver one from way back.

[packetl0ss]

There are a lot of modems that will hang up if they receive "+++ATH0\r" in a continuous stream.

If those modems disconnect from that, does that mean one could also tack on ATDT911 after that +++ATH0 and make someone's vulnerable modem dial 911 after disconnecting from a single ping packet?

Re:One hardware driver one from way back.

Since modems have been used, moron.

Re:One hardware driver one from way back.

Since modems have been used, moron.

Complete and utter bullshit. If you were older than twelve, you'd know that is not true.

Easy solution

[product+byproduct]

Code the device drivers in Rexx.

Re:Easy solution

[maxwell+demon]

Not only device drivers! :-)

For who is that news ?

[alexhs]

Who was saying that user-mode device drivers, as done in true micro-kernels like QNX, was an inefficient design, again ?

Re:For who is that news ?

[Ezdaloth]

And how will a that help? A device driver is still a device driver, and as such has (and often needs) full access to you computers hardware. So a flaw in one such user-mode driver can still make your whole system vulnerable.

Re:For who is that news ?

[alexhs]

A device driver is still a device driver, and as such has (and often needs) full access to you computers hardware.

No, it only needs full access to the device it handles. Therefore, if your sound card driver goes berserk, you just need to restart it, it can't possibly break something else. If it needs access to other components (say you need access to timers to sample audio), you access those other components like any other application does, sending a message to the timer driver.

Re:For who is that news ?

[Ezdaloth]

As far as i know there is no way to restrict a driver from accessing hardware registers it shouldn't access. (some CPU's can .. but most OS's don't use the technique) So i think in case of an exploit the driver can still screw the whole system.

Re:For who is that news ?

[alexhs]

As far as i know there is no way to restrict a driver from accessing hardware registers it shouldn't access.

Huh ? What registers ? That's what context-switch is about : program "owns" all CPU registers while it runs, but it doesn't have access to the saved registers (context) of other tasks.

Device driver is just another user app (well, dynamic library is more accurate) that happens to access some piece of hardware directly.

Re:For who is that news ?

[oxygene2k2]

(talking x86 here, it's usually quite similar on other arches)

by default the inb/outb family of instructions is privileged - so you need supervisor/ring0 (ie. kernelmode) to execute them and there's a trap otherwise (which delegates to kernel, which can _check_ your arguments against some tables and grant your call, or not)

unfortunately in OSS unices there's a workaround in that root (uid 0) gets those calls for free to make xfree86 (and derivatives) happy.
this workaround doesn't check if you're actually writing to the video card (so reprogramming the IDE controller would work, if you're fast enough to fit your data between two attempts of the kernel to manage IDE)

Re:For who is that news ?

[anti-NAT]

I think the parent is referring to the IO ports (sometimes called registers) on the IO bus, not the CPU registers.

there are many examples ...

[tronicum]

Most direct disc access (antivirus) or "personal firewall" products install theirself as driver between the physical and logical layer.

This leads to many problems like stuff found recently in almost all Computer Associates eTrust Antivirus products. Because Zonealarm licenced the same software, they were affected, too.

This is just one example of many :

• McAfee
• Trend Micro
• F-Secure
• Symantec

So many well known enterprice Antivurs/Firewall companys create drivers that lead to security flaws and it is not limited to Windows....

Re:there are many examples ...

[AndroidCat]

Note that this applies to scanning streams for virus content, not the basic port blocking. Actively scanning all network traffic for last week's list of known viruses seems wasteful and a violation of KISS.

Re:there are many examples ...

[Spoing]

So many well known enterprice Antivurs/Firewall companys create drivers that lead to security flaws and it is not limited to Windows....

Thanks for the information. Do you have any examples of non-Windows operating systems that have this category of problem in firewall software? (Antivirus not being an issue except for pre-OSX Macs.)

Video games are the worst offenders

[Myria]

Video games' copy protection systems install device drivers like crazy to try to prevent CD-ROM emulators and such. Others install drivers to prevent cheating. When they do this, they often mess up the system involved and leave the system vulnerable to attack.

For example, a few months ago, the nProtect anti-cheat system, which installs device drivers, had a buffer overflow in it that allowed local privilege escalation.

Melissa

Re:Video games are the worst offenders

So Netscape was trying to prevent cheating when they broke IE?

Re:Video games are the worst offenders

Of course, because Netscape Engineers Are Weenies

Multimedia Keyboards

[Lucractius]

seems these are almost everywhere these days. and with all the odd keys a lot of them Do need their own custom drivers for the extra keys and knobs and dials etc.

whatever happend to the good old days when an IBM model M was all you needed :)

Re:Multimedia Keyboards

[AndroidCat]

Old days?

Re:Multimedia Keyboards

[imsabbel]

Isnt that all in the basic HID usb drivers?
I for my part never installed ANY drivers for keyboard or mouse, but the "page forward/back" buttons of the mouse worked at once.
The same with my new usb keyboard... plugged in... "new HID-usb device found", after that the volume control buttons/program shortcut buttons worked at once.

Re:Multimedia Keyboards

[rokzy]

the worst is logitech mouse (MX900). it wants you to install shockingly ugly control software which not only wastes resources but reduces functionality.

the box says it supports IE only (a mouse suporting a browser!? wtf!?) which refers to the forward and back butons. but if you don't install the crappy software, the buttons work fine in firefox.

I suspect the main purpose of the software is just to try to force a taskbar icon on users to act as a form of self-advertising. it certainly isn't to make the mouse better.

Re:Multimedia Keyboards

[Sigma+7]

Isnt that all in the basic HID usb drivers?

No - there was a class of multimedia keyboards released in the Windows 95 era, which generally required a customized driver.

One example:
- The keyboard that was with a NEC computer purchased in ~1997 had kays that allowed launching special tasks. At the time, a special driver was required as well.
- Some functions of the driver adjusted sound volume, and provided visual feedback on the screen. This OSD was not compatable with DirectX/OpenGL applications and tended to mess up the display.
- There was also a problem with the keyboard where it would sometimes stop registering keys. Uninstalling the specialized driver fixed the problem, and it returned when the driver was re-installed. (I know this is a software problem, as I written assembly to reset the keyboard state. I know how to duplicate this problem in software - it's not a hardware issue at all.)
- Aside from volume control, none of the "multimedia" functions were really used.

BTW, at the time, the "multimedia" buzzword was applied to any animated video with sound, even if it was a small 64x40 clip as was done in some "educational" software that couldn't tell the difference between a correct answer on the first try, and a correct answer after trying every other possible combination.

Re:Multimedia Keyboards

[shiber]

Windows 2000 added support for new keyboard keys (VK_VOLUP, VK_VOLDOWN, VK_BACK etc'), so win2k, XP and win2k3 don't need any extra drivers for most multimedia keyboards/mice (including all Microsoft peripherals that I've come across). However you'll still need to autostart some background process if you want an OSD. I can think of a number of design patterns that would avoid this problem and perform better. I kinda like the OSD for the volume on my multimedia keyboard (it resembles a television volume OSD and looks quite nice), although it takes more than a second to appear if the disk is very busy (and also delays applying the volume change, which stinks).

Re:Multimedia Keyboards

[WarPresident]

whatever happend to the good old days when an IBM model M was all you needed :)

Whaddaya mean "good old days"? That's what's on my desk, now. I've got two more in storage in their original packaging for when this one gives out (14 years and counting). Hopefully, the PS/2 style connector won't be abandoned on motherboards in the next 30 years...

Re:Multimedia Keyboards

[EnormousTooth]

Same here, though I've only had this one for maybe 3 or 4 years. Electronic swap meets are a perfect place to find them.

Re:Multimedia Keyboards

I'm with you bro

Re:Multimedia Keyboards

[Lucractius]

Well unfortunatly for me im in australia... and belive me.. model M keyboards not only cost an arm and a leg to get imported they also never turn up localy cause theyre that rare anyone smart wont let them go.

Oh the things id do/give for an IBM model M13 in that lovely lovely IBM Stealth Black Seriously... if anyone would contemplate an act of supreme generosity? Perhaps you have one but dont like the Black one so use one of the white ones... damn i sound pathetic lol... oh well *holds up placard "will drop pants for IBM model M13 in IBM Stealth Black " *

and yes these days with the extra key functinality built into the os most keyboard drivers are control software things of varying quality.

No surpise!

I am not surpised you get this closed source drivers.

Long live open source drivers!

Re:No surpise!

But it's fixed quickly and eyes can search for them.

Closed driver make it nearly illegal to disclose the flaw.

Re:No surpise!

[ocelotbob]

RTFA. There are lots of open source drivers with this flaw too. Drivers are an oft-overlooked area regarding security problems, in both open and closed source drivers. While closed source is a bit worse for this, open source isn't exactly smelling like a rose either.

duh.

[Crimson+Dragon]

To cite poor design as a source of security vulnerability is to state the obvious. We spend so many man hours fixing problems that didn't have to exist in the first place, that we cannot address the problems that came inevitably over the course of implementation of software packages and protocols.

Re:duh.

[TubeSteak]

You'd think that by now, programmers would have automated tools to check for buffer overflows...

I'm not a programmer, but from what I've read on /. lazy programming is the main explanation for missing/improper bounds checking.

Is it really that hard? Does it take that much more effort?

Re:duh.

[Crimson+Dragon]

Not too much, but when bosses are breathing down your neck to get it done, the simple things sometimes slip.

The market culture is just as bad for this kind of code as the mistakes of the coders, as it often forces poorer designs or the poor code due to profit motive.

Re:duh.

Ah, but good design only works in theory (not in practice) because Linus said so!

Woah

[pHatidic]

Did anyone else read the headline as "Cowboy Neal Drivers Flawed, Pose Risk?"

not that easy

[roman_mir]

let's say there is a driver and it allows a buffer overrun to execute some attacker's code. Well to get to the driver the attacker has to first go through a user application. So there is a problem when the combination user application/device driver both have a problem validating the same input. I am not saying this is impossible, but it would be more unlikely - there must be a great coincidence at work here. Besides normally user applications do not pass user input directly to the device drivers. The user applications translate input from user form to some implementation specific device driver input. So more likely than not there is a layer of input transformation between the user and device driver.

Now to go around this problem the attacker may need to get the user to execute some code on the machine and this could mean that if the code is executed - even on a Linux box for example, and the code exploits a device driver flaw, due to the monolythic kernel structure of Linux it is in principle possible to execute code that will say change user privileges to admin level. I guess this would be much more difficult with a microkernel approach like what Hurd is supposed to be, because even device drivers will run in managed memory mode.

Re:not that easy

[globalar]

I agree, exploitation is tricky and I don't really expect major problems here. However, security concerns often parallel issues with stability/reliability.

Seeing as how drivers are often closed source - even some on Linux - we rely upon IP holders and their developers for both design and maintainance. Rarely do you get good service in both areas. Especially when drivers are "free" (i.e. you pay for the product and get a driver with it), maintainance is not popular among businesses unless it is a major piece of the profit model.

Further, drivers are often essential for functionality. Endusers do not get to be too picky about which driver they use - you either take it as is or don't use the product. There isn't a lot of competition for drivers, so quality suffers.

Re:not that easy

[Gary+W.+Longsine]

Good point. However, it doesn't need to be easy, it just needs to be easy enough for one sharp cracker to figure it out.

Today there are literally thousands of variants different worms exploiting dozens of different buffer overflows. Most of them are derivative, relying on published source code produced by one person, and sometimes on a toolkit. If there are dozens or hundreds of buffer overflows in commonly used device drivers, they will get discovered and some of them will be exploited. Some of them might be exploited already by crackers with goals other than using worms to create fleets of botnets.

Re:not that easy

[TwistedSpring]

Not necessarily. In the case of network drivers, drivers installed by firewall software, and so on, the attacks can easily be performed remotely by sending stuff over the network. However, I think that any case where a network driver will contain a flaw exploitable by stuff sent over the network will be quite rare.

Drivers on Windows NT are reasonably well protected. If a driver attempts to do something it's not supposed to (like access an address outside of its assigned address space) this will be trapped by the kernel and you'll get a STOP error (BSOD). That's what the STOP errors are for, any event where a device driver has performed an action that could compromise the data in the system if the system were allowed to go on running. It's also why STOP errors drop you out to standard VGA text - to avoid using the graphics drivers anymore.

Probably the greatest security flaw you could acheive in a driver is a denial of service, although they run at the kernel level, they still don't have system-wide access. There may be some way to gain that, but I doubt it. They certainly don't have access to user mode, and to access disks and e-mail clients and so on they'd have to go up to user mode level. Due to the lockdown on their address space drivers cannot communicate with oneanother, and in order to access the disk or network they'd need to do so through another driver which they can't "see".

So the most you'd get is a BSOD, which is annoying, but you can always head into safe mode and disable the driver to fix that. If the exploit was in a disk driver or something, you could be very, very fucked though.

Re:not that easy

[0racle]

I think that any case where a network driver will contain a flaw exploitable by stuff sent over the network will be quite rare.

Are you sure?

Re:not that easy

[BuishMeister]

well, in case of the network drivers and remote attackers the situation is exactly opposite. The driver is the first thing that sees incoming packet from the network, so if it contains any buffer overflow vulnerability the attacker will get a chance to embed his code directely into the OS kernel without tripping any of the OS protection mechanisms.

This is true for both linux and windows, because on these systems all the drivers run with exactly the same privilige level as the kernel itself

Re:not that easy

[jdh41]

So instead of actually executing code remotly they just get an easy to achieve DoS? While one is marginally better than the othre, having no problem at all is preferable.

Re:not that easy

[TwistedSpring]

Those are not drivers. Those are flaws in device firmware, which is a different matter entirely.

Re:not that easy

[0racle]

Interesting way of looking at it since ISS BlackIce Personal Firewall and BlackIce Server Protection, both mentioned as vulnerable in each of the links I provided, are host based firewalls and as such have no firmware but drivers that hook into the underlying OS.

Re:not that easy

[TwistedSpring]

Oops. I got the impression from the reports that they were independent devices. Sorry. Clearly a hardware solution would've been better than buying one of those products :)

Re:not that easy

Probably the greatest security flaw you could acheive in a driver is a denial of service, although they run at the kernel level, they still don't have system-wide access. There may be some way to gain that, but I doubt it.

Kernel level (Ring 0) = system-wide access. If you're in Ring0, you can do pretty much everything. E.g. call the kernel directly bypassing antiviruses/firewalls, hook the kernel functions to fool them, patch/terminate running processes etc.

Re:not that easy

[Foolhardy]

All drivers run in the same kernel mode virtual address space (usually the top 2GB) plus the current process's virtual address space. Drivers are free to call the native Zw* functions, the ones that don't do security checks or validation. Drivers can access the same Object Manager namespace as everyone else so there aren't any 'hidden' drivers.

There's nothing stopping a driver running malicious code from connecting to the \Device\Tcp device to open a socket, using ZwCreateFile to copy a malware app into the Windows directory and using ZwCreateKey to install it as a new service.

There's also nothing stopping a driver from posting a kernel APC onto a thread from a user-mode victim process so that the driver can load malicious code into the process. After that, it's as simple as changing the thread's thread environment block to return into the new code's address. The next time the thread is scheduled, the malicious code will be running. All with zero access checks.

STOP errors do in fact occur when a driver tries to access certain read-only memory sections. These are sections that were setup at boot time and should never be changed. You're right about the purpose of STOP errors (die if there's any chance of corruption) and why the video drivers are avoided.

Network Security & Chinese Military

The flaws in the network driver are a key means by which Taiwanese hackers working for Beijing break into your computer. There have been numerous incidents in which people's personal information (i.e. social security numbers) were literally copied by the errant device driver and e-mailed to Beijing.

The Chinese are not merely specialists in torturing Tibetans but are also specialists in identity theft

Re:Network Security & Chinese Military

Don't you have a job? How many times have you posted that crap now? Don't you realise by flooding slashdot with your crap that you completely undermine the integity of that site you link to?

Re:Network Security & Chinese Military

Maybe his job is to completely undermine the integrity of that site?

MOD PARENT UP INFORMATIVE

[Winckle]

very useful information in all links provided

definitely

This is true, if you can get full admin access from within a networked printer you can definitely take advantage of poorly written device drivers as well. Remember software is just language, written by humans. Software will never be perfect.

Re:definitely

#include
#include
#include

int main {
cout "HELLO WORLD\n";
getch();
return 0;
}

ATI

[sabernet]

Well, ATI's drivers have always been nasty. Now I can call them "viral"? :)

Re:ATI

[Jeff+DeMaagd]

I've seen many complaints about ATI drivers.

The odd thing is, I have owned more ATI cards than any other brand ('cept maybe Matrox in my older systems), and I've never really had a notable stability or performance problem with ATI drivers, except with the installer for a Fire GL X1. For some reason, you have to have the card in the computer to get to the point where the ATI installer will let you get to the point where you can uninstall the drivers.

Re:ATI

1994 called...

Re:ATI

[sabernet]

My AIW 9600 Pro card catalyst drivers installed easy enough, although there was a slight glitch in install. However, my Remote wonder constantly failes to be recognized, the multimedia center files and drivers need to be installed seperately in a certain order hopefully only once. Even there, I often still get glitches with the dual screen mode and "Theatre" overlay mode.

As well, the new .NET cat. drivers take far too long to load the control center.

On top of that, I remember a while back there was a card(maybe someone remembers this and can remind me which one), where a BSOD was part of the normal installation procedure.

Why is this a bigger risk on windows?

[Weaselmancer]

I've noticed that software you wouldn't expect sometimes installs a device driver component. I can understand this as a component of an antivirus or host based firewall, but it seems to be an oddly common design pattern on Windows, which clearly poses substantial risk.

So why is this a bigger risk for Windows? After all, what is a software driver to windows? Essentially another DLL that starts at boot, right? Well...plenty of apps install those.

My point is, why does having it be a driver make it more sinister? The system has scads of ways to autostart a DLL with full privileges.

Re:Why is this a bigger risk on windows?

My point is, why does having it be a driver make it more sinister? The system has scads of ways to autostart a DLL with full privileges.

My experience of Windows is somewhat limited, but surely software can only obtain full privileges if users log in as Administrator? That's the difference I'm seeing.

Re:Why is this a bigger risk on windows?

My experience is limited as well, but I would assume there's some facility not unlike SETUID.

That aside, though, there's a lot of poorly-written software out there, even from the big boys, that can't properly handle restricted user accounts and requires you to log in as an administrator. It's quite daft, but that's the world of Windows (and, in some cases, Windows developers porting to Mac OS and Linux).

Re:Why is this a bigger risk on windows?

There is a setuid facility (impersonation), but unlike Unix, you need to know the password of the target account.

Apparently some Mac apps abuse the setuid facility but installing as setuid root (usually in order to implement copy protection). Still better than running the whole desktop as admnistrator, though.

Re:Why is this a bigger risk on windows?

[Gary+W.+Longsine]

An individual instance of a given buffer overflow exploit in a device driver in and of itself is not really a bigger risk on Windows. It just seems to be a more common design pattern on Windows systems, thus creating more opportunities for exploit. (Several fine examples of questionable use of device drivers, and some associated known vulnerabilities are discussed by others here).

The referenced article at Security Focus points out that inspection of device drivers in Linux revealed similar defects in device drivers.

Device drivers are more interesting than user land software because they run in kernel space, allowing the exploit to be immediately useful to perform nasty things like install rootkits and trojans, log keystrokes, etc.

Re:Why is this a bigger risk on windows?

[TwistedSpring]

Device drivers cannot obtain full "privileges" because privileges are a user mode concept. Device drivers are tied down by the kernel, they can only do what the kernel allows them to do. If they try to do something else, you get a BSOD. I'm not sure if this works the same with drivers compiled in to the Linux kernel, but I guess there's similar security there too, and nobody compiles drivers into the kernel anymore.

Any exploit on a driver would not be able to do anything too drastic other than throw up a BSOD, unless it's a driver for a hard disk, in which case you could be in trouble.

Re:Why is this a bigger risk on windows?

[Ezdaloth]

A device driver has unlimited access to software and hardware of the system. Applications with administrator rights still can't access hardware directly. (Though they can install a device driver to do that for them ;) So a device driver virus could for example take over your network card, and do nasty stuff without your personal firewall noticing it.

Re:Why is this a bigger risk on windows?

[rtb61]

Most anit-virus programs and firewalls install parts of themselves as device drivers, perhaps that gives you a hint as to why it is a greater risk.

How to make money from this

1. Identify a target corporation (for example, one that makes most of its money from leasing).
2. Write a virus that inserts itself into Excel and subtly changes the results of certain spreadsheets used to calculate the cost/value of leases - by about 1%, no more.
3. Buy a small manufacturer of CDROM drives.
4. Insert the virus into their device drivers.
5. Sell the resultant equipment really cheaply to your target.
6. Wait four years until the target co. thinks it's solvent (according to your buggered spreadsheets) but actually isn't.
7a. Sell this information to a rival that wants to take it over / take it out of the market.
7b. OR Blackmail the target, threatening to reveal its status to the market / the authorities.
7c. OR Short-sell the target's stock and then make the news public.

The money you make from step 7 will be a substantial return on the investment ($10m or so?) that you made in step 3.

Re:How to make money from this

[YrWrstNtmr]

Oh please. That chain of events is so silly as to be worse than the current SCO antics.

Certain spreadsheets...
Which ones? Identified how? You have specific information of exactly how they compute cost/earnings?

Buy a small manufacturer of CDROMS
Uh, yeah. OK.

Sell the resultant equipment...
How many corps buy individual CDROM drives? How do you convince them to buy yours?
Keep other companies from buying your borked CDROM drives?

Wait four years...
By which time they will most likely have changed Excel versions

until the target co. thinks it's solvent
What? No discrepancy noticed by the accounting office? An outside financial evaluation? No accountant working at home on an unborked drive? Right.

Invest $10M to be able to blackmail another company? Sure...that'll work well.

You forgot Step 4.5: Pay off everyone involved so someone doesn't spill the beans.

+1 Interesting? Only if you think SCO or Enron's actions are viable corporate strategies.

Re:How to make money from this

[wolrahnaes]

"4. Insert the virus into their device drivers."

They must be running very outdated OSes...

Between 5 CD-ROMs, 3 CD-RWs, 1 DVD/CD-RW, and 1 DVD+-RW I have never needed a driver on any OS other than DOS. Even for DOS, it still just used a generic driver which shipped with the OS, not a manufacturer-provided piece of software.

Re:How to make money from this

[WoTG]

Agreed. However, what about writing an anti-spam, anti-virus, or anti-spyware app and giving it away to businesses on some sort of introductory "promotional" offer?

Even better, with these programs there is a valid reason to connect to the internet (i.e. to get definitions and app. updates). It would probably cost less than 10M too (mind you, creating a CDROM brand from scratch doesn't cost nearly 10M, outside of a handful of top-end firms, it's all private label + customizations now).

Have you ever asked yourself...

[ratta]

why so many video card producers do not want to release specs?
Because with DirectX/DRI programs in userspace can access directly the hardware, and since the hardware is flawed they could easily gain root/Administrator privileges :-)

Re:Have you ever asked yourself...

[MassacrE]

That is just one reason, the other being that they usually will have licensed technology that is covered under trade secrets, or consider their own tech a trade secret.

But yes, The memory management unit only protects memory from the CPU. A hardware device which uses main memory can be exploited to get past all operating system memory management. For example, unprotected blitting access could allow you to blit kernel space into an off-screen buffer, patch, and blit back your exploit.

Re:Have you ever asked yourself...

[Quantam]

Not possible. At least in Windows. User mode code cannot access the hardware without the kernel enabling some processor flags. You'd have to find an exploit to get your process (very) priviledged before you could directly access the hardware, not the other way around.

Commas, everywhere

Sometimes too many..

Re:Commas, everywhere

They're not commas, they're semi-shatners.

ugh

[Mr.+Underbridge]

As Linus once said, "Given enough eyeballs, all bugs are shallow." If board makers would GPL there drivers or even send one free of charge to a kernel developer, we would not have this problem.

1. Linus didn't say that, Raymond did. 2. By your own analysis, all famous open-source projects should be bug-free, right? Like Firefox, right?

Stop drinking the kool-aid. Open source is not a panacea for all software development problems, and Raymond made a lot of sweeping generalities in the book you're quoting, many which make for great sound bites but are absolutely irrelevant.

Re:ugh

[Nimrangul]

While it is true that open sourcing something doesn't necessarily help with security issues simply by being open, it does give a better chance of finding those issues in a timely manner.

Now, I'm not saying that hackers will go and start fixing open source drivers just cause they're there, some will, but it is not something to count on. I am saying that crackers will go into that code and find the problems and start using them.

Once the bad guys see how something works exactly they can set up exploits much more rapidly - causing the code's maintainers and architects to fix these flaws both minor and major.

Do you not think that if drivers were open sourced we'd see a much more rapid developement of exploits and subsequent fixes?

This increased rate of reaction would in the end lead to a more mature and secure driver set; although for a time it would likely be hell for system administrators and home users.

Re:ugh

[Abcd1234]

1. Linus didn't say that, Raymond did. 2. By your own analysis, all famous open-source projects should be bug-free, right? Like Firefox, right?

Wrong. The phrase "all bug are shallow" simply means that, with enough eyes, *someone* will be able to find the solution to any given bug fairly quickly. i.e., to them, the bug will be "shallow". And this seems to be quite true, given the rate at which bugs in Firefox and other open source products are fixed (quite often within 24 hours). ESR's assertion makes *no* claims regarding the bug *density* of a given open source product.

Re:ugh

[forkazoo]

1. Linus didn't say that, Raymond did. 2. By your own analysis, all famous open-source projects should be bug-free, right? Like Firefox, right?

Stop drinking the kool-aid. Open source is not a panacea for all software development problems, and Raymond made a lot of sweeping generalities in the book you're quoting, many which make for great sound bites but are absolutely irrelevant.

Certainly, no reasonable person will suggest that if you make some horrible software, putting the source on an ftp server will magically cause it to work perfectly, or all the bugs to be instantly found. Open source software does, however have some merits.

Suppose a team is trying to track down a bug in some software they wrote, but they can't find it. Everything looks right. Well, then that's pretty much it. They just keep looking. With open source, you have a chance that some random stranger will approach a problem with a fresh set of eye balls, and ask, "What the hell were you smoking!!??!!" I know I have been immensely helped by having a friend looking at my code, and he has been immensely helped by having me look at his. Whenever some 3rd party can look things over, he isn't emotionally attached to early design decisions, and he hasn't already convinced himself that something is correct. The only was to do that with proprietary software is to bring in a consultant. That's usually expensive, and it would be embarassing to the devs if he found major problems.

Another advantage to OSS is that knowing your code will be seen by others forces you to be a bit less likely to name your variables bob and fish, and freddybob. Obviously, no proprietary developer should do anything like that, but we have all gotten caught up in trying to make a prototype, knowing about the weaknesses of the prototype, realising the schedule is short, and declaring the prototype "good enough." You try to convince your boss you need more time to do a proper rewrite, with an extensible architecture that will better accommodate growth. He says tough banannas. Then, you wind up trying to bolt on the features for version 2 and 3, onto what was supposed to be just a prototype. Madness ensues. Whereas, doing a public release from day 1 means you would be embarrassed if people saw your prototype, so you are a little more likely to try to do it right.

So, yeah, I agree with you that zealots have to much faith in OSS, and probably unjustified criticism of proprietary software, but on even footing, with competant developers on both sides, the ability of OSS to leverage more "outside proofreaders" does suggest that it has the potential to be a bit higher quality on the average. Not perfect. Not always better. But, still, not a bad idea.

Re:ugh

[Mr.+Underbridge]

Wrong. The phrase "all bug are shallow" simply means that, with enough eyes, *someone* will be able to find the solution to any given bug fairly quickly. i.e., to them, the bug will be "shallow". And this seems to be quite true, given the rate at which bugs in Firefox and other open source products are fixed (quite often within 24 hours).

You're using evidence of how fast bugs get fixed to show how easy they are to find. Not buying it.

I'm not saying each of his assertions is specifically wrong, but that they're basically unfounded and are more "pretty" analogies than founded analysis.

Re:ugh

[Abcd1234]

You're using evidence of how fast bugs get fixed to show how easy they are to find. Not buying it.

No, I'm not. Let's review what I posted:

Wrong. The phrase "all bug are shallow" simply means that, with enough eyes, *someone* will be able to find the solution to any given bug fairly quickly. i.e., to them, the bug will be "shallow". And this seems to be quite true, given the rate at which bugs in Firefox and other open source products are fixed (quite often within 24 hours). ESR's assertion makes *no* claims regarding the bug *density* of a given open source product.

Now, tell me, where in that text did I make *any* mention of the rate at which bugs are *found*? Oh, wait, I *didn't*.

Re:ugh

[Mr.+Underbridge]

Now, tell me, where in that text did I make *any* mention of the rate at which bugs are *found*? Oh, wait, I *didn't*.

Then you're misinterpreting what Raymond said in the first place, which really stretches your credibility. See, the finding is what the "eyes" are for.

Re:Is this another reason to buy a Mac?

Fool.
Drivers that come with the OS are still drivers.

Re:Is this another reason to buy a Mac?

[afd8856]

Who told the god damn noobies about slashdot?

"Built For Windows"

[CdBee]

I've always tried to buy hardware which is supported by default in Windows - since XP-SP2 added a bunch of new drivers this has got a lot easier.

My reasons were so that a reinstall is a simpler affair, but it appears I may have been reaping security benefits too...

Re:"Built For Windows"

A compliment for windows?! Prepare to get modded down to -1 by Linux zealots.

Re:Is this another reason to buy a Mac?

Sure, but I think he still has a point.

Drivers that come with the OS may still be drivers, but they can be patched through the OS vendor's normal software update process.

Third-party drivers? Who knows?

Re:Is this another reason to buy a Mac?

[fyrewulff]

Windows Update will scan all of your third-party drivers for updates.

SlashDot a SPAM-Whore for SecurityFocus

Who cares what SecurityFocus has this month? Why do /. editors accept SPAM posts from commercial firms, whose intent is to increase their hit rates by posting to SlashDot? Or is SlashDot paid by those publications for posts?

SlashDot is a SPAM-whore for the IT press industry.

Something Similar

[MobyDisk]

Something Similar is security utilities that run as root/administrator, and provide a GUI. For example, suppose your Virus Scanner or Firewall runs with higher priveledges so that it can scan all files, change it's priority, monitor network activity, etc. Now suppose it also provides a GUI with a "Disable Scanning" button. It's trivial to open the GUI and simulate UI commands.

This is most prevalent on Windows where it is common to leave an icon on the toolbar for interacting. On Linux, you usually must execute the tool separately and enter an admin password to run it.

A while back I wrote a program that would re-enable disabled GUI elements. It allowed me to get access to all sorts of stuff I wasn't supposed to. Relying on the GUI to provide security is a bad idea.

Re:Something Similar

[fmileto]

Could you post a link to the source for that project? I'd like to look into how it works. Thanks in advance

Re:Something Similar

[nick8325]

There's a much nastier version of this: there is a message WM_TIMER which is meant for callbacks at regular intervals. One of its parameters is the address of a function to be called.

You can send this message to a window on your desktop and it will jump to any address you like! Straight away you could crash the process containing the window, or you could put some code to spawn a shell into an edit box in that program, then jump to that code. Hey presto! Instant shell running as Local System.

The attack is documented at http://security.tombom.co.uk/shatter.html, and can be used to inject code into any window on your desktop.

There doesn't seem to be any easy way to fix this, since security in Win32 messages is only meant to be at the desktop level and not the application level, and anything else would break lots and lots of applications.

Microsoft recommend stopping these attacks by never having a GUI in a service, instead having a separate GUI program that communicates with the service. But even they have made mistakes with this before - the pop-up Messenger windows (not MSN, the built-in Windows service) used to run in CSRSS, the Win32 server process. So you could get Local System access by sending yourself a message (which would cause the dialog to pop up) and then injecting code into CSRSS using that window.

According to http://security.tombom.co.uk/moreshatter.html, you don't even need a process with a window on the desktop - just find a system thread with a message queue and call PostThreadMessage on it.

Re:Something Similar

"It's trivial to open the GUI and simulate UI commands."

Via sendkeys type functions, or even OpenProcess via the Win32 API, right? Heck, you could even drop messages into its message queues via the numerous SendMessage type API's also, right??

"A while back I wrote a program that would re-enable disabled GUI elements. It allowed me to get access to all sorts of stuff I wasn't supposed to. Relying on the GUI to provide security is a bad idea."

You MUST have used dropping messages into its queues... this last one clued me in, am I right?

Re:Closed Source

there drivers

Where drivers?

Re:Is this another reason to buy a Mac?

[rokzy]

oh god no!

I tried that once. it suggested an update for my network card and pretty much fucked my system.

never again. never.

Typo in the headline

[ElMiguel]

Device Drivers Filled with Flaws, Pose Risk

Another Slashdot typo: they obviously misspelt "SUV" as "Device".

Re:Typo in the headline

It is so cool to bash SUVs - it is the mark of anti-genius.

Re:Is this another reason to buy a Mac?

Looks to me like it was Apple

Defective drivers, yes

[Urusai]

In theory, the +++ should be spaced in time similar to someone pressing keys. A ping would obviously be too fast. My guess is that cheesy WinModem drivers written by underpaid programmer elves might have taken a shortcut, since timing the +++ might require something beyond their QuickBasic skills.

Re:Defective drivers, yes

[multipartmixed]

> In theory, the +++ should be spaced in time similar to someone pressing keys.

No. It should be surrounded by one second of nothing. The inter-plus timing is irrelevant.

Re:Is this another reason to buy a Mac?

[Buradorii]

Perhaps the availablity of Slashdot headlines on Google's new Proto-portal.

Open Documentation == Safe & Reliable Drivers

[shking]

One more reason to help groups trying to get documentation in order write their own drivers. Manufacturers seem more concerned with slowing down their rivals than with growing their customer base (for free!). Consider OpenBSD's recent problems with Adaptec.

The funny thing is it's not inefficient

If done properly, a microkernel architecture is just as efficient as monolithic kernel.

The bad rep that microkernel systems have comes from lousy-performing implementations... stuff like Mach. Systems with heavyweight threads and IPC 10x slower than it should be.

Check out the L4 microkernel (or the oss rewrite of it) for an example of a microkernel that doesn't suck.

Hello lawsuit...

[SCVirus]

Many games 'quietly' install an unsigned driver without warning you (starforce/securom). If a single sec vuln appears in one of them and you get any damages...

Re:Hello lawsuit...

[IoN_PuLse]

Many games 'quietly' install an unsigned driver without warning you (starforce/securom). If a single sec vuln appears in one of them and you get any damages...

Youve already pressed the I Agree button (in which agreeing that any damages resulting are not their problem...)

Re:Hello lawsuit...

[SCVirus]

The game company yes. There is no contract between you and Starforce. There is no express notification of the installation of drivers. Many games patches that do not require extra agreements, install a new (or new version) copy protection, which quietly installs an unsigned drivers, bypassing the windows 'protection system' and not informing you of any risk. That is not waved in the license agreement (at least not ALL license agreements).

Apple Mac USB support

[morcheeba]

I've done lots of driver development on various machines (linux, solaris, OSX, vxWorks), and my favorite for general hacking has been OSX. Besides the traditional OS-level drivers, it also allows user-level USB drivers. I use the user-level access for my projects and it provides simple no-hassle operation. The code is still limited by the user's permissions, but I don't need access to other system resources. The windows equivalents need to rely on libusb, a generic os-level driver that passes user-level commands through to the USB device. Because of window's USB driver model, though, libusb can only work for one device type and must have the VID/PID's set before installation. OSX is much simpler when you need to write a hack that modifies a device's PID - it doesn't need another driver installation to continue talking with the device.

Actually, vxworks was the easiest to write drivers for, but since it is an embedded OS with no distinction between user code and OS (they share the same namespace!), it doesn't really count.

Re:Is this another reason to buy a Mac?

[TERdON]

Yep. To me it usually suggests a driver that kills my soundcard, and a buggy Nvidia driver (somehow the only driver that works together with my TV card is a really old one. The +.01 version is fucked up, and the previous ones too...)

Panic attack!

[AndroidCat]

Ping someone who has one of those idiot "scan all traffic for viruses" packages, and include a short virus signature. That might cause some fun and excitment.

(Don't try this at home, script-kiddies. Each ICMP packet has a source IP field, you know.)

Re:Panic attack!

[Handpaper]

Ping someone who has one of those idiot "scan all traffic for viruses" packages, and include a short virus signature. That might cause some fun and excitment.

(Don't try this at home, script-kiddies. Each ICMP packet has a source IP field, you know.)

If you can craft a custom packet, you can spoof the source IP field, too.
I suggest using 207.46.130.108

Re:Panic attack!

[AndroidCat]

I said there was a field, I didn't say it had to contain valid data. Now you've gone and told everyone!

Windows design flaws

[typical]

The real cause of most reboots are attempts to replace active user-mode executables (EXE or DLL). Executable files cannot be replaced while they're running. This makes it practically impossible to update system DLL's without a reboot, since they're going to running in some process all the time.

Yup. This is a major design flaw in the Windows kernel that dates way back. It's a significant part of the reason that you don't have to reboot Linux for anything other than a new kernel, but Windows frequently needs to be rebooted for user-level application installations.

It's on my list of "stupid design decisions made in Windows" (where "Windows" == NT family, not 9x family).

Other goodies are:

* "pageable kernel memory pools" (sounds like a good idea, but significantly increases complexity of writing kernel code and ease of introducing lockup bugs) over Linux's approach of just unloading modules

* Microsoft's decision to not support "real" links, just shortcuts, in their user-mode software.

* Allowing application software to "block" a shutdown.

* Not allowing Windows to run without VM.

* Not designing Windows to be able to run off of read-only media.

* Godawful shell (not fundamental to the OS, and hopefully will fixed in Longhorn) and virtual terminal, to the point where most Windows users hate the terminal.

* Bad VM algorithms. I don't know what they use, but try running low on memory on a Windows box and the system becomes bloody unusable.

(From a developer standpoint)

* Poor sockets implementation (which is still the only reasonably portable networking API under Windows -- even IOCP lacks a IOCP-able connect() up until WinXP) with no way to kick select() awake, no local-domain sockets and lots of other flaws and irritations that have to be worked around by the Windows sockets programmer.

* Never precisely specifying API behavior -- MSDN is more of a tutorial or basic user guide to the API than a true specification. Look at a Linux man page and you generally have pretty strong guarantees on the behavior of the function provided, and that isn't even the specification (those which the function conforms to are listed and you can read a hard specification of guaranteed behavior).

Re:Windows design flaws

[RzUpAnmsCwrds]

"virtual terminal, to the point where most Windows users hate the terminal"

Windows Server 2003 significantly improves the terminal. It's not quite BASH, but it's actually pretty usable.

"Microsoft's decision to not support "real" links, just shortcuts, in their user-mode software."

This is a UI choice. Symlinks can behave poorly if they are abused. If you want them in Windows, there's a command-line tool to do it (in the XP resource kit) or you can get a program like Junction Link Magic. It's part of the kernel, just not part of the UI.

" Never precisely specifying API behavior -- MSDN is more of a tutorial or basic user guide to the API than a true specification."

I've never had any trouble with the MSDN documentation. Linux man pages don't generally specify API at all - they specify configuration file formats and potential arguments. Perhaps that's because Linux doesn't really have "an API", it instead has a number of different APIs (GTK+/Qt, ALSA/OSS, V4L, GStreamer, X, SDL, CUPS, etc.). Manpages can't really be compared with MSDN - you have to compare the individual API guides. When you do that, you'll see that frequently they are out-of-date or simply plain wrong (as is the case with much of the GTK+ documentation).

"Bad VM algorithms. I don't know what they use, but try running low on memory on a Windows box and the system becomes bloody unusable."

As it does on Linux. Apache grinds to a halt on my older 256M webserver as soon as PHP/MySQL decide to suck up the available memory.

What *really* kills Windows systems is disk I/O. The system becomes useless once you start hacking at the disk. It's better on SCSI systems, and Windows isn't alone in this regard, but it somehow seems worse on Windows - perhaps because the shell is always hacking away at the disk, or perhaps because of the registry.

"Allowing application software to "block" a shutdown."

You can always force a shutdown with shutdown.exe. It's good that Word can block a shutdown and ask you to save - it prevents stupid mistakes in a lot of cases.

Re:Windows design flaws

[Decker-Mage]

To add to what RzUpAnmsCwrds posted, one of the first things I do here is use X-Setup/X-Setup Pro to turn off paging of the kernel to the pagefile. I rather use it than do my reghacks by hand these days, and I have a LOT of hacks. Actually it doesn't yield much measurable difference in performance here under normal circumstances, it only makes a difference when I'm screaming along with my virtual machines loaded, and it's a few percentage points at best.

Bad VM algorithms? I don't know your setup, probably have the pagefile on the boot volume or drive, but here it is not a problem and I go to the wall on my 1 GB system all the time. I have two pagefiles here, one on the system volume for whichever version of Windows is loaded at the time, and one on another HD on the other IDE channel (most people don't think of this). Both are set to 1.5 x system memory, but that's altogether excessive as I've never gone over 2 x system memory here. Windows, like *nix, is bright enough that if it has more than one pagefile it will make use of whichever is free at the time for use. As that other HD is for pagefile, temp file, and archival storage only, it's free a lot. Try it, it may surprise you. If it doesn't, you need a different motherboard or HD controller! Then again, I picked my motherboard with doing just this in mind from the get go. BTW, Linux (or at least SuSE and FC3) likes it too.

If you want directory symlinks, go on over to SysInternals.com and grab Junction (Windows NT-2K-XP-2K3/Utilties/Miscalleneous). Part of the kernel, but not normally accessible. Beats the heck out of buying the resource kit. Normal hardlinks, see FSUtil in the Support Tools (optional install from the Install CD). As the *nixen like to say, Read The Fine Manual(s) :-). I can agree with you up to a point, but I shudder to think what your typical (ab)user would do with these, as I support them day in, day out {sigh}.

Not allowing Windows to run off of CD? Why would they want to have LiveCD's? This is Microsoft, you know: all you computers belong to us! Besides, from their viewpoint, that would only encourage piracy. I can sympathize somewhat with that view myself. Sheesh, those would be the hottest, most duplicated property on the planet! I want whatever drugs you are taking :P. Still, in the field it 'twould be nice, instead of carting around a baby HD and having to do a parallel install in some cases to fix things.

Blocking? I'd rather have blocking and demand my attention than watch work go down the toilet 'cause I forgot to save something and left the app open. I've never seen a system service block shutdown here and I run a lot of services, and many most people don't, here.

Lastly, I rather like the shell in Windows Server 2003. True, it ain't csh (my fave for the last 20+ years), but it's gotten much better than it was before, and beats the dogsnot out of DOS. Furthermore, you do know you can change a lot of the settings for the shell, don't you? Mine is not standard in appearence here, no how, no way. I like a lot more lines and larger type, but that's due to my high res setup more than anything else.

I hope this helps someone. Some good points in there, and yes the stupid installers always want to reboot the damn system even when not necessary, but... :-).

Re:Windows design flaws

[guyzmo]

`` I've never had any trouble with the MSDN documentation. Linux man pages don't generally specify API at all - they specify configuration file formats and potential arguments. Perhaps that's because Linux doesn't really have "an API", it instead has a number of different APIs (GTK+/Qt, ALSA/OSS, V4L, GStreamer, X, SDL, CUPS, etc.). Manpages can't really be compared with MSDN - you have to compare the individual API guides. When you do that, you'll see that frequently they are out-of-date or simply plain wrong (as is the case with much of the GTK+ documentation). ''

I'm not aware of how MSDN works, as I didn't use windows for years. But all I can say is that the API *is* described in the manpages under Unix, and linux specifically.

Just check out this page : it's the man page of the select function in the BSD API.

But when you don't have a manpage for a given function, or if you think the manpage is outdated, as you have the full source code of what you want to use you can run Doxygen on the library, and then use its output. And if there's no javadoc-like comments in the source, hey, you can always use that source, luke !

And don't tell me if you use the boost C++ library under windows, you'll have a MSDN page describing the API, it sounds to me quite unprobable... You'll need the boost.org to get the documentation, and, how surprising, they even offer manpages.

reboot != restart of xorg

[typical]

Can you do it without shutting down X, and all running X applications? Is that really so different than than a reboot? Well, it depends how you use the system. If you're familiar with Windows and use Linux mostly like a Windows workstation, running only GUI programs, and running only daemons that are inextricably linked to a GUI, then no. My system is generally running mldonkey, a host of daemons and scripts (fetching mail, sending mail, obtaining weather data, logging uptimes, a couple of servers) and it isn't even a "server" machine. I use GNU screen, so just because I happen to have a shell open in an xterm doesn't mean that I can't log out at any time. Most of the software I use (barring firefox and gkrellm) is terminal-based, so most of that sits in GNU screen. I use irssi (not x-chat), slrn (not pan). Occasionally I'll have the GIMP open, but I'm not an artist, so this is usually not the case. I use the X11 version of xemacs for the additional keys available, but xemacs doesn't need to be hooked up to a single X session (actually, it can display itself on multiple X servers at once), and shutting down X doesn't have to kill it. So, really, the only piece of software that needs lose state during a restart of X is my webbrowser. It's difficult to describe this to most Windows users, because they have a very strong and repeated set of experiences that "real software runs in a GUI". A reboot also means that I have to reauthenticate myself to my encrypted filesystems, which is the other reason that I prefer to avoid it. So I would say that, yes, a reboot of my system is very different from restarting X.

Why do we even need device drivers at all?

[Skapare]

Why do we even need device drivers at all? I've worked on (used, administered) two different kinds of major operating systems (and a couple more smaller ones) that did not use device drivers at all. The answer to thise question reflects a condition that those two major OSes did not have to deal with: lack of standardized hardware.

The original IBM System 360, released in the 1960s, effectively had relatively standardized hardware. That was because IBM made all the hardware. When other manufacturers eventually made their own hardware, they were forced to make that hardware compatible. A manufacturer of a disk drive had to make it accept every hardware command that IBM's own models accepted, or it would not work. No provision existed in the operating systems for these machine to install or load a special device driver, short of modifying the source directly (which was all in assembly code for the mainframe CPU architecture).

I/O operations in the original System 360, and to a great extend in the 370 and 390 that followed, is quite uniform compared to the PC architecture. Although IBM popularized this architecture, it was actually the design of the 8088 CPU that caused things to be quite non-uniform due to it's lack of any I/O architecture (it only had a simplistic in/out CPU instruction set, which effectively functioned like fetch/store instructions in a private address space). This meant every peripheral (like a serial port) had to operate its own way. Microsoft's DOS operating system furthered the dependency on device drivers being added by making it relatively easy to do. So by combining an architecture that was very poor at I/O, absent of an I/O standard, and an OS that made discrete device drivers easy, we have this become dependent on this.

A computer architecture could still be built that includes a standardized I/O infrastructure (e.g. all devices interface the same way) and standardized I/O command set (e.g. all operations of the same class operate identically), and would not need individual device drivers. Each different class of device (e.g. a hard drive is an example of one class) would have its own I/O handling code in the OS which can be referred to as the device driver, but it would be one set of code that handles every device of that class. A command from the "hard drive handler" code in the OS to read a specific sector of storage would be exactly identical regardless of the size of the drive (if it accesses a non-existant sector, it always gets a standard error), the maker of the drive, and whether or not there is a gateway controller to interconnect legacy hardware (e.g. SCSI, IDE, SATA, etc). The same principle would be applied for all other classes of devices. All random accessible devices could then be bootable with merely the issuance of a basic "read a sector from offset N" command generated by a very simple firmware system ... for some standardized value of N for booting purposes.

old news

The older versions of the Logitech mouse software could be used for a DoS attack.
There were no parameter checks so it was possible to use simple function calls to force a Blue Screen of Death.

Is there a way...

I've often wondered, is there a way to stop software from secretly installing drivers in Windows?

Well, I guess not running as Adminstrator probably would work, but surely there's a way to get Windows to ask "Allow Application.exe to install driver.dll ; YES / NO"?