Windows 10’s security is easily thwarted just by plugging in a Razer peripheral
Razer is working on a fix ASAP, but how many other devices can bypass security controls in a similar manner?
So, this is a bit unsettling—a white hat hacker has discovered a bug in Razer's device installer software that could give a hacker full admin rights in Windows 10, simply by plugging in a compatible peripheral and downloading the accompanying Synapse utility. This could be a Razer mouse or keyboard, or any device that taps into the Synapse software.
A user who goes by "jonhat" on Twitter publicly disclosed the security flaw after contacting Razer and initially not getting a response from the company. The post also contains a video highlighting how incredibly simple it is to exploit the newly discovered attack vector, as a user with only limited standard system privileges.
Need local admin and have physical access?
- Plug a Razer mouse (or the dongle)
- Windows Update will download and execute RazerInstaller as SYSTEM
- Abuse elevated Explorer to open Powershell with Shift+Right click
Tried contacting @Razer, but no answers. So here's a freebie pic.twitter.com/xDkl87RCmz
August 21, 2021
What's at issue here is that when plugging in a Razer device (or dongle, if it's a wireless peripheral), Windows fetches a Razer installer containing driver software and the Synapse utility. As part of the setup routine, it opens up an Explorer window prompting the user to select where the driver should be installed.
This setup routine is run with elevated Admin privileges, the highest available in Windows 10. What jonhat found is that if a user opts to change the default location of the installation folder, which brings up a 'Choose a folder' dialog, a user can right-click the installation window and press the Shift key to open a PowerShell terminal with those same Admin privileges. That's not good. From there, an attacker could wreak all kinds of havoc.
The video in the Twitter post demonstrates this process, and the folks at BleepingComputer confirmed it as well, noting "the bug is so easy to exploit as you just need to spend $20 on Amazon" for a Razer peripheral.
In one of the responses, a user said it also "works great" to spoof the vendor ID of an existing, non-Razer peripheral, so an attacker wouldn't even need to purchase anything. And yet another user claimed this attack vector "works also with any Asus ROG mouse. It will prompt to install Armory Crate" and execute it with the same elevated system privileges.
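For defenders, the pattern described above (an installer running as SYSTEM that ends up parenting an interactive shell) can be hunted in process-creation logs regardless of vendor. The following is an added example, not code from Razer, Microsoft or the researcher; it assumes Sysmon Event ID 1 field names (Image, ParentImage, User, TerminalSessionId), and every record, path and the .exe suffix on the installer name is constructed for illustration.

```python
# Added example: flag shells running as SYSTEM inside an interactive session.
# Field names follow Sysmon Event ID 1 (ProcessCreate); all records are constructed.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_system_shell_on_desktop(event):
    """True for a shell owned by SYSTEM in a logon session (ID >= 1).

    Session 0 hosts services, so SYSTEM shells there are left to other rules.
    """
    return (
        basename(event["Image"]) in SHELLS
        and event["User"].upper() == SYSTEM_USER
        and int(event["TerminalSessionId"]) >= 1
    )

def find_system_shells(events):
    """Return (shell, parent, session) for every matching event."""
    return [
        (basename(e["Image"]), basename(e["ParentImage"]), int(e["TerminalSessionId"]))
        for e in events
        if is_system_shell_on_desktop(e)
    ]

# Constructed sample records; paths are placeholders, not real install locations.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": "C:\\Example\\RazerInstaller.exe", "User": SYSTEM_USER,
     "ParentImage": "C:\\Windows\\System32\\svchost.exe", "TerminalSessionId": "1"},
    {"Image": PS, "User": SYSTEM_USER,
     "ParentImage": "C:\\Example\\RazerInstaller.exe", "TerminalSessionId": "1"},
    {"Image": PS, "User": "DESKTOP-EXAMPLE\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe", "TerminalSessionId": "1"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "User": SYSTEM_USER,
     "ParentImage": "C:\\Windows\\System32\\services.exe", "TerminalSessionId": "0"},
]

if __name__ == "__main__":
    for shell, parent, session in find_system_shells(SAMPLE_EVENTS):
        print("ALERT: %s as SYSTEM in session %d, parent %s" % (shell, session, parent))
```

Because the rule keys on account and session rather than on a vendor's file name, it also covers other installers that behave the same way; the parent name is reported so an analyst can see which installer was involved.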
For its part, Razer acknowledged the issue in a statement provided to ComputerBase, saying a fix is on the way.
"We were made aware of a situation in which our software, in a very specific use case, provides a user with broader access to their machine during the installation process," Razer said. "We have investigated the issue, are currently making changes to the installation application to limit this use case, and will release an updated version shortly. The use of our software (including the installation application) does not provide unauthorized third-party access to the machine."
"We are committed to ensuring the digital safety and security of all our systems and services, and should you come across any potential lapses, we encourage you to report them through our bug bounty service, Inspectiv: https://app.inspectiv.com/#/sign-up," Razer added.
Likewise, jonhat said Razer has subsequently been in touch and offered up a bounty despite him having publicly disclosed the issue.
Should you be worried about this? Not really, for the most part. Razer notes this bug only applies to a "very specific use case," and that's because an attacker would need physical access to a machine in order to exploit the vulnerability—this is not something that can be accomplished remotely.
That said, this is another reason why you should never leave your laptop unattended in places where others might have access to it. The risk of theft, of course, is the other good reason not to do such a thing.
While Razer is working on a fix, it will be interesting to see if Microsoft comes up with any safeguards that would do away with this method of bypassing limited account privileges. This presumably would work in Windows 11 as well, though at this point, it does not seem as though anyone has tested it yet.
Paul has been playing PC games and raking his knuckles on computer hardware since the Commodore 64. He does not have any tattoos, but thinks it would be cool to get one that reads LOAD"*",8,1. In his off time, he rides motorcycles and wrestles alligators (only one of those is true).


