I was asking, "How can a Razer bug let you break into Windows? Is it a Razer device driver?" Yes. I'll just quote jonhat's tweet from the article:
Need local admin and have physical access?
- Plug a Razer mouse (or the dongle)
- Windows Update will download and execute RazerInstaller as SYSTEM
- Abuse elevated Explorer to open Powershell with Shift+Right click
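A detection sketch for the sequence in the tweet above, added here as an example (it is not part of the thread and is not Razer's or Microsoft's code): it scans process-creation records for an interactive shell running as SYSTEM inside a user's desktop session and reports any installer found in its ancestry. Field names follow Sysmon Event ID 1; the sample events, GUIDs and paths are constructed, the installer file name is taken from the tweet's "RazerInstaller", and the "installer"/"setup" name heuristic is an assumption.

```python
import ntpath

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Heuristic (assumption): an ancestor whose file name contains one of these
# substrings is treated as an installer.
INSTALLER_HINTS = ("installer", "setup")


def image_name(event):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(event["Image"]).lower()


def ancestry(event, by_guid, limit=16):
    """Image names from the parent upward; stops at parents missing from the log."""
    chain, seen = [], set()
    guid = event.get("ParentProcessGuid")
    while guid in by_guid and guid not in seen and len(chain) < limit:
        seen.add(guid)
        parent = by_guid[guid]
        chain.append(image_name(parent))
        guid = parent.get("ParentProcessGuid")
    return chain


def find_system_shells(events):
    """Flag shells that run as SYSTEM in an interactive session (session id != 0).

    Session 0 hosts services, where SYSTEM shells are routine. A SYSTEM shell in
    a desktop session means a user can type into a SYSTEM process. ProcessGuid
    is used for linking because PIDs are reused.
    """
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e) not in SHELLS:
            continue
        if e["User"].upper() != SYSTEM_USER:
            continue
        if int(e["TerminalSessionId"]) == 0:
            continue
        chain = ancestry(e, by_guid)
        # Assumption: a file dialog is hosted inside the installer's own process,
        # so a shell opened from it has the installer as parent.
        installer = next(
            (n for n in chain if any(h in n for h in INSTALLER_HINTS)), None
        )
        findings.append({
            "time": e["UtcTime"],
            "shell": image_name(e),
            "session": int(e["TerminalSessionId"]),
            "chain": chain,
            "installer": installer,
            "severity": "high" if installer else "medium",
        })
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2021-08-22 10:00:01", "ProcessGuid": "{A-1}",
     "ParentProcessGuid": "{A-0}", "Image": r"C:\ExamplePath\RazerInstaller.exe",
     "User": "NT AUTHORITY\\SYSTEM", "TerminalSessionId": 1},
    {"UtcTime": "2021-08-22 10:00:40", "ProcessGuid": "{A-2}",
     "ParentProcessGuid": "{A-1}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": "NT AUTHORITY\\SYSTEM", "TerminalSessionId": 1},
    {"UtcTime": "2021-08-22 10:05:00", "ProcessGuid": "{B-2}",
     "ParentProcessGuid": "{B-1}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": "DESKTOP\\alice", "TerminalSessionId": 1},
    {"UtcTime": "2021-08-22 10:06:00", "ProcessGuid": "{C-2}",
     "ParentProcessGuid": "{C-1}", "Image": r"C:\Windows\System32\cmd.exe",
     "User": "NT AUTHORITY\\SYSTEM", "TerminalSessionId": 0},
    {"UtcTime": "2021-08-22 10:07:00", "ProcessGuid": "{D-1}",
     "ParentProcessGuid": "{D-0}", "Image": r"C:\ExamplePath\AdminAgent.exe",
     "User": "NT AUTHORITY\\SYSTEM", "TerminalSessionId": 2},
    {"UtcTime": "2021-08-22 10:07:05", "ProcessGuid": "{D-2}",
     "ParentProcessGuid": "{D-1}", "Image": r"C:\Windows\System32\cmd.exe",
     "User": "NT AUTHORITY\\SYSTEM", "TerminalSessionId": 2},
]

if __name__ == "__main__":
    for finding in find_system_shells(SAMPLE_EVENTS):
        print(finding)
```

The user's own PowerShell and the session-0 service shell are ignored; the SYSTEM shell with no installer in its ancestry is still reported, at lower severity, because legitimate admin tooling can produce it.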
Hah, I like that one. The other classic is Right Click -> New -> Shortcut -> cmd.exe in an explorer "open" window, typically one in an otherwise very locked-down environment.
This has recently got me service access on an old (but new in 2009!) ultrasound machine, for example, for getting raw data and dicom images off in a hurry when the proper authentication details were lost...
The real boss move was navigating a machine with a UI that involved a trackball, keyboard, touch screen(s), touch pad, weird array of custom buttons and a truly stupid menu system.
Configuring US machines is horrible.
But my major US machine rant is them burning metadata into the images (rather than displaying DICOM tags as an overlay). It’s beyond ridiculous.
Exactly! MR ("my" modality) has it right -- raw data and reconned images are very, very different and although most raw data never ends up in a dicom the mere fact that you genuinely could reconstruct dramatically different bits of info (e.g. magnitude vs phase images) means that the vast expanse of the dicom spec is wide enough to encompass all possible metadata requirements.
US machines do a lot of fun physics on proprietary FPGAs. For inexplicable reasons, every one I've ever worked with or done echo with saves the images as some variation on a theme of screenshots, shoehorned badly into a dicom wrapper, with the metadata burned at 640x480 px (or similar) on top. Even for clever derived modes like doppler -- even for annotations showing things like cardiac E/E' or E/A. They are laptops with a custom pcmcia / pcie card and a 100k-UNIT_OF_CURRENCY price tag, inevitably running a shitty OS with a shittier custom UI...
MRI is my modality of choice too. I’m currently loving most of what Siemens is up to (with some notable exceptions).
The hell of US knows no bounds. Most modalities calibrate a display and then display images (with varying degrees of post processing). US calibrates the screen, sometimes with each boot or even each probe change. Their black levels are abysmal.
> saves the images as some variation on a theme of screenshots
GE has a habit of making DICOMs from screen grabs. I’ve seen it on their PET, CT and MR systems. It causes irritating problems - like reference lines won’t work so you can’t cross reference.
Wow! What a trip down memory lane, I actually remember figuring this one out when I was.. dating myself here[1], about 7 years old, I really wanted to play my Thinking Things Collection 3.[2]
When I inevitably got caught I remember my dad let me have my own user, but put some sort of further time-restriction software on the PC, no idea what it was, but I figured out that if I timed Ctrl-Alt-Delete at just the right time during the start cycle, I could, if I worked fast enough, end the process before it locked me out of login. XD
Oh to be a 90s kid.
[1] to be fair though we didn't update Windows immediately on release and never had '98.
I remember our school administrator used to delete all our silly images we'd made with paint on the school PCs. We asked why but never got a good answer.
I figured out that putting a certain character in front of a file name made it not show up in explorer. So I did that to a folder in my home directory and put all my stuff there, accessing them from the command line instead. Never had them deleted, again.
Apart from the security issue, it's really annoying, too. Say you refuse to install the Razer device driver - after all the mouse will largely work fine without it thanks to HID. Every time you plug the mouse in, Windows re-runs the driver installer.
I just got a Razer Kiyo webcam, excellent stuff, but I had to open regedit to get it to stop asking me if I want to install additional software every time I plugged it in or rebooted.
It works fine without it, but whoever programmed this thing has never heard of a "No, and Don't Ask Me Again" Button.
In regedit, F3 for razerinstaller and add a DWORD key "Start" with value "4".
(It wouldn't help to scan the filesystem, since the way the vulnerability works is that the driver will be automatically downloaded and run when a peripheral's plugged in.)
Recently my son is using / installing lots of gaming peripherals and software for it and I have to say that I have not seen this much crapware bullshit since Windows XP (with no Service Pack).
If you want to set up the LED lights for your fans - you must install this crap; if you want to customize your mouse somehow - install this other crap. Same companies have not one, but two software suites that manage different peripherals.
Razer is the worst of these. Asus ROG takes second place.
My Glorious Model D and Model O mice work perfectly fine with the normal HID driver. I suppose there's an app for RGB control and changing the DPI settings but the defaults are fine for me. It doesn't attempt to download anything when I plug it in.
Or my personal favorite: The old tool that did exactly what you wanted, didn't need to start with the system, and didn't require login gets 'upgraded' to a more intrusive new version that has 1/10th as many features and doesn't work right anymore.
"What are you crying for, Windows 10 piece of shit settings app that doesn't understand how to let me control individual sound devices the way I want?"
i have a shortcut on the lower-right of my desktop called "real windoze sound settings" (linking, of course, to the actually useful windows sound settings) for exactly this purpose xD
You need EarTrumpet! It replaces the janky windows 10 sound thing with a more modern (and actually useful) one. There's also a registry hack to just enable the old one that opens mixer, if you'd like.
Oh god, that's just the worst. My laptop defaults to maximally bright blue lights for the keyboard whenever it's turned on. Had to keep Windows 10 installed just so I could turn that shit off via proprietary manufacturer crapware that takes one minute to even get an unresponsive interface on the screen. Pissed me off so much I reverse engineered it into a Linux program that does it instantly.
Seriously what are these manufacturers thinking? It's like they go out of their way to make things as bad as possible.
I'd just open up the card and unplug the cable to the lights. It's not a bad idea to open up the card to reapply thermal paste/pads anyway if you're hitting the card hard, a lot of manufacturers don't do a great job with heatsink contact, thermal paste quality, or both. On the lower tier cards in their product stack half the time there won't even be thermal pads on the vrm or memory chips. And recently I saw a post where powercolor forgot to remove the tape from the thermal pads at the factory [0]. And no, in most countries they can't void your warranty for opening it up.
Why? Not even with proprietary nvidia drivers? If it's using a proprietary interface I'd expect those to be reverse engineered for such a major product.
I had to install drivers from the Arch User Repository to turn off the lights on a Razer keyboard. It still stays lit and in color-cycle mode unless it's plugged in directly to a USB port on the laptop.
Yes, and it is extremely aggravating! It's always some incredibly shitty proprietary software with a bloated gamer interface that takes seconds if not minutes to even start up.
My laptop came with this crapware too and it pissed me off so much I reverse engineered it into a simple free software program that turns all the stupid lights off instantly.
Turns out all these shitty apps do is send a bunch of USB configuration packets which were easy enough to figure out with wireshark. The Razer products do the same thing, open source code is already out there. Sometimes they use convoluted interfaces like I2C and ACPI/WMI. Haven't had luck with these.
Given Razer's general shenanigans, such as tracking mouse and keyboard behavior and sending it to their cloud (without which, by the way, much of their new hardware simply won't work), their unintentional breaches of security pale in comparison to their deliberate breaches of privacy.
The actual problem here is that Microsoft allows OEMs to install user space programs via their drivers, which are installed automatically without user intervention using Windows Update. This is unacceptable. Microsoft should only accept kernel mode drivers. If users want user space tools they can find them in the OEM website.
Uhm. If you can't trust them to write a user-mode program without messing up security this badly, you absolutely can't trust them to write a kernel-mode driver without completely screwing everything up. Not to mention one that is automatically downloaded and installed whenever something shows up claiming to be a particular vendor/product ID!
I think the OP's point is that any malicious code residing in the USB driver has access to a much larger attack surface in kernel space than the UI app running in userspace.
If I were attacking the system along this vector, my exploit would sit in the USB driver, not the UI code.
Same. Was wondering when the conversation would get around to this.
You could take advantage of being SYSTEM much earlier along this cycle and still take control of the computer. This is actually a very nasty bug in how arbitrary code can be run at SYSTEM level when inserting a usb device.
I expect the developers who write the kernel mode drivers to be much more competent and senior than those who write the flashy, slow GUIs that come with them. Yes, naive assumption, but still!
I would say that the higher you get up the privilege level tree, the worse the software becomes. The people writing legacy BIOS extensions are the absolute bottom of the barrel.
In modern software development, this is usually a task for the junior engineer as it's code the client never sees. Only in specific industries where the client is also highly technical (e.g. a data-acquisition component in an instrument) where the quality of the low-level code matters, would it be someone senior. In those cases, it usually matters a lot more than the UI.
I wish that were the case—I also wish it were the case that “senior” meant “competent.” Judging by the number of device drivers I’ve had cause serious problems, especially with consumer gaming hardware (as is the case here), I don’t think it’s safe to make any assumptions about the quality of drivers.
For anyone else reading this who’s feeling smug because they would never buy such a device: you don’t need to; only the attacker needs to. Windows will happily download and install the drivers automatically the first time the device is plugged in.
It's also not about seniority or competence. Writing kernel mode drivers is being given the task of juggling running chainsaws with real chains while on a balancing board. "Success" is declared when you're able to do this in a lab without there being an issue, ignoring the fact that in the real world there are dodgeballs being thrown at you. Also, no one I've ever worked with writing them has ever wanted to maintain & improve the quality of the drivers they wrote - they wanted to move on to "interesting" work as quickly as possible. This includes myself. The work isn't interesting, fun & usually not important to the business.
In this case, why does a mouse driver need to live in the kernel in the first place? Microsoft should be improving the HID layer to make that unnecessary.
I still don’t get why companies who design hardware are so poor at writing drivers/supporting software. They design and test hardware, because recalls are expensive, but somehow feel like shipping shitty software is just fine.
Why is it so hard to prioritise good drivers? Or is it just impossible to hire good driver developers?
Well there's 1) The businesses that sell hardware are run by people whose expertise is hardware, not software and 2) the type of people who have the right combination of skills and inclination to write drivers are rare but also can earn a lot more doing other type of software (hardware margins aren't all that high compared to software).
> you absolutely can't trust them to write a kernel-mode driver without completely screwing everything up
Absolutely. The overwhelming majority of hardware companies are not competent enough to write drivers of any kind. They're not even competent enough to write user space software. They treat software as a cost center. To them software's just wasted money, to be made as cheaply as possible and only because they have to.
Linux kernel is great as a litmus test. If a company can't get a driver into the kernel it shouldn't be trusted with writing drivers of any kind.
This is Windows where kernel drivers are proprietary and written by random companies that do not care about anything but shipping things. The same company that messed up completely in usermode.
Would be an interesting step, if Microsoft would only allow open source drivers into Windows Update.
There could be another option: If you want to ship it without exposing the source, you need your drivers vetted by some third party that has access to the code.
I think you're conflating two separate things here.
The major difference between user mode programs and kernel mode programs is security and stability (at least in this context). Things in kernel mode have basically no restrictions on what they can do, from a security sense. Things in kernel mode can also crash the thing they're part of: the kernel. That's a blue screen (or cyan, now). One of the reasons those blue screens are so much less common is that Microsoft really pushes OEMs to make userspace drivers. If they die, they just get restarted, no need to crash the whole OS.
The other issue is of installing user-facing utilities alongside the driver. That needs to stop. It's orthogonal to the kernel vs user mode issue though, because Razer can make their UI run in kernel mode. It's a horrible, terrible idea that no one will enjoy, but they can. And really, we want the drivers to run in user space too if we can.
While what you're saying would be nice, I think if this were to be enforced then it would end up going like the nvidia control panel. You install your drivers and if you want access to the nvidia control panel then you have to install them from the Microsoft Store.
Well, no. It's a Razer bug. Razer wrote the software. They wrote it to run as admin when you plug a new device in. They wrote it to launch a browser (!!!) under user control. Those are all Razer mistakes, Microsoft didn't do that.
Now, it's true that MS has a flawed architecture here. But it's not inherently so as I see it. Third party devices do need automatic driver install of some form. Drivers do need elevated privileges. Microsoft's model was that they'd audit and authenticate the software through the WHQL process. And it turns out that let a really glaring hole through.
But the problem is just really, really hard. If you want third party driver software to run on your system (and not all vendors want that: iOS has nothing of the sort, obviously, and Linux vendors ship all the drivers themselves) then you need to be prepared to do a ton of work ensuring it's safe.
>Microsoft's model was that they'd audit and authenticate the software through the WHQL process. And it turns out that let a really glaring hole through.
Not to let Razer off the hook here, because they're responsible as well, but in doing as you've described here, Microsoft have willingly placed the onus for security on themselves.
>Linux vendors ship all the drivers themselves
Not all of them. Nvidia is a famous exception to this. If you want to install their drivers, I don't know of a Linux distro that will allow you to without root privilege.
To be clear: there are obviously lots of third party Linux drivers out there. But they're delivered, installed and supported by that third party. Security of the NVIDIA driver is NVIDIA's job, and no one is surprised. And as a result, you need to run a tool as the root user and elevate the privilege level yourself to get it installed.
Now, that user experience broadly sucks vs. plugging the same PCIe card into a Windows box and booting it up to get an automatically installed driver. But it's not subject to the same security problems either, which was my point.
There's a difference, though. Microsoft's Windows Update driver installer does not require launching executables, it never has in the past, it simply got the inf and supporting files and put them in the system's driver location. Now they're automatically running executable code that Microsoft isn't verifying as an Administrator. Yes a malicious driver could be bad, but since drivers have a more finite api surface they should call, they can be audited / restricted with static analysis checks. Launching a userspace app with admin privileges automatically is a bad idea.
Would you be ok with the AMD kernel driver launching a web browser as root on first boot? Or every boot?
WHQL means almost nothing, except that you have an expensive EV code signing certificate to verify your identity to Microsoft. At best it means that your drivers don't completely break the system.
I don't have much experience under Windows so I may be a bit off here, but this article mentioned the driver was installed by Windows Update from a non-administrative account, made no mention of UAC popping up to get administrative credentials, and allowed the installer to present a user interface. The installation wizard allowed for interactions that are intended for people who manually download and execute the driver package, which is fine in that context since the end user has already provided or has to provide administrative credentials at a UAC prompt. It is not fine in this case since a standard Windows component with elevated privileges is allowing the end user to circumvent restrictions on their account.
Clearly Razer played a role here since they were doing something that is (from my experience) unusual by presenting a wizard during a Windows Update installation. On the other hand, this is a fault that Microsoft has to fix.
It's a new 'feature' of Windows update. In the past, driver vendors that were supplying to the Windows Update driver DB only had the option of providing infs and firmware, basically. I think they could provide apps too, but they had to be 'move it into place and it works' sort of apps. The mistake is that now Microsoft allows installers to run. Logitech does the same thing: plug in any Logitech device and Logitech Options pops up a custom notification prompting you to 'continue' installation.
I can understand why the vendor would want these features, and perhaps even most users. On the other hand, the one thing I liked about the limited approach was the ease of installing basic drivers. (Linux is my primary OS, so I'm accustomed to basic drivers and find the additional software that accompanies many Windows drivers repulsive. Knowing that the installer for these enhanced drivers can also present a security risk simply makes it worse.)
Completely agree, I've been an on-again-off-again linux user for the last 15-ish years... but these days it's more and more on, the only reason I haven't virtualized my gaming rig yet is the DRM some games I play use using those fucking kernel drivers. So that install hangs out and has steam, chrome, and other various games / game launchers and that's it. I disable as much of the OS as I can and only boot into it for games that don't work on linux (usually ones with the aforementioned DRM). Gaming on linux is getting better every day!
Even more than a bug, it's a flaw in industry _culture_.
It's a flaw in Windows culture, where application publishers and device manufacturers are allowed and perhaps even encouraged to run amok, especially at install time, and run all manner of bespoke procedures with elevated privileges.
And it's a flaw in device manufacturer culture, where first-party device ‘drivers’ are expected to be bundled (sometimes optionally, sometimes by mandate) with entire applications for managing them, usually with flashy wizards and always-on GUIs that live in the system tray. More and more, it seems like manufacturers push that shit so they can track users' usage of their devices, as well.
This is as much a result of device manufacturers' marketing teams' ruinous desires for customized, unique user interfaces and branding as it is a result of anything else. This kind of shit is really alien on platforms where universal management interfaces are the norm, package installation is expected to be well-behaved and non-interactive, etc. It's par for the course on Windows (and significantly so, but to a lesser extent, on macOS).
> Third party devices do need automatic driver install of some form.
This is a mouse. It works perfectly fine as a USB HID device. The software install is to unlock optional features on the device, and that can be done after the user has authenticated to the host and gone through a security elevation prompt.
In fact there are precious few third party devices without a usable built-in driver that absolutely need to be available before the user had logged in. I can't think of any.
> The software install is to unlock optional features on the device, and that can be done after the user has authenticated to the host and gone through a security elevation prompt.
That's not true. It may help you to watch the video.
The user was authenticated as a regular logged-in user. It was the driver installation that had elevated rights as SYSTEM, and there was no security elevation prompt.
I'm reading the "can" here as normative, i.e. because the optional stuff CAN be done after auth, it SHOULD be restricted to being done only after auth.
yeah it's shared, MS was rumored to have a very strong and deep (haskell based long ago IIRC) driver testing system .. it's odd something that big escaped the net.
> Third party devices do need automatic driver install of some form.
I don't see why. Particularly not if the user wouldn't have permissions to do it themselves. If the user doesn't have permission to install a driver, there is probably a good reason for it and the system shouldn't be automatically installing drivers on their behalf either.
You or I don't. But in the market, if you can't make your product work with no fuss, your customers will buy someone else's (or flee to another platform entirely).
If you accept the paradigm of third party hardware sales at all, then you need to have some kind of automatic secure install.
> if you can't make your product work with no fuss, your customers will buy someone else's
If Razer can't make their gamer mouse autoinstall drivers, then neither can Logitech. This would be an equal playing field.
> (or flee to another platform entirely).
If somebody can't type in their own password when prompted to install a driver, it probably isn't their computer in the first place. The computer almost certainly belongs to their school or employer, or at least another family member, and I think any of those would rarely be receptive to "Please replace your dell with a macbook because the turbo button on my gamer mouse doesn't work."
Furthermore, the gamer mouse will have basic functionality without the Razer driver anyway, and from my experience I doubt most clueless computer users would notice the difference. If they can "click the internet button and the google shows up", then the mouse is working as far as most users of this sort are concerned.
On Windows you don't even need to type in the password to install something. UAC just gives you a yes/no dialog. Most home users have the permissions for that.
Only if your user doesn't have admin permissions do you need to type in a password to run something elevated.
I'm not saying we should go back to floppies. A prompt for the administrator password followed by an otherwise automatic driver installation should be fine.
I remember a different form of this from years ago. At the login screen, go to the accessibility/help prompts and open cmd.exe just like was done here to open PS>. This has been a standard kiosk breakout method of various effectiveness for a long time. The user rights were not always SYSTEM, though...
If Microsoft lets anyone owning a Razer mouse/keyboard do whatever it wants to anyone's computer then that's on Microsoft as well.
If only Razer customers are affected then, sure let's put all of the blame on Razer but this affects everyone using Windows 10. There are some very good reasons why you cannot simply install device drivers without admin rights and if Microsoft chooses to waive those rights for trusted suppliers then they can very much be blamed for this kind of oversight.
I agree they should block this sort of stuff, but don't count on it; When I plug in a Microsoft mouse, a Microsoft IntelliMouse install wizard pops up.
In the end, the driver is running executable code which could (I believe) just start an EXE install wizard anyway so this seems unpreventable.
Windows Update should behave differently depending on what it's handling. If it's signed by MS sure go on, if it's a simple signed driver file maybe directly load it too. But for anything else always request admin credentials and meanwhile keep using generic drivers if available.
Oh that's why they did that! I'd forgotten until your comment, but I remember thinking that was odd on an internship. Didn't occur to me that it was to prevent there being usable ports (and nor did I try to plug in any car park devices, like a good intern!).
My work was only confidential (and that only by default) but it was definitely interesting to be in an environment with secret sauce about, and processes for handling it. (Fire procedure not being drop everything and exit the building, for one.)
That's probably more to prevent data exfiltration. If you don't want random drivers being downloaded you can more reliably prevent it using group policy.
A 3rd party driver's capabilities should be scoped to whatever type of component it's for and in this case a mouse driver should only be allowed to do mouse things.
> Windows should not install random drivers from the Internet when a non-admin user is logged in.
In a perfect world, or at least a tech user world, sure. But there was a compromise to make, either this (and that behavior can be disabled), or user stayed on admin account at all time. Which was the norm for windows since forever. Even on vista people disabled UAC.
From that point of view this is still the more secure outcome, at least the admin hatch is only broken through sometimes, instead of always.
Not saying this shouldn't be improved, but if you look not only at the end result but also at the path to get there, it does make some sense.
Razer, the same company where installing Linux voids the warranty and BIOS and firmware upgrades need to be installed from Windows 10 just so you can have a black and green GUI.
Technically unrelated yes, but the one post seems clearly a follow-up to the other. Normally we downweight those, since avoiding repetition is a principle here:
There must be a USB gadget where you can just set any USB device ID to report to the host, so any infiltrator not wishing to give Razer money can just copy one of their USB IDs and plug the "yes I'm a Razer USB device" into a USB port.
I visited the article's linked tweet and the author's retweeted a product mention called OMG cable, that can do this (a product that looks like a normal USB cable but has things like keylogging capabilities).
How do companies still think it's acceptable to ignore responsible disclosure in the hopes the problem just goes away?
Even companies with the most automated non-existent customer service know they need to provide separate channels for legal and security so that they actually get read by a human.
It could be user or system or prices error rather than malice in this case: the message not getting to the right person (general mail fail, people monitoring that target being unavailable, misidentification as junk, ...) or that person/group missing it assist a sea of other comms. We don't know how much effort was made to chase a response.
Their response after the issue hit social media was far more decent than companies have done in the past:
> I would like to update that I have been reached out by @Razer and ensured that their security team is working on a fix ASAP.
> Their manner of communication has been professional and I have even been offered a bounty even though publicly disclosing this issue.
“Prices” should have been “policy” there. Also, “assist” → “amongst”.
Darned auto-carrot strikes again, and I was far too late noticing to be able to edit. Two in a short post, I'm not sure if the slide-keyboard is getting worse over time or my coordination is failing as I age but something seems to be failing more these days than it used to…
They probably just don't read their emails or messages.
Maybe customer support agents are just very badly trained. Or there is a second/third/fourth level that investigates those emails, but they are getting too many messages to go through all of them.
I tested this with a Raspberry Pi Pico and it works. The usb device name doesn't even have to match, only the VID and PIDs. I used Adafruit's CircuitPython and changed these two to 0x1532 and 0x0084. After attaching the Pico to a Windows VM with all current updates, the Razer Installer comes up and opens a file explorer NT authority/system.
The "open powershell here" option was missing in my VM, I don't think it's on by default. EDIT: Oh I have to hold shift while right clicking! My bad.
In case anyone wants to try this, I've uploaded the compiled firmware for the Pico here: https://anonfiles.com/T9L8F8D9u1/firmware_uf2 (circuitpython with changed VID / PID values)
There are a lot of issues here, but isn't a glaring one the fact that any random file browser window lets you get a shell? Shouldn't this be something for the developer to disable for their particular program if their use case of browsing to choose an install folder in no means requires it? Do the Microsoft APIs even allow for this kind of configuration?
Given they already have admin rights it's basically game over, but not having the option to open a shell would have still reduced the attack surface and required a "real" exploit to do so.
Not really, the windows file browser also lets you create and move files and directories. I guess you could ask to go down the route of not allowing that, but directory creation for one is super common.
It’s not admin, it’s NTAuth\SYSTEM, a much much higher privileged account.
System is the most powerful account in Windows, bypassing almost any system protection in place such as group policy, privilege and permissions, it can talk out of the box to a DC using the machine account password (this is different to a user password), and essentially become uncontested in a network.
If you're looking for a good keyboard I recommend KeyChron. I have used their mechanical keyboards (K4) for gaming and they feel great while I use their slim optical keyboard (K3) for software and general use. Both keyboards are 1/2 to 1/3 of the cost of the mainstream, brand name equivalents and, IMHO, double the quality.
Razer makes a lot of junk. I saw a headset stand with plastic and RGB. I don't know why someone would waste money or a bus port on a 5 dollar part with lights. That said, I do own one of their cameras and it's incredible quality. Corsair and Steel Series are usually my go to's.
Corsair is just as bad with their iCue junk software in my experience. Want to configure the LED colour of your mouse? That'll be a 750MB download currently with iCue 4.
What's even worse is that Windows automatically installs some Corsair software, which spams you with an iCue popup: https://imgur.com/0fKRYLT
Never buying another razer device after I recently found out that the user agreement allows them to collect all the keystrokes from my keyboard and send them to their company -- you know, so I can customize my keys' colors.
It does mention you can turn it off, but still sounds over the top to me.
"Mouse Usage Statistics. Synapse 2.0 offers a feature of collecting mouse usage statistics, specifically keystrokes, mouse-clicks, wheel-rotations and pointer distance travelled. Such collection of statistics may be turned on or off within Synapse and is under your own control."
From my reading of the paragraph it looks like that feature is totally local? A few sentences before they list out all the data they collect and send to razer, but the sentence about keystrokes doesn't give any indication it's sent to them.
They should approach this the complete other way: when you WANT admin rights, you have to insert a special device. Sort of like the cash registers where the manager needs to turn a special key to gain access to refund functionality.
Maybe you build it into specific other devices-- the administrator's favourite keyboard or mouse has the admin token, but the $4.99 Dells they hand out to the hoi polloi don't have it.
The database has several entries for Razer, one of which is the only one I've ever seen rated 10.
I come away with the impression that Razer care even less about security than Microsoft did in the early days of XP: an utterly unacceptable state to be in over 20 years later.
surprising that the auto-fetch/install stuff allows for non msi based installers. there's a whole vetting process for drivers, you'd think msi would be a requirement.
why non msi based installers still exist in any form in 2021 is a mystery to me.
Not surprised. I once bought top of the line Razer mechanical keyboard. The software is a steaming pile of crap and a known bug (random spamming of c key when pressing Ctrl + c) makes it unusable. Avoid.
This is part of why I don't use Razer (or Microsoft) products anymore.
Razer's UX is horrible on Windows, which is a shame since that's where most of their customers will use their products. The moment you plug in a Razer device, Windows starts downloading a 300mb installer that will prompt you to install the Razer management software each time you reboot/plug in the device. If you deny it, Windows will keep the installer and ask you next time anyways.
Shouldn't Jonhat disclose it to Microsoft before publishing it as a zero-day? This would really be something that Microsoft can and should block on their side.
It's a bit crazy that Windows downloads and installs random drivers when plugging in a device when a non-admin user is logged in and that should be fixed but besides this, they also have a way to block the offending driver for a while. Publishing it as a zero-day instead feels a bit irresponsible.
it always wound me up that the SteelSeries 900mb bullshit keyboard bloatware somehow downloaded itself and popped up on a brand new clean Windows install
(even disconnecting the machine from the internet first and disabling the various automatic driver downloads in GPO wasn't enough to stop it...)