1. 32

  2. 19

    It’s worse than that. You can spoof the USB ids of a Razer device with (say) a rooted Android phone & convince Windows to install the Razer drivers. Don’t even need to have the hardware to hand!

    I can’t quite work out which is worse here - Razer for their craptastic software, or Microsoft for letting an ordinary user install software with system level privileges without any kind of Admin permissions being required.

    There will always be some device driver, somewhere that’s exploitable (although this is a particularly egregious example), so allowing anyone to walk up to a Windows machine & trigger the installation of a device driver of their choice seems like a recipe for disaster.

    1. 4

      This is also pretty similar to why PrinterNightmare issue existed - server allowing normal users to bring their own print drivers. I’d be surprised if another problem like that wasn’t discovered this year.

    2. 6

      Razer driver software is trash. Their software is bad and they should feel bad. For years they had a bug where if you plugged in your “gaming keyboard controller” dealie, it would somehow detect whenever you launch Minecraft, and intercept the JVM arguments so it didn’t have enough ram to run properly, and there was nothing you could do but uninstall the fucking thing.

      It’s been sitting in the cupboard ever since.

      1. 4

        it would somehow detect whenever you launch Minecraft, and intercept the JVM arguments so it didn’t have enough ram to run properly,

        holy cow. What on earth were they thinking? Did you figure out why they do that?

        1. 8

          It looks like they were globally setting the environment variable _JAVA_OPTIONS in order to limit their own application’s heap size to 512Mb. Fun!

          1. 3

            No, they weren’t setting the global java options, as a Java dev I would’ve found that and turned it off in 2 minutes, and wouldn’t even remember it being a thing this long later.

            1. 1

              Oh no

              1. 2

                It did work via env, but the insidious part was I couldn’t figure out how it was doing it, or how to work around it.

            2. 3

              ooh, that is terrible engineering. Why would they not have their own env variable? Who thinks it is a good idea to change a global system enviroment variable to make one tool run?

              btw, I am surprised they use java on the desktop, I thought that was basically dead except IDEs/developer tools.

              1. 2

                they use java on the desktop

                not anymore, I have their device and the control software seems to be JRE-free, it’s .net/C#/WPF instead.

            3. 2

              IIRC it was a side-effect of something they were doing to make the controller more useful for minecraft, that wasn’t a problem on machines with less ram than I had at the time… Sorry but it was about 5 or 6 years ago now, so it’s fuzzy :)

            4. 2

              I think it’s all drivers/apps of a certain market segment. To rebind buttons on a Logitech mouse you have the official 400MB application for example. I’m sure it supports other devices and does other things as well… But for a single mouse owner, that doesn’t matter.

            5. 3

              Don’t even get me started on trying to synchronize the RGB lights in my computer… Straight up, Asus’ RGB software triggers Anti-cheat software for some reason. I don’t want to know the shoddy engineering that went into that program.

              1. 3

                When we plugged the Razer device into Windows 10, the operating system automatically downloaded and installed the driver and the Razer Synapse software.

                Can hardware vendors (and MitM) run whatever they want with elevated privilege on users’ Windows boxes by manipulating the driver installer? Please tell me the drivers are pre-approved by Microsoft and verified by a hash or something, otherwise that’s scary…

                1. 6

                  Not only are the drivers vetted by Microsoft; Microsoft does some best-of-breed static analysis on their drivers, which is part of why Windows the kernel in 2021 is honestly rock-solid.

                  I have no idea about the control software, though. That didn’t even used to be a thing, so I’m not sure what the rules are.

                  1. 2

                    Unfortunately static analysis does miss things! So it would be nice to at least prompt and warn people: I’d argue that while Microsoft do a fine job this sort of thing is still partly a design issue.

                    Thanks for the interesting link to the driver verifier, I can see I’m off down a rabbit hole today…

                2. 2

                  I don’t get why they didn’t report it to Microsoft.

                  The issue is that Windows 10 downloads and runs Razer crap.

                  1. 1

                    I just saw the similar story posted by Yogthos a minute too late. This post can be deleted or folded into the other entry as appropriate.