
Bug gives a user system privileges by plugging in Razer mouse or keyboard

Victor Barreiro Jr.
Razer is working to fix the vulnerability on its end

A bug in the Synapse software of gaming peripheral maker Razer can allow a user to gain administrative privileges on Windows 10 devices just by plugging in a Razer-branded mouse or keyboard.

Tech site Bleeping Computer said in a report on Sunday, August 22, that the bug was disclosed by security researcher jonhat on August 21, after the company did not initially give a response regarding the discovered issue with the software.

Getting system privileges

System privileges are user rights in Windows that allow the user to run any command on the operating system.

Gaining them would allow a malicious actor to install whatever they want on a device, including malware.

Razer Synapse is software used to configure Razer devices.

Jonhat said the issue would allow anyone with a Razer mouse or associated dongle to “abuse elevated Explorer to open Powershell with Shift+right click” during the process.

Bleeping Computer confirmed the issue during its own testing, but noted it was a local privilege escalation vulnerability, which meant a user needed physical access to the computer as well as a Razer device – which can cost somewhere around $20 at the bare minimum to buy – to exploit the vulnerability.

Razer has since acknowledged jonhat’s tweet and said it was working to fix the vulnerability. It also offered jonhat a bounty for the disclosure.

The issue was also noted and reported to Razer earlier by Lee Christensen (@tifkin_).

His tweets and reporting were done earlier, so the issue has been known, and in this case acknowledged, by Razer at least as far back as July 30.

In the meantime, this vulnerability raises the question: what other devices might be able to exploit the same issue?

Security researchers are likely investigating, but tweets online point to even an Android phone with the right tweaks being enough to get the exploit – or something similar to it, given the nature of Windows Update – to work. – Rappler.com
