As reported by BleepingComputer, a zero-day flaw in the Razer Synapse software grants Windows admin privileges to anyone who plugs their Razer mouse or keyboard into a Windows 10 laptop or desktop.
Used by more than 100 million users, Razer Synapse is a program that lets you customize your gaming accessories. It was made so you could set macros, assign buttons, and change your RGB lighting — now it can help a bad actor effectively gain control of someone’s computer.

The software vulnerability was discovered by security researcher jonhat, who disclosed the bug on Twitter after informing Razer and not receiving a response.

According to jonhat, after a Razer mouse is plugged in, the PC in use will automatically download and execute the Razer Synapse software. Because it is launched by a process with SYSTEM privileges, those privileges are inherited by Synapse. While you are manually choosing which folder to install the Synapse software in, there is a way to open a PowerShell window. The installer, running with heightened privileges, then hands those privileges over to PowerShell during the download process. At this point, the Razer mouse owner could execute any desired command and install malicious programs.

Even more concerning is that Will Dormann, a vulnerability analyst at CERT/CC, believes similar bugs will be found in other software that uses the Windows plug-and-play process.
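The chain described above leaves a distinctive trace on the endpoint: a shell running as SYSTEM whose parent is a device installer rather than a Windows service host. The following is an added example (not from the article, Razer, or CERT/CC) that scans constructed Sysmon-style process-creation records for that pattern; the installer image name and the allowlist of expected SYSTEM parents are assumptions to tune for your own environment.

```python
# Added example, not from the article: look for a shell (powershell.exe,
# pwsh.exe, cmd.exe) that runs as SYSTEM under a parent that is not an
# expected service host. The log format and the installer image name below
# are constructed placeholders, not values taken from the article.
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumed allowlist of parents that legitimately spawn SYSTEM shells.
EXPECTED_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "wininit.exe"}


def parse_event(line):
    """Turn a 'Key: value|Key: value' record (constructed format) into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def image_name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_system_shell_from_installer(ev):
    """True when a shell runs as SYSTEM but its parent is not a service host."""
    return (image_name(ev.get("Image", "")) in SHELLS
            and ev.get("User", "").upper() == SYSTEM_USER
            and image_name(ev.get("ParentImage", "")) not in EXPECTED_SYSTEM_PARENTS)


def find_suspicious(lines):
    """Return the parent image of every record matching the pattern."""
    events = [parse_event(line) for line in lines]
    return [ev["ParentImage"] for ev in events if is_system_shell_from_installer(ev)]


# Constructed sample records: two benign, one matching the plug-and-play chain.
SAMPLE_LOG = [
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage: C:\\Windows\\explorer.exe|User: DESKTOP\\alice",
    "Image: C:\\Windows\\System32\\cmd.exe|ParentImage: C:\\Windows\\System32\\svchost.exe|User: NT AUTHORITY\\SYSTEM",
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage: C:\\Windows\\Installer\\HypotheticalDeviceInstaller.exe|User: NT AUTHORITY\\SYSTEM",
]

if __name__ == "__main__":
    for parent in find_suspicious(SAMPLE_LOG):
        print("SYSTEM shell spawned by non-service parent:", parent)
```

Only the third record is flagged: the user-launched PowerShell and the svchost.exe-spawned SYSTEM cmd.exe are both expected.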
Razer working on a fix
The zero-day vulnerability spread like wildfire across social media before getting the attention of Razer. The company told jonhat that it is working on a fix, though no timeline was given for when it’ll arrive. Although the vulnerability was publicly disclosed, Razer offered jonhat a bounty for bringing this troubling flaw to their attention.