Kernel Mode Drivers Can Get Hacked

Paul Watson, PC Technician

Sunday, October 30th 2011

In the last couple of weeks, I’ve been writing about the difference between kernel-mode drivers and user-mode drivers, as well as the security concerns surrounding kernel-mode drivers. In brief, kernel-mode drivers run at the processor’s most privileged level so that they can talk to hardware directly and provide basic, time-sensitive services. Because code at that level can read and write any part of the operating system, a flaw in a kernel-mode driver is a favorite target of attackers: exploiting it turns a foothold in an ordinary program into control of the whole machine.

Kernel Mode Hacks Can Be Dangerous

Because kernel-mode drivers work so closely with protected parts of the operating system, they’re high on the list of targets. A kernel-mode compromise is what makes a rootkit possible: code running in the kernel can hide its own files, processes and network connections from the very tools a user would run to look for it, and can hand unrestricted access to a third party. Once a system has been compromised in this way it can be used for just about any purpose, including serving as part of a botnet, and it is open to theft of email, login credentials, passwords and financial data.

Beyond rootkits, other tools such as keystroke loggers benefit from kernel-mode access: a malicious filter driver inserted into the keyboard driver stack sees every keystroke before any user-mode program does, and nothing running in user mode can see it or block it. Keystroke loggers are a favorite of attackers who want to steal information without disturbing anything else on the computer. Undetected access is probably the most fearsome outcome of a kernel-mode compromise, because security can stay broken for a long time. Sensitive data, including access privileges, proprietary information and financial information, can be read, stolen or changed, and with that access further tools, including rootkits and back doors, can be loaded onto the compromised computer, where more damage can be done.

The registry is another weak point, because it is where Windows is told which drivers to load. Every kernel-mode driver is registered as a service under HKLM\SYSTEM\CurrentControlSet\Services, with values that give its type, when it starts (at boot, at system start, or on demand) and the path of its image file. Anyone, or any program, that can write those keys can have the kernel load a driver of their choosing on the next boot, taking over critical kernel-level functions in a way that may or may not be obvious to the user. A useful check, therefore, is to look for kernel-driver entries (Type 1 or 2) whose ImagePath points somewhere other than the system driver directory.
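As an added example (not code from the original post), here is how one might automate that check offline against the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services out.reg`. The .reg text it parses is constructed for the example, and the `rkdrv` entry is a hypothetical driver registered from a user-writable directory, not a real piece of malware:

```python
"""Triage kernel-mode driver registrations from a `reg export` of HKLM\\SYSTEM\\CurrentControlSet\\Services.
Added example, not from the original post.  The sample .reg text is constructed; 'rkdrv' is hypothetical."""
import re

KERNEL_DRIVER_TYPES = (0x1, 0x2)   # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# Constructed sample shaped like a `reg export` file: REG_EXPAND_SZ values appear as hex(2)
# (UTF-16LE bytes) wrapped onto continuation lines with a trailing backslash.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\disk]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,64,00,69,00,73,00,6b,00,2e,00,73,00,\
  79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rkdrv]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,55,00,73,00,65,00,\
  72,00,73,00,5c,00,50,00,75,00,62,00,6c,00,69,00,63,00,5c,00,72,00,6b,00,2e,00,\
  73,00,79,00,73,00,00,00
"""

_VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)$')   # "name"=value or @=default


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)     # .reg strings escape \ and " with a backslash


def decode_value(raw):
    """Decode the right-hand side of a value line (continuation lines already joined)."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1) or 3)       # bare "hex:" is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (1, 2):                # REG_SZ / REG_EXPAND_SZ: UTF-16LE, NUL-terminated
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}} for the text of a .reg export."""
    keys, current, buf = {}, None, None
    for line in text.splitlines():
        buf = line.rstrip() if buf is None else buf + line.strip()
        if buf.endswith("\\"):            # trailing backslash: value continues on next line
            buf = buf[:-1]
            continue
        logical, buf = buf, None
        if not logical or logical.startswith("Windows Registry Editor"):
            continue
        if logical.startswith("[") and logical.endswith("]"):
            current = logical[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(logical)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = decode_value(m.group(2))
    return keys


def _normalise(image):
    """Strip NT and Win32 path prefixes so images can be compared against System32\\drivers."""
    p = image.lower().replace("/", "\\")
    for prefix in ("\\??\\", "\\\\?\\", "\\systemroot\\", "%systemroot%\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    return re.sub(r"^[a-z]:\\windows\\", "", p)


def kernel_drivers(keys):
    """(service_name, type, start, image_path) for every kernel or file-system driver."""
    found = []
    for path, vals in keys.items():
        if vals.get("Type") in KERNEL_DRIVER_TYPES:
            name = path.rsplit("\\", 1)[-1]
            # With no ImagePath the loader falls back to System32\Drivers\<ServiceName>.sys
            image = vals.get("ImagePath") or f"System32\\Drivers\\{name}.sys"
            found.append((name, vals["Type"], vals.get("Start"), image))
    return found


def suspicious(drivers):
    """Kernel drivers whose image does not live under the system driver directory."""
    return [(name, START_NAMES.get(start, str(start)), image) for name, _t, start, image in drivers
            if not _normalise(image).startswith("system32\\drivers\\")]


if __name__ == "__main__":
    for name, start, image in suspicious(kernel_drivers(parse_reg_export(SAMPLE_REG))):
        print(f"{name}: {start}-start kernel driver registered from {image}")
```

A real export is written as UTF-16 with a byte-order mark, so open it with encoding="utf-16" before handing the text to parse_reg_export. The path check is deliberately narrow: a driver registered from a vendor directory is unusual but not necessarily malicious, so treat a hit as something to look at (check the file’s digital signature and who published it) rather than as a verdict.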

Microsoft recently announced that it would not support WebGL in Internet Explorer, for example, because it judged that doing so would compromise kernel security. WebGL is an API that lets a web page draw hardware-accelerated 3D graphics by sending its own shader programs and geometry to the graphics card, using a subset of OpenGL; that means untrusted page content reaches the display driver, part of which runs in kernel mode. Firefox and Chrome ship with WebGL turned on by default; Safari supports it to some extent but leaves it off until the user enables it. The speed that WebGL gives browser graphics comes from letting the page drive the graphics hardware more directly, and that direct path is exactly what can open up serious vulnerabilities when a driver mishandles what it is given. If you don’t need it, it can be switched off: in Firefox set webgl.disabled to true in about:config, and Chrome accepts a --disable-webgl command-line switch.

In short, the best way to protect yourself from kernel-mode attacks is to keep your system updated, and to apply critical security patches as soon as they come out. Part of the reason for this, as I discussed last week, is that attackers reverse engineer patches to find the vulnerability each one fixes, including flaws they had not previously recognized. A patched system is no longer vulnerable to that flaw, but many users simply don’t patch in a timely way, so by releasing exploits for newly patched vulnerabilities, attackers can still get into the systems that have not yet been patched.

Photo Credit: Jez, via Flickr

Kernel v User Level Windows Drivers

Paul Watson, PC Technician

Friday, October 21st 2011

In my last post, I talked about kernel-mode drivers. Most people don’t appreciate what the computer actually does when it controls hardware, so the distinction between Windows drivers that run in kernel mode and those that run in user mode is somewhat lost on them. Unfortunately, the greater power and fewer restrictions of drivers that run in kernel mode is precisely what attracts attackers to them.

IE9 Still Vulnerable

My reason for bringing this up is to underscore the importance of having up-to-date drivers and up-to-date applications installed on your system. Last week’s patch release from Microsoft included fixes for IE9 and, separately, a fix for Windows kernel-mode drivers. Unpatched systems remain vulnerable to these potentially serious attacks.

It’s important to note that when Microsoft releases a patch, bad actors reverse engineer it to find the flaw it fixes and then work out how to exploit that flaw. Patched systems are closed, but guess what? There are still plenty of unpatched systems that can be attacked. Generally, you have less than a month between the time Microsoft releases a patch and the time exploits designed to take advantage of the problem appear.

That’s not a hard-and-fast rule; it’s an approximation. Really juicy exploits can appear within days or even hours of a patch release, and that is the better case, where Microsoft has gotten to the bug before the attackers have. If the attackers got there first, Microsoft is in the reactive position and your systems are vulnerable until a patch is released.

The problem can be especially critical when the vulnerability involves kernel mode drivers – the drivers that operate at the very core of the operating system. They have the most access, the most power and the fewest restrictions, so a kernel mode driver hack is prized by the bad actors and feared by users and developers alike.

Kernel-mode drivers are the ones that deal directly with hardware: they handle interrupts, set up DMA transfers and talk to device registers, and much of that work is very time-sensitive. Video is a good example. The display has to be able to change instantly, without any perceptible delay, so the core of the display driver runs in kernel mode. The flip side is that if a kernel-mode driver crashes, or simply writes to the wrong address, the whole operating system goes down with it; that is what a blue screen (a bug check) is.

User-mode drivers, on the other hand, run in an ordinary process with no more privilege than any other program. They cannot touch hardware themselves; each request goes to a small kernel-mode component (in the User-Mode Driver Framework, the reflector) that does the privileged part on their behalf, so every I/O operation costs a switch into the kernel and back.

User-mode drivers are slower because of that overhead, but the good part is that their influence on the system is limited. If a user-mode driver crashes, only its own host process dies; the rest of the system is unaffected and the driver can be restarted.

Next week, I’ll wrap up the discussion on kernel mode drivers and share some famous (or infamous) kernel mode hacks.

Photo Credit: Alf Melin, via Flickr

Kernel Mode Drivers Still Vulnerable in Internet Explorer 9

Last week, Microsoft issued fixes for Internet Explorer 9, the latest version of the IE browser. The worst kind of security flaw allows a third party to execute commands, run programs or even take over the affected computer. One of Microsoft’s patches in the same release involves Windows kernel-mode drivers that could be compromised under the right circumstances.

What’s In A Windows Driver?

If you don’t know much about computers (and don’t really want to) this post might not hold much interest to you. In that case, just apply the latest set of patches and go on with your life! If you like knowing how things work, or why things are the way they are, knowing the difference between a kernel-mode driver and a user level driver might give you something to think about.

The Windows operating system is designed to work with different privilege levels. The most restricted level is user mode, where ordinary programs run. User mode isolates code from the rest of the operating system (and from other processes), which is good, because poorly written code at the user level can’t do much damage beyond its own process. The price is performance: software (including drivers) that runs in user mode is slower and carries more “overhead,” because every time it needs something from the hardware or the kernel it has to go through the operating system’s checks rather than doing the work directly.

In contrast, drivers that run at the most powerful level, kernel mode, are fast, but that speed comes with a price: a poorly written (or malicious) driver can crash the whole system. Since the kernel is the central part of the operating system, it has the most privileges and does the most important work. It also needs to be protected carefully, not just from malicious individuals but also from bad programming, which can cause the entire system to malfunction and crash.

Code that runs in kernel mode must be correct, secure and uncompromised for anything to work out right. When a flawed driver gets into the kernel, it can hand attackers control of the computer, let them defeat the built-in security measures and steal sensitive information. The kernel is the fastest and most powerful level precisely because, once code is running there, the controls that constrain user-mode programs no longer apply; the processor does not restrict kernel-mode code the way it restricts user-mode code. Its protection is that access to it is supposed to be strictly limited: only trusted, correctly written drivers are meant to get in, and user-mode programs can only ask the kernel to do things through narrow, checked interfaces.

In my next post, I’ll talk about the differences between kernel-level drivers and user-level drivers, and take a look at which kinds of hardware drivers operate at each level.

Photo Credit: Henrique Vicente, via Flickr

Driver Maintenance Won’t Go Away

Paul Watson, PC Technician

Friday, October 7th 2011

If you own a PC, you need to do driver maintenance. There’s no way around it, and your computer may not work properly without it! Windows Update can distribute drivers, but not all manufacturers (Dell, for example) use it. This means you may need to go directly to the manufacturer to get your Windows hardware drivers.

Driver Maintenance Can Be A Drag

There’s usually nothing to remind you to update drivers; you have to do that yourself. If you’re busy, you may forget to take time to maintain your PC. (Not a good approach, by the way.) If you’re not technically savvy, you may not realize that you need to update your own drivers. You may also know that you need to update your drivers, but you may not know how, or which drivers you need.

This all adds up to the strong potential that you’ll miss out on important or critical driver updates that your computer needs to ensure proper operation and security. Sometimes, important operating system updates like service packs can help you remember to update your drivers. Other times, your computer hardware just quits working, or starts behaving badly. Occasionally, a little overzealous file system cleaning can result in the deletion of drivers. You can also accidentally replace a good driver with a bad or incorrect one, and because you’re talking about bits and bytes, a driver – just like any other data on the computer – can become corrupted.

As I talked about last week, most users don’t keep backups of their hardware drivers. That complicates things somewhat when you need to reinstall a hardware driver for whatever reason. If downloading and installing drivers isn’t something you do regularly, you may not know what drivers your system needs, where to find them or how to install them.
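As an added example (not the post’s code, and not Driver Detective’s), the following Python builds a baseline of SHA-256 hashes for the driver images in a directory and later checks the directory against it, reporting images that were modified, deleted or added. The scenario it runs is constructed in a temporary directory with fake .sys files; on a real machine you would point it at %SystemRoot%\System32\drivers and keep the manifest somewhere that a compromise of the driver directory cannot also rewrite. Windows’ own driver signature enforcement is the first line of defence; a hash baseline additionally catches a good driver being silently swapped for a different, older or wrongly matched one.

```python
"""Baseline-and-verify integrity check for a driver directory.  Added example, not from
the original post.  The demo scenario below is constructed in a temporary directory."""
import hashlib
import json
import os
import tempfile

DRIVER_SUFFIXES = (".sys",)


def sha256_file(path):
    """Hash a file in chunks so large driver images don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, suffixes=DRIVER_SUFFIXES):
    """Map each driver image (path relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def verify(root, manifest, suffixes=DRIVER_SUFFIXES):
    """Compare the directory with the baseline: changed, deleted and new images."""
    current = build_manifest(root, suffixes)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: baseline three fake drivers, then corrupt one, delete one
    and drop in an unknown one.  Returns the verify() report."""
    with tempfile.TemporaryDirectory() as root:
        drivers = os.path.join(root, "drivers")
        os.mkdir(drivers)
        for name, body in (("disk.sys", b"MZ disk"), ("usbhub.sys", b"MZ usbhub"),
                           ("hdaudio.sys", b"MZ hdaudio")):
            with open(os.path.join(drivers, name), "wb") as f:
                f.write(body)
        manifest_path = os.path.join(root, "drivers.manifest.json")
        save_manifest(build_manifest(drivers), manifest_path)

        with open(os.path.join(drivers, "disk.sys"), "ab") as f:   # corruption or tampering
            f.write(b"\x00corrupt")
        os.remove(os.path.join(drivers, "usbhub.sys"))              # overzealous cleanup
        with open(os.path.join(drivers, "rk.sys"), "wb") as f:       # unknown new driver
            f.write(b"MZ rk")
        return verify(drivers, load_manifest(manifest_path))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {', '.join(paths) or '-'}")
```

Run it after every legitimate driver update to refresh the baseline; anything that shows up as modified or unexpected in between is worth checking against the vendor’s download before trusting it.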

That’s why I recommend Driver Detective as a solid approach to Windows hardware driver management. Driver Detective installs quickly and manages all aspects of all of your Windows hardware drivers. Driver Detective searches for the correct driver and driver updates for the drivers your system needs. It downloads, installs, monitors and maintains the drivers, and stores a local backup of the driver in case the installed driver becomes corrupted or lost.

You never have to worry about missing a driver update when you let Driver Detective worry about handling the driver maintenance for your system. More than one million users have downloaded Driver Detective and rely on it to keep their system updated and trouble-free!

Photo Credit: left-hand, via Flickr