Windows co-installers, sneaky bloatware, and local privilege escalation

On 2021-08-21, security researcher @j0nh4t highlighted a local privilege escalation technique for Windows 10 which is about as simple as it gets. Plug in a Razer mouse, get an elevated PowerShell:

Lots of people have noted that this isn’t limited to Razer by any means, nor is it limited to mice. I own one Razer device – a Razer Kiyo webcam – and it is also vulnerable, because Razer decided to let the user select where the software should be installed using a UI with SYSTEM privileges. Nice.

Various other people have pointed out, not without cause, that this isn’t just a Razer problem. Razer should have listened to @j0nh4t, but this LPE, which requires almost no skill or knowledge to use, wouldn’t have been possible without Microsoft’s free and easy approach to installing stuff so it just works (PrintNightmare, anyone?)

Windows, could you please just not do this?

Still more people have suggested that the only mitigation available looks like this:

  1. Keeping all your drivers up to date. Good call, but I don’t want to install the Razer bloatware and I never will, so it’s going to prompt me every time even if the drivers are up to date.
  2. Controlling who has physical access to your machine. If someone’s in my house accessing my computer without my consent, I have a bigger issue anyway.
  3. Err, that’s it. Really? No config switch to prevent Windows rolling out the red carpet and insisting we install bloatware with wide-open vulnerabilities?

Happily, there is a better way. Will Dormann, Vulnerability Analyst at the CERT/CC, points out that it is possible to tell Windows 10 that actually, no, you don’t want stuff automatically running and installing just because you’ve plugged in a mouse:

I tested it. Works for me. Here’s the .reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer]
"DisableCoInstallers"=dword:00000001
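If you would rather apply the same setting from PowerShell and check that it actually took, here is a small script that does so. It is an added example, not from the original post or from Will Dormann; it assumes an elevated PowerShell prompt, and the function names are my own.

```powershell
# Added example: audit and apply DisableCoInstallers from an elevated PowerShell.
# The key lives under HKLM, so this needs administrator rights.
#Requires -RunAsAdministrator

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer'
$Name    = 'DisableCoInstallers'

function Get-CoInstallerState {
    # Returns the current DWORD value, or $null if the value has never been set
    # (an absent value means co-installers are still allowed to run).
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-CoInstallerState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Enable)   # -Enable re-allows co-installers; the default disables them

    $desired = if ($Enable) { 0 } else { 1 }
    if (-not (Test-Path $KeyPath)) {
        # The key normally exists on Windows 10; create it if it does not.
        New-Item -Path $KeyPath -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$Name", "Set to $desired")) {
        Set-ItemProperty -Path $KeyPath -Name $Name -Value $desired -Type DWord
    }
}

$before = Get-CoInstallerState
$label  = if ($null -eq $before) { 'not set (co-installers allowed)' } else { $before }
Write-Host "Before: $label"

Set-CoInstallerState      # add -WhatIf to preview, or -Enable to revert the change

$after = Get-CoInstallerState
if ($after -eq 1) {
    Write-Host 'DisableCoInstallers = 1: Windows will no longer auto-run vendor co-installers.'
} else {
    Write-Warning "DisableCoInstallers is '$after'; co-installers are still allowed."
}
```

The setting only affects device installs that happen after it is applied; software a co-installer has already dropped onto the machine stays where it is.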

Learning how to learn

When another Twitter user asked, Will Dormann was also kind enough to explain how he discovered this one simple trick to stop Windows from being so annoying while simultaneously making it so easy to compromise a machine:

Freedom, security, and convenience

Are there downsides to preventing automatic installation/running of whatever software has made it through the clearly lax Microsoft and vendor review processes? Sure, you will sacrifice some convenience here:

It is important to note that making this change will block a device’s configuration software from automatically being installed. Instead, you will need to download and install it from the vendor’s site manually.

Lawrence Abrams, BleepingComputer

I’m very much OK with that. Perhaps you are too.
