Razer patches two security vulnerabilities in its Synapse software

Posted on Monday, August 07 2017 @ 13:16 CEST by Thomas De Maesschalck
While cloud-connected gaming peripherals have some merits, a lot of gamers hate devices that require you to install software and make an online account. Today's news about Razer reminds us that this isn't without danger either as these tools can introduce new security vulnerabilities on your computer.

Security researchers from SecureState found two vulnerabilities in Razer's Synapse software. Spencer McIntyre from SecureState notes the vulnerabilities were disclosed to Razer in March, but unfortunately Razer didn't respond until he buzzed them on Twitter. SecureState shared their findings with Razer and waited the standard 90 days before publicly revealing the Synapse vulnerabilities. Security researchers do this to keep companies sharp and to encourage them to release patches as soon as possible.

Details about the two vulnerabilities were disclosed mid-July as Razer still hadn't patched the flaws. It took Razer until August 1 to release an update. Exploitation of both vulnerabilities wasn't easy as it required a system that was already compromised via a vulnerability in other software.

Below are details about the two vulnerabilities. The first vulnerability could be exploited to gain root access on already compromised systems. The other one was a less potent flaw that enabled attackers to crash your computer and potentially leak memory.
The one identified by CVE-2017-9769 poses a threat to users as it could be leveraged by an attacker or malware to fully compromise the user's system. Think of a scenario where the user gets some kind of infection by visiting a website or opening a malicious email; this vulnerability could be used to go from the permissions that user has to a full system compromise.

The second one, identified by CVE-2017-9770, poses much less of a threat. It could be used to crash the user’s computer and potentially leak memory. The type of vulnerability it is makes it much more difficult to be used effectively in an attack than the first vulnerability.
Overall not that serious, but a good reminder that companies need to dedicate more time and resources to security.

