Razer Synapse is generally decent software, and the company makes some of the best gaming mice. Despite this, the software has a new zero-day vulnerability that makes it possible for almost anyone to gain administrator rights on a computer simply by connecting a mouse or keyboard.
Razer zero-day vulnerability
The vulnerability was first discovered by a security researcher. Jonhat and made public on Twitter. It was then tested and verified by Computer ringing. The post was able to confirm that the vulnerability exists.
All you need to do is connect a mouse, dongle the razer keyboard. Next, Windows 10 will download and run RazerInstaller as SYSTEM, which grants all privileges. From there, you can use elevated Explorer to open Powershell with a keyboard shortcut. Once this is done, the sky is the limit in terms of what you can do on the computer.
¿Necesita un administrador local y tiene acceso físico?
– Conecta un mouse Razer (o el dongle)
– Windows Update descargará y ejecutará RazerInstaller como SYSTEM
– Abuso de Explorer elevado para abrir Powershell con Shift + clic derechoI tried to contact @Razer, but there are no answers. So here is a gift pic.twitter.com/xDkl87RCmz
– jonhat (@ j0nh4t) 21 August 2021
Apparently, this vulnerability requires the person to be physically close to the computer to connect a Razer peripheral, so it's not the type of threat you should worry about being remotely exploited. Even so, anything that could grant an unauthorized person full access to a computer without permission is something to be taken seriously and fixed quickly.
What is Razer doing?
Fortunately, Razer reached out to the researcher who discovered the vulnerability and mentioned that they are working on a fix as quickly as possible.. Hopefully, an update will be released soon that will solve the problem, since it must be addressed before too many people exploit it.
Generously, Razer offered researcher jonhat a reward even though he publicly disclosed the bug, so the company seems to be grateful that the bug was discovered, allowing Razer to fix it to avoid future vulnerabilities.
