Razer mice could let strangers take over your Windows 10 PC

UPDATE, 8/23: A Razer spokesperson got in touch with Tom's Guide to issue the following statement:

"We were made aware of a situation in which our software, in a very specific use case, provides a user with broader access to their machine during the installation process. 

"We have investigated the issue, are currently making changes to the installation application to limit this use case, and will release an updated version shortly. The use of our software (including the installation application) does not provide unauthorized third-party access to the machine. 

"We are committed to ensuring the digital safety and security of all our systems and services, and should you come across any potential lapses, we encourage you to report them through our bug bounty service, Inspectiv: https://app.inspectiv.com/#/sign-up."

ORIGINAL: Razer makes some excellent gaming mice, from the versatile Razer DeathAdder V2, to the diminutive Razer Orochi V2. But while the peripherals themselves are beyond reproach, the software could leave a big hole in your PC’s defenses. A security researcher recently discovered that he could trick the Razer Synapse software into thinking he had full admin access in Windows 10, and the trick is easy to replicate. The bad news is that there’s no fix yet, but the good news is that the risk for most users seems minimal.

Information comes from Windows enthusiast site MSPoweruser, reporting on a Twitter thread from security researcher “jonhat.” In a short video, jonhat demonstrates an escalation-of-privilege flaw inherent to Razer mice. If exploited, this flaw lets a malefactor access any Windows 10 PC as an administrator, rather than a limited user. Once that happens, they could steal files or install malware.

• Get the best gaming mouse for your rig
• Also try the best gaming keyboards
• Plus: New PS5 model now on sale — here’s what’s changed

Before we get into the specifics of how the vulnerability works, there are two important pieces of information to keep in mind. First and foremost, Razer does not yet have a patch for this flaw. The company patches its Synapse software frequently, so expect an update soon. Until then, however, it’s up to users to protect their own machines.

That brings us to the second point: the flaw is relatively impractical to exploit in everyday circumstances. To gain admin access via a Razer mouse, a malefactor needs physical access to a PC. That means a stranger would need to be in your home or your workplace, unsupervised, and have a Razer mouse or dongle handy. This could admittedly happen in a shared workplace, but it would take a lot of effort and coordination to pull off.

In any case, here’s how the flaw works: First, a malefactor plugs a Razer mouse into a Windows 10 PC. Assuming that Synapse isn’t already installed, the mouse will run an EXE called “RazerInstaller.” The vulnerability lies in the fact that RazerInstaller runs as SYSTEM rather than an individual user account.

As such, a user can pick a location to install Synapse. Once Windows Explorer is open, they can then run Powershell and use the Command Prompt to do, well, almost anything. A savvy Command Prompt user can copy files, install software, or just flat-out wipe a PC.

Technically speaking, you don’t even need a Razer mouse to replicate this flaw. Simply creating a USB drive that mimics a Razer mouse would suffice. As long as the RazerInstaller EXE runs from the USB drive, the rest of the vulnerability is relatively easy to exploit.

Luckily, Razer Synapse updates automatically by default, so once Razer puts out a patch, most users should get it without any extra effort. Microsoft can also remove the faulty driver from Windows Update, and replace it with a newer one when available. In the meantime, however, make sure you keep your PC — and your Razer mice — to yourself.