Razer is a familiar name on our best gaming mouse and best gaming keyboard lists, but it turns out these serpentine peripherals have a rather unnerving hiden talent: simply plugging one in, and installing the Razer Synapse software, is apparently enough to grant admin privileges on any Windows 10 or Windows 11 PC.
Twitter user jonhat discovered the exploit, which was easily replicated by Bleeping Computer. The issue is largely down to how Windows Update automatically downloads the Synapse software: because Windows Update has SYSTEM (i.e. admin) privileges, it grants that same level of access to Synapse.
Where things can really get dodgy is during Synapse installation. You, or someone trying to mess with your PC, can open a PowerShell window from within the installer – and because Windows effectively gave Synapse admin powers, this gives the PowerShell window admin powers too. Thanks to that daisy chain of iffy security, anyone who knows how to run commands in PowerShell will essentially have admin control over the PC.
While there’s something darkly funny about a plastic RGB rodent bringing the downfall of someone’s otherwise locked-down rig, there’s obviously scope here for some genuinely nasty malpractice, from deleting important files to installing malware.
Need local admin and have physical access?— jonhat (@j0nh4t) August 21, 2021
- Plug a Razer mouse (or the dongle)
- Windows Update will download and execute RazerInstaller as SYSTEM
- Abuse elevated Explorer to open Powershell with Shift+Right click
Tried contacting @Razer, but no answers. So here's a freebie pic.twitter.com/xDkl87RCmz
That said, it seems like this is a fairly easy exploit to protect yourself against. For one thing, it’s reliant on the baddie having physical access to your PC, and frankly if they’ve got to that stage in the first place, there are a lot worse things they could do to it. If you are worried about leaving your PC unattended, though, you could always disable your system’s USB ports via Device Manager, then re-enable them once you return.
I’m also going to start telling people this is the reason I got rid of my last Razer mouse, and that it was absolutely not because I broke it on my desk during a miserable Deep Rock Galactic session like a giant baby man.