Microsoft failed to properly protect Windows PCs from malicious drivers for nearly three years, according to a report from Ars Technica. Although Microsoft says its Windows updates add new malicious drivers to a block list downloaded by devices, Ars Technica found that these updates never actually stuck.
This gap in coverage left users vulnerable to a particular type of attack called BYOVD, or bring your own vulnerable driver. Drivers are the files your computer’s operating system uses to communicate with external devices and hardware, such as a printer, graphics card, or webcam. Because drivers access the core of the device’s operating system, the kernel, Microsoft requires that all drivers be digitally signed, which proves that they are safe to use. But if an existing, digitally signed driver has a security hole, hackers can exploit it and gain direct access to Windows.
As noted by Ars Technica, Microsoft uses something called hypervisor-protected code integrity (HVCI) to protect against malicious drivers, which the company says is enabled by default on certain Windows devices. But both Ars Technica and Will Dormann, senior vulnerability analyst at cybersecurity company Analygence, found that this feature did not provide adequate protection against malicious drivers.
In a thread posted on Twitter in September, Dormann explains that he was able to successfully download a malicious driver onto an HVCI-enabled device, even though the driver was on Microsoft’s block list. He later discovered that Microsoft’s block list had not been updated since 2019, and that Microsoft’s Attack Surface Reduction (ASR) capabilities also did not protect against malicious drivers. This means that HVCI-enabled devices have not been protected from bad drivers for about three years.
Microsoft did not address Dormann’s findings until earlier this month. “We’ve updated the online documentation and added a download with instructions for directly applying the binary,” Microsoft project manager Jeffrey Sutherland said in response to Dormann’s tweets. “We are also fixing issues with our servicing process that prevented devices from receiving policy updates.” Microsoft has since provided instructions on how to manually update the blocked driver list with the vulnerable drivers that have been missing for years, but it still isn’t clear when Microsoft will automatically start adding new drivers to the list via Windows Update.
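For readers who want to check their own machines, the following is an added PowerShell example, not code from the article or from Microsoft. It reads the three layers the story discusses (HVCI status, the on-disk vulnerable driver block policy, and the Defender ASR driver rule) without changing anything; the CodeIntegrity paths and the ASR rule GUID are taken from Microsoft documentation as the editor understands it and should be treated as assumptions.

```powershell
# Added example: read-only posture check for BYOVD defenses on Windows 10/11.
# Run in an elevated PowerShell. Paths and the ASR GUID below are assumptions.

function Get-DriverBlocklistPosture {
    # Win32_DeviceGuard reports which VBS services are actually running (2 = HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $hvciRunning = @($dg.SecurityServicesRunning) -contains 2

    # The vulnerable driver blocklist is delivered as a WDAC policy file. Its timestamp
    # shows whether servicing has refreshed it, which is the gap the article describes.
    $ci = Join-Path $env:windir 'System32\CodeIntegrity'
    $policyFiles = Get-ChildItem -Path $ci -Filter '*.p7b' -ErrorAction SilentlyContinue |
        Select-Object Name, LastWriteTime
    $cipFiles = Get-ChildItem -Path (Join-Path $ci 'CiPolicies\Active') -Filter '*.cip' -ErrorAction SilentlyContinue |
        Select-Object Name, LastWriteTime

    # Defender ASR rule "Block abuse of exploited vulnerable signed drivers" (assumed GUID).
    $asrId = '56a863a9-875e-4185-98a7-b882c64b5ce5'
    $asrState = 'not configured'
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp -and $mp.AttackSurfaceReductionRules_Ids) {
        $ids = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
        $i = [array]::IndexOf($ids, $asrId)
        if ($i -ge 0) {
            # Action codes: 0 disabled, 1 block, 2 audit, 6 warn.
            $asrState = switch (@($mp.AttackSurfaceReductionRules_Actions)[$i]) {
                0 { 'disabled' } 1 { 'block' } 2 { 'audit' } 6 { 'warn' } default { 'unknown' }
            }
        }
    }

    [pscustomobject]@{
        HvciRunning       = $hvciRunning
        KernelCiEnforced  = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)  # 2 = enforced
        BlockPolicyFiles  = $policyFiles
        ActiveCipPolicies = $cipFiles
        AsrDriverRule     = $asrState
    }
}

Get-DriverBlocklistPosture | Format-List
```

A policy file whose LastWriteTime predates the current year, with HVCI running, is the combination the article reports: the enforcement engine is on but the list it enforces is stale.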
“The list of vulnerable drivers is updated regularly, but we have received feedback that there is a gap in the synchronization between versions of the operating system,” a Microsoft spokesperson said in a statement to Ars Technica. “We have fixed this and it will be serviced in upcoming and future Windows updates. The documentation page will be updated as new updates are released.” Microsoft did not immediately respond to The Verge’s request for comment.