Microsoft has failed to properly protect Windows PCs from malicious drivers for nearly three years a report of Ars Technica. Although Microsoft says its Windows updates add new malicious drivers to a block list downloaded by devices, Ars Technica found that these updates never really crashed.
This coverage gap left users vulnerable to a certain type of attack called BYOVD, or bring your own vulnerable driver. Drivers are the files your computer’s operating system uses to communicate with external devices and hardware, such as a printer, graphics card, or webcam. Because drivers access the core of a device’s operating system, or kernel, Microsoft requires all drivers to be digitally signed, demonstrating that they can be used safely. But if an existing digitally signed driver has a vulnerability, hackers can exploit it and gain direct access to Windows.
As noted by Ars TechnicaMicrosoft uses something called hypervisor-protected code integrity (HVCI) that should protect against malicious drivers, which company says it is enabled standard on select Windows devices. However, both Ars Technica and Will Dormann, a senior vulnerability analyst at cybersecurity firm Analygence, found that this feature does not provide adequate protection against malicious drivers.
In a thread posted on twitter in September, Dormann explains that he managed to download a malicious driver onto an HVCI device, even though the driver was on Microsoft’s block list. He later found that Microsoft’s block list hasn’t been updated since 2019, and that Microsoft’s ASR (Attack Surface Reduction) capabilities also don’t protect against malicious drivers. This means that all devices with HVCI enabled have not been protected from bad drivers for about three years.
Microsoft only commented on Dormann’s findings earlier this month. “We’ve updated the online docs and added a download with instructions to apply the binary directly,” Microsoft Project Manager Jeffery Sutherland said in a reply to Dormann’s tweets. “We’re also resolving issues with our maintenance process that prevented devices from receiving policy updates.” Microsoft has since provided instructions on how to update the block list manually with the vulnerable drivers missing for years, but it’s still not clear when Microsoft will automatically add new drivers to the list through Windows updates.
“The list of vulnerable drivers is regularly updated, but we have received feedback that there is a gap in synchronization between OS versions,” a Microsoft spokesperson said in a statement. Ars Technica. “We have corrected this and it will be maintained in upcoming and future Windows updates. The documentation page will be updated as new updates are released.” Microsoft did not immediately respond to The edge‘s request for comment.
