According to a report by Ars Technica, Microsoft failed to adequately defend Windows PCs against rogue drivers for almost three years. Microsoft claims that its Windows updates add newly discovered harmful drivers to a blocklist that devices download, but Ars Technica discovered that these upgrades never ever took effect.
Users were exposed to a specific kind of attack known as BYOVD, or bring your own vulnerable driver, because of this coverage gap. The operating system of your computer communicates with hardware such as a printer, graphics card, and webcam through files called drivers. Microsoft mandates that all drivers be digitally signed, demonstrating their safety for use, as drivers have access to the kernel, the heart of a device’s operating system.
We’ve already seen several of these attacks carried out in the wild. In August, hackers installed BlackByte ransomware on a vulnerable driver used for the overclocking utility MSI AfterBurner. Another recent incident involved cybercriminals exploiting a vulnerability in the anti-cheat driver for the game Genshin Impact. North Korean hacking group Lazarus waged a BYOVD attack on an aerospace employee in the Netherlands and a political journalist in Belgium in 2021, but security firm ESET only brought it to light late last month.
As noted by Ars Technica, Microsoft uses something called hypervisor-protected code integrity (HVCI) that’s supposed to protect against malicious drivers, which the company says comes enabled by default on certain Windows devices. However, both Ars Technica and Will Dormann, a senior vulnerability analyst at cybersecurity company Analygence, found that this feature doesn’t provide adequate protection against malicious drivers.
In a thread posted to Twitter in September, Dormann explains that he was able to successfully download a malicious driver on an HVCI-enabled device, even though the driver was on Microsoft’s blocklist. He later discovered that Microsoft’s blocklist hasn’t been updated since 2019 and that Microsoft’s attack surface reduction (ASR) capabilities didn’t protect against malicious drivers, either. This means any devices with HVCI enabled haven’t been protected against bad drivers for around three years.
Microsoft didn’t address Dormann’s findings until earlier this month. “We have updated the online docs and added a download with instructions to apply the binary version directly,” Microsoft project manager Jeffery Sutherland said in a reply to Dormann’s tweets. “We’re also fixing the issues with our servicing process which has prevented devices from receiving updates to the policy.” Microsoft has since provided instructions on how to manually update the blocklist with the vulnerable drivers that have been missing for years, but it’s still not clear when Microsoft will start automatically adding new drivers to the list through Windows updates.
“The vulnerable driver list is regularly updated, however, we received feedback there has been a gap in synchronization across OS versions,” A Microsoft spokesperson said in a statement to Ars Technica. “We have corrected this and it will be serviced in upcoming and future Windows Updates. The documentation page will be updated as new updates are released.” Microsoft didn’t immediately respond to The Verge’s request for comment.
