Microsoft has failed to adequately protect Windows PCs from malicious drivers for nearly three years, according to a report by Ars Technica. Although Microsoft says its Windows updates add new malicious drivers to a blocklist that devices download, Ars Technica found that those updates never actually came through.
This gap in coverage has left users vulnerable to a type of attack called BYOVD, or bring your own vulnerable driver. Drivers are files your computer’s operating system uses to communicate with external devices and hardware, such as a printer, graphics card, or webcam. Because drivers can access the core of a device’s operating system, or kernel, Microsoft requires all drivers to be digitally signed to prove they are safe to use. But if an existing digitally signed driver has a security flaw, hackers can exploit it and gain direct access to Windows.
As Ars Technica notes, Microsoft uses something called hypervisor-protected code integrity (HVCI), which is supposed to protect against malicious drivers and which the company says is enabled by default on some Windows devices. However, both Ars Technica and Will Dormann, a senior vulnerability analyst at cybersecurity firm Analygence, found that this feature does not provide adequate protection against malicious drivers.
In a thread posted on Twitter in September, Dormann explains that he was able to successfully load a malicious driver onto an HVCI-enabled device, even though the driver was on Microsoft’s blocklist. He later found that Microsoft’s blocklist hadn’t been updated since 2019 and that Microsoft’s attack surface reduction (ASR) capabilities also didn’t protect against malicious drivers. This means that devices with HVCI enabled have gone unprotected against bad drivers for about three years.
Microsoft didn’t address Dormann’s findings until earlier this month. “We have updated the online docs and added a download with instructions to apply the binary version directly,” Microsoft project manager Jeffery Sutherland said in a reply to Dormann’s tweets. “We are also fixing the issues with our servicing process which has prevented devices from receiving updates to the policy.” Microsoft has since provided instructions on how to manually update the blocklist with the vulnerable drivers that have been missing for years, but it’s still unclear when Microsoft will start automatically adding new drivers to the list via Windows Update.
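Because the article's point is that HVCI being enabled says nothing about whether the blocklist policy actually reached the device, a practitioner will want to check both on a given host. The script below is an added example, not code from the article, from Microsoft, or from Dormann. It reads the Device Guard state that Windows exposes through WMI, and then checks two things the article says were silently missing: whether a blocklist policy file is present and whether Code Integrity has recently blocked anything. The policy file location (`SiPolicy.p7b` under `System32\CodeIntegrity`) and the registry toggle name (`VulnerableDriverBlocklistEnable`) are assumptions based on how newer Windows builds and Microsoft's manual-apply instructions expose the blocklist, not values taken from this page; run it in an elevated PowerShell session.

```powershell
# Added example (not from the article): audit a Windows host for the
# protections the article discusses. Requires an elevated session.

function Get-DriverBlocklistPosture {
    # Win32_DeviceGuard reports virtualization-based security state.
    # SecurityServicesRunning contains 2 when HVCI is actually running
    # (1 would be Credential Guard).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $hvciRunning = @($dg.SecurityServicesRunning) -contains 2

    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced.
    $ciMode = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
        0       { 'Off' }
        1       { 'Audit' }
        2       { 'Enforced' }
        default { 'Unknown' }
    }

    # Assumption: a manually applied blocklist policy is staged as
    # SiPolicy.p7b in the CodeIntegrity folder. A stale LastWriteTime is
    # exactly the kind of gap the article describes.
    $policyPath = Join-Path $env:SystemRoot 'System32\CodeIntegrity\SiPolicy.p7b'
    $policy = Get-Item -Path $policyPath -ErrorAction SilentlyContinue

    # Assumption: newer Windows builds expose the blocklist switch as this
    # registry value (1 = on). Absent on older builds.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $toggle = (Get-ItemProperty -Path $regPath -Name VulnerableDriverBlocklistEnable `
                                -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    # Code Integrity operational log: event 3077 is an enforced-mode block.
    # Zero events is not proof of safety; it can also mean nothing was ever
    # blocked because no policy was applied.
    $blocks = Get-WinEvent -FilterHashtable @{
                  LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
                  Id      = 3077
              } -MaxEvents 20 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        HvciRunning         = $hvciRunning
        CodeIntegrityMode   = $ciMode
        BlocklistPolicyFile = if ($policy) { $policy.LastWriteTime } else { 'not present' }
        BlocklistToggle     = if ($null -eq $toggle) { 'value not found' } else { $toggle }
        RecentBlockEvents   = @($blocks).Count
    }
}

Get-DriverBlocklistPosture | Format-List
```

The useful reading is the combination: `HvciRunning = True` together with `BlocklistPolicyFile = not present` (or a years-old timestamp) is the state the article describes, where the enforcement mechanism is on but the list it enforces was never delivered.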
“The vulnerable driver list is regularly updated, however we received feedback there has been a gap in synchronization across OS versions,” a Microsoft spokesperson said in a statement to Ars Technica. “We have corrected this and it will be serviced in upcoming and future Windows updates. The documentation page will be updated as new updates are released.” Microsoft did not immediately respond to The Verge’s request for comment.