According to a report by Ars Technica, Microsoft has failed to adequately protect Windows PCs from malicious drivers for nearly three years. Although the company claimed that Windows updates add newly discovered malicious drivers to a blocklist downloaded to devices, Ars Technica found that this was never actually the case. Let’s look at what really happened.
Microsoft: Windows PCs at the mercy of malware because of a mistake
Because of a gap in Windows PC updates, Microsoft has left users vulnerable to a type of attack called BYOVD (bring your own vulnerable driver), which in practice made vulnerable drivers easy to abuse. Because drivers can access the core of a device’s operating system, the kernel, Microsoft requires that they be digitally signed, certifying that they are safe to use. But if a digitally signed driver turns out to contain a security flaw, attackers can exploit it and gain direct access to the Windows kernel. For this very reason, Microsoft provides the so-called “hypervisor-protected code integrity” (HVCI) feature, which is supposed to protect against malicious drivers. However, both Ars Technica and vulnerability analyst Will Dormann found that this feature does not provide adequate protection against malicious drivers.
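Since the article’s point is that HVCI was assumed to be protecting devices when it was not, the first thing an administrator wants to know is whether HVCI is even running on a given machine. The PowerShell snippet below is an added example, not code from the article or from Microsoft; it queries the Win32_DeviceGuard WMI class that Windows exposes for this purpose and assumes it is run in an elevated PowerShell session on Windows 10 or 11.

```powershell
# Added example (not from the article): report whether virtualization-based
# security (VBS) and hypervisor-protected code integrity (HVCI) are configured
# and actually running on this machine. Assumes an elevated PowerShell session.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard'

# The SecurityServices* arrays list enabled services; the value 2 denotes HVCI.
$hvciConfigured = $dg.SecurityServicesConfigured -contains 2
$hvciRunning    = $dg.SecurityServicesRunning    -contains 2

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
    0 { 'Not enabled' }
    1 { 'Enabled, not running' }
    2 { 'Running' }
    default { "Unknown ($($dg.VirtualizationBasedSecurityStatus))" }
}

[PSCustomObject]@{
    VBSStatus      = $vbsStatus
    HVCIConfigured = $hvciConfigured
    HVCIRunning    = $hvciRunning
}

if (-not $hvciRunning) {
    Write-Warning 'HVCI is not running: vulnerable drivers can be loaded without restriction.'
}
```

Note the caveat this article makes unavoidable: even when HVCIRunning reports True, that says nothing about whether the driver blocklist policy the feature enforces is current. A machine can pass this check and still load a driver that Microsoft has known to be vulnerable for years, which is exactly the gap described here.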
Thanks for all the feedback. We have updated the online docs and added a download with instructions to apply the binary version directly. We’re also fixing the issues with our servicing process which has prevented devices from receiving updates to the policy.
— Jeffrey Sutherland (@j3ffr3y1974) October 6, 2022
In a thread posted on Twitter in September, Dormann explained that he was able to successfully load a malicious driver on an HVCI-enabled device, even though the driver was on Microsoft’s blocklist. Only later did he discover that Microsoft’s blocklist had not been updated since 2019, and that Microsoft’s attack surface reduction (ASR) capabilities had not protected devices for a full three years. “We have updated the documents online and added a download with instructions to apply the binary version directly,” said Microsoft project manager Jeffrey Sutherland in a reply to Dormann’s tweets. “We are also addressing issues with our maintenance process that prevented devices from receiving updates.”
Since the beginning of the month, Microsoft has also provided instructions on how to manually update the blocklist with the vulnerable drivers that have been missing from it for years. But it is still unclear when Microsoft will start adding new drivers to the list automatically through Windows updates. “The list of vulnerable drivers is updated regularly; however, we have received feedback that there has been a gap in synchronization between OS versions,” a spokesperson said. “We have corrected this problem and it will be fixed in the next and future Windows updates.”