Microsoft failed to safeguard Windows PC users from malicious drivers since 2019, according to a report. Computers use drivers to communicate with external devices such as hard disks, cameras, printers, and smartphones. Each driver is required to be digitally signed to ensure that it is safe for use. If, however, an existing digitally signed driver has a security flaw, it could be easily exploited by hackers. This has reportedly caused people to be exposed to a type of cyberattack called Bring Your Own Vulnerable Driver (BYOVD) that grants hackers direct access to the PCs running on Windows, by exploiting known flaws in driver software.
Microsoft uses hypervisor-protected code integrity (HVCI) as a security measure against such attacks. Citing senior vulnerability analyst Will Dormann, ArsTechnica reports that this security tool did not properly protect users against being infected through compromised drivers.
Last month, Dormann posted a Twitter thread on how he was able to download a malicious driver on a Microsoft HVCI-enabled device, which should have been blocked. He claims that the blocklist had not been updated since 2019, implying that users were not protected by Microsoft from these drivers for years.
What’s concerning is that regardless of how many Windows Updates happen, the code integrity policy on a Win10 machine is at least 2 years old.
That is, while HVCI-enabled systems will get the benefit of automatic driver blocking, the list never updates, so will be quite old! pic.twitter.com/pd8bhHNOLo
— Will Dormann (@wdormann) September 21, 2022
Earlier this month, Microsoft project manager Jeffery Sutherland replied to Dormann’s tweets and revealed additional protectional measures the company had recently undertaken to mitigate the issue. “We have updated the online docs and added a download with instructions to apply the binary version directly,” Sutherland tweeted.
Thanks for all the feedback. We have updated the online docs and added a download with instructions to apply the binary version directly. We’re also fixing the issues with our servicing process which has prevented devices from receiving updates to the policy.
— Jeffrey Sutherland (@j3ffr3y1974) October 6, 2022
Microsoft told ArsTechnica that it adds malicious drivers to a blocklist, that receives regular updates. “The vulnerable driver list is regularly updated, however we received feedback there has been a gap in synchronization across OS versions. We have corrected this and it will be serviced in upcoming and future Windows Updates. The documentation page will be updated as new updates are released,” the company said.
Meanwhile many cases of BYOVD attacks have made it to the headlines in recent times. Recently, cybercriminals exploited a vulnerability in the anti-cheat driver for the game Genshin Impact. Last year, North Korean hacking group Lazarus used a BYOVD attack on an aerospace employee in the Netherlands.