quotes Ars Technica as saying that Microsoft has not been able to properly protect Windows PCs from malicious drivers for the past three years. Although Microsoft says Windows Update adds newly identified malicious drivers to the block lists downloaded to each device, these lists have not been working.

Because of this gap in protection, users are highly exposed to "bring your own vulnerable driver" (BYOVD) attacks.
A driver is a file the operating system uses to communicate with external devices and hardware such as printers, graphics cards or webcams. Because drivers can access the core of the operating system, the kernel, Microsoft requires all drivers to be digitally signed to prove they are safe to use. However, if a legitimately signed driver contains a security vulnerability, attackers can exploit that vulnerability to gain direct access to the kernel.
There is already evidence of attackers using this method. In August, attackers abused a flawed driver belonging to MSI Afterburner, an overclocking utility, to install BlackByte ransomware. Another recent case involved a vulnerable anti-cheat driver from the game Genshin Impact.
The North Korean hacker group Lazarus launched a BYOVD attack against an aerospace employee in the Netherlands and a political journalist in Belgium in 2021, but the security company ESET did not publicly expose it until the end of last month.
As Ars Technica points out, Microsoft relies on a feature called hypervisor-protected code integrity (HVCI) that should prevent malicious drivers from loading, and the company says it is enabled by default on certain Windows devices.
However, both Ars Technica and Will Dormann, a senior vulnerability analyst at the cybersecurity company Analygence, found that this feature does not provide adequate protection against malicious drivers.
In a post to Twitter in September, Dormann explained that he was able to successfully load malicious drivers on HVCI-enabled devices, even when the driver was on Microsoft's block list.
He later discovered that Microsoft's block list had not been updated since 2019, and that Microsoft's attack surface reduction (ASR) feature does not block malicious drivers either. This means that HVCI-enabled devices had gone unprotected against bad drivers for about three years.
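The practical question for a defender reading this is whether a given machine actually has memory integrity (HVCI) running, whether the vulnerable driver block list is enabled and how stale the applied policy is, and which non-Microsoft kernel drivers are currently loaded. The following PowerShell audit script is an added example, not code from the article, from Ars Technica or from Microsoft. It assumes the documented Win32_DeviceGuard WMI class, the VulnerableDriverBlocklistEnable registry value under the CI\Config key, and the default SiPolicy.p7b code-integrity policy path; the 2019 staleness threshold is taken from the article's finding that the list had not been updated since then.

```powershell
# Added example: audit HVCI and vulnerable-driver block list state on a Windows host.
# Run in an elevated PowerShell session. Paths, class and registry names below are
# assumptions based on Microsoft's documentation, not values taken from the article.

function Get-HvciStatus {
    # Win32_DeviceGuard reports virtualization-based security services.
    # In SecurityServicesRunning, 1 = Credential Guard and 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        HvciConfigured = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = [bool]($dg.SecurityServicesRunning -contains 2)
        # 0 = off, 1 = audit, 2 = enforced (code integrity policy enforcement status)
        CiPolicyEnforcement = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

function Get-DriverBlocklistStatus {
    # Assumed registry switch for the Microsoft vulnerable driver block list.
    $regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $enabled   = (Get-ItemProperty -Path $regPath -Name 'VulnerableDriverBlocklistEnable' `
                      -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    # Assumed default location of the applied WDAC policy that carries the block list.
    $policy    = Join-Path $env:SystemRoot 'System32\CodeIntegrity\SiPolicy.p7b'
    $policyAge = $null
    if (Test-Path $policy) {
        $policyAge = (Get-Item $policy).LastWriteTime
    }
    [pscustomobject]@{
        BlocklistEnabled = ($enabled -eq 1)
        PolicyPath       = $policy
        PolicyLastWrite  = $policyAge
        # The article's finding: a list last touched in 2019 is effectively useless.
        PolicyLooksStale = ($null -eq $policyAge) -or ($policyAge.Year -le 2019)
    }
}

function Get-ThirdPartyLoadedDrivers {
    # Inventory running kernel drivers whose Authenticode signer is not Microsoft.
    # These are the candidates an attacker could reuse in a BYOVD scenario, so they
    # deserve a place on the local allow/deny review list.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise NT-style prefixes such as \??\ and \SystemRoot\ to Win32 paths.
            $path = $_.PathName -replace '^\\\?\?\\', '' `
                                -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path $path)) { return }
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status
                Signer = $signer
            }
        } |
        Where-Object { $_.Signer -notmatch 'Microsoft Corporation|Microsoft Windows' }
}

# Report
$hvci = Get-HvciStatus
$bl   = Get-DriverBlocklistStatus
Write-Host "HVCI configured: $($hvci.HvciConfigured)  running: $($hvci.HvciRunning)  CI enforcement: $($hvci.CiPolicyEnforcement)"
Write-Host "Driver block list enabled: $($bl.BlocklistEnabled)  policy written: $($bl.PolicyLastWrite)  stale: $($bl.PolicyLooksStale)"
if (-not $hvci.HvciRunning -or -not $bl.BlocklistEnabled -or $bl.PolicyLooksStale) {
    Write-Warning 'Host is exposed to BYOVD: enable memory integrity and apply the current block list policy.'
}
Write-Host 'Running non-Microsoft kernel drivers:'
Get-ThirdPartyLoadedDrivers | Format-Table -AutoSize
```

The three checks map onto the three failures the article describes: HVCI not running means nothing enforces the policy at all, a disabled or 2019-dated policy means the policy enforces nothing useful, and the driver inventory shows which signed third-party kernel code is already present for an attacker to reuse.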
Microsoft fixed the issue earlier this month. "We have updated the online documentation and added a download with instructions for directly applying the install package version. We are also addressing issues in our servicing process that prevented devices from receiving policy updates."
A Microsoft spokesperson said: "The list of vulnerable drivers is updated regularly, but the feedback we have received is that there is a gap in synchronization between operating system versions. We have corrected this issue and it will be available in upcoming and future Windows updates. The documentation page will be updated as new updates are released."