News, 26.10.2022, 12:00 PM
Microsoft said it has fixed an issue that caused its list of blocked vulnerable drivers to not sync on devices running older versions of Windows.
This list of blocked drivers is intended to prevent hackers from installing legitimate but vulnerable drivers in so-called BYOVD (Bring Your Own Vulnerable Driver) attacks on Windows computers with HVCI enabled or those running Windows in S mode.
Vulnerable drivers can be used by hackers to escalate privileges in the Windows kernel and execute malicious code, disabling security software and taking control of the device.
This is a well-known and popular attack technique among hackers, used by both ransomware groups and state-sponsored ones.
Although Microsoft claimed that its driver block list protects Windows systems from BYOVD attacks, that turned out not to be true.
Analygence security analyst Will Dormann found that, unlike Windows 11 devices, even fully updated Windows 10 and Windows Server systems had an outdated list of vulnerable drivers dating from December 2019, while users thought they were protected from BYOVD attacks.
Microsoft reluctantly admitted that Dormann's claim was true and promised to fix the problem, which it finally did more than a month after Dormann discovered it. Now the list of blocked drivers on older versions of the OS will be the same as the updated list on Windows 11 21H2 and later releases.
The block list is also enabled by default on all devices. However, users can turn it off using the Windows Security application.
Microsoft also emphasized that blocking drivers may cause problems with the device or software, and that there is no guarantee that the list will block every vulnerable driver.