Microsoft has reportedly failed at protecting Windows against malicious drivers. Although the company has advertised that its Windows Update mechanism blocks vulnerable drivers, a publication has proved otherwise, pointing out that the list of affected drivers was not updated in time. This, in turn, left millions of customers unguarded against a malware infection technique that has been active recently called BYOVD, which stands for “bring your own vulnerable driver.” Let’s understand what happened in detail.
Drivers are software components that let a computer work with peripheral devices such as printers, cameras, and graphics cards, among others. They act as a bridge between the core of the operating system and the device to get a specific task done. In the process, drivers often require access to the kernel, the most sensitive part of an operating system.
To protect the kernel from unauthorised access, Microsoft does not allow drivers from untrusted sources to load into it. However, hackers and bad actors are now using “legitimate drivers” that contain memory corruption vulnerabilities to get past the security barriers set by Microsoft. Such drivers have allowed cybercriminals to access the kernel and take control of users’ devices, and this technique of abusing legitimately signed but vulnerable drivers is called BYOVD. The method has been in use since 2012.
The report by ArsTechnica mentions that “Microsoft is acutely aware of the BYOVD threat and has been working on defenses to stop these attacks, mainly by creating mechanisms to stop Windows from loading signed-but-vulnerable drivers.” However, the report also mentions that Microsoft’s approach did not work well. Microsoft Windows Update has failed to update the list of compromised or affected drivers, leaving bad actors free to abuse them.
Dan Goodin of ArsTechnica and Peter Kalnai, a researcher at ESET, found that the feature Microsoft says blocks affected drivers did not stop a Windows 10 Enterprise system from loading a vulnerable Dell driver.
Senior vulnerability analyst at ANALYGENCE, Will Dormann, found that the attack surface reduction (ASR) protection Microsoft describes does not work as advertised. The analyst has also concluded that the “driver blocklist for HVCI-enabled Windows 10 machines hadn’t been updated since 2019, and the initial blocklist for Server 2019 only included two drivers.”
The Microsoft recommended driver block rules page states that the driver block list "is applied to" HVCI-enabled devices.
Yet here is an HVCI-enabled system, and one of the drivers in the block list (WinRing0) is happily loaded.
I don't believe the docs. https://t.co/7gCnfXYIys https://t.co/2IkBtBRhks pic.twitter.com/n4789lH5qy
— Will Dormann (@wdormann) September 16, 2022
In response, a Microsoft manager took to Twitter to say that the company had updated the online documents and added a download containing instructions to deploy the blocklist updates manually. However, it is important to note that this is not the ultimate solution. Microsoft should roll out the blocklist updates via the Windows Update mechanism to protect all users against the threat.
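The mismatch Dormann describes (HVCI reported as on, yet a blocklisted driver loaded) is something an administrator can check on their own machines. The script below is an added example written for this article; it is not code from Microsoft, ArsTechnica or Dormann. It reads the documented Win32_DeviceGuard WMI class to see whether HVCI is actually running, then lists running kernel drivers whose file name appears on a small watchlist. The watchlist is constructed for the example and contains only the WinRing0 driver named in the tweet above; Microsoft's published block rules match on file hash and signer rather than file name, so a name match here is a triage hint for a closer look, not proof that the policy is broken.

```powershell
# Added example (not from the article, Microsoft or Dormann): audit whether HVCI
# is running and whether a watchlisted kernel driver is currently loaded anyway.

# Watchlist of driver file names. CONSTRUCTED for this example; WinRing0 is the
# driver named in the tweet. Extend it from Microsoft's published block rules.
$Watchlist = @('WinRing0x64.sys', 'WinRing0.sys')

# 1. Virtualization-based security state. Win32_DeviceGuard is a documented WMI
#    class; SecurityServicesRunning contains 2 when HVCI is running, and
#    VirtualizationBasedSecurityStatus is 2 when VBS is running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard
$hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
Write-Host ("VBS status: {0}   HVCI running: {1}" -f `
            $dg.VirtualizationBasedSecurityStatus, $hvciRunning)

# 2. Kernel drivers that are currently running, with their on-disk image path.
$loaded = Get-CimInstance -ClassName Win32_SystemDriver |
          Where-Object { $_.State -eq 'Running' -and $_.PathName }

$hits = foreach ($d in $loaded) {
    # PathName can carry a \??\ prefix; strip it so the file can be opened.
    $path = $d.PathName -replace '^\\\?\?\\', ''
    $leaf = Split-Path -Path $path -Leaf
    # -contains compares case-insensitively, matching Windows file names.
    if ($Watchlist -contains $leaf) {
        $hash = if (Test-Path -LiteralPath $path) {
                    (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                } else { 'file not found' }
        [pscustomobject]@{ Driver = $d.Name; File = $path; SHA256 = $hash }
    }
}

# 3. Report. A hit while HVCI is running is exactly the condition described in
#    the article and warrants checking that the current blocklist is deployed.
if ($hits) {
    Write-Warning ("Watchlisted driver(s) loaded (HVCI running: {0})" -f $hvciRunning)
    $hits | Format-Table -AutoSize
} else {
    Write-Host 'No watchlisted driver is currently loaded.'
}
```

Run it in an elevated PowerShell session so Win32_SystemDriver and the driver files are readable. The SHA256 column is there so a hit can be compared against the hashes in Microsoft's block rules before concluding anything; the example only flags a file name match.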