Microsoft appears to have finally fixed a driver issue that left some Windows Server and 10 systems exposed to vulnerable drivers.
Redmond has been dogged by criticism that its hypervisor-protected code integrity (HVCI) tool, much-hyped by Microsoft over the past two years as a key way to protect users from bring-your-own-vulnerable-driver (BYOVD) attacks, was not fulfilling its promise. This month it emerged that the list of vulnerable drivers the tool was supposed to be blocking was outdated on machines running many pre-Windows 11 operating systems, including Windows 10 and Windows Server.
This left the door open to BYOVD attacks, in which malicious drivers sail through approval via the Windows Hardware Compatibility Program. Once installed, such a driver gives attackers escalated privileges that could grant control of the system, let them run malicious code, and disarm security tools.
According to Microsoft, attacks based on vulnerable drivers have been used in a range of malware onslaughts, from RobbinHood, GrayFish, and Sauron to malware campaigns run by Strontium, a Russian-backed threat group.
Fixed it, sort of
In an update on Tuesday, Microsoft wrote that with the Windows 11 2022 update, the vulnerable driver blocklist is enabled by default for all devices. It’s enforced through HVCI, Smart App Control, or when S mode is active.
“The blocklist is updated with each new major release of Windows,” Microsoft explained. “We plan to update the current blocklist for non-Windows 11 customers in an upcoming servicing release and will occasionally publish future updates through regular Windows servicing.”
For Windows 10 devices, the blocklist was an optional feature, but starting with the October 2022 preview release, it will be enabled by default on all devices.
“This October 2022 preview release addresses an issue that only updates the blocklist for full Windows OS releases,” Microsoft wrote. “When you install this release, the blocklist on older OS versions will be the same as the blocklist on Windows 11, version 21H2 and later.”
In a blog post in 2020, Microsoft listed HVCI as a strong hardware-backed security feature to protect Windows machines and boasted of a way to keep the blocklist updated on systems.
However, as recently discovered, the blocklist wasn’t updating for all Windows systems, a discovery that was confirmed by Will Dormann, senior vulnerability analyst at ANALYGENCE.
Dormann was able to load a malicious driver known as WinRing0 onto a system that had the HVCI tool enabled. He later found that Windows 10 machines with HVCI were using a driver blocklist from 2019. There had been no updates for Windows 10 systems for three years.
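The condition Dormann describes, HVCI switched on but enforcing a years-old blocklist, is something an administrator can check for locally. The following PowerShell is an added example, not code from the article or from Microsoft; it reads the documented Win32_DeviceGuard WMI class and assumes the blocklist policy lives at %windir%\System32\CodeIntegrity\driversipolicy.p7b (the file name and path are an assumption, and the file timestamp is only a proxy for the policy's real version).

```powershell
# Added example (not from the article or from Microsoft): report whether HVCI is
# actually running and how old the on-disk driver blocklist policy appears to be.
# Assumption: the blocklist ships as driversipolicy.p7b under %windir%\System32\CodeIntegrity.

function Get-DriverBlocklistStatus {
    # Documented WMI class exposing virtualization-based security state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 2 = VBS running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $vbsRunning  = $dg.VirtualizationBasedSecurityStatus -eq 2
    $hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)

    # Assumed location of the built-in vulnerable driver blocklist policy.
    $policyPath = Join-Path $env:windir 'System32\CodeIntegrity\driversipolicy.p7b'
    $policy     = Get-Item -LiteralPath $policyPath -ErrorAction SilentlyContinue

    $policyDate = $null
    $stale      = $false
    if ($policy) {
        $policyDate = $policy.LastWriteTime
        # A policy last written more than a year ago is the symptom reported above:
        # HVCI enforcing, but against a list that has not been serviced.
        $stale = $policyDate -lt (Get-Date).AddYears(-1)
    }

    [pscustomobject]@{
        VbsRunning       = $vbsRunning
        HvciRunning      = $hvciRunning
        BlocklistPresent = [bool]$policy
        BlocklistDate    = $policyDate
        BlocklistStale   = $stale
    }
}

Get-DriverBlocklistStatus | Format-List
```

A result of HvciRunning = True together with BlocklistStale = True is the state the article describes and is the cue to apply the updated policy Microsoft now publishes for pre-Windows 11 systems.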
Earlier this month, Microsoft acknowledged Dormann’s findings and said it was updating the online support documents along with adding a download with instructions for applying the binary version directly.
“We’re also fixing the issues with our servicing process which has prevented devices from receiving updates to the policy,” Microsoft’s Jeffrey Sutherland wrote in a tweet. ®