Microsoft has reportedly failed to address deficiencies in Windows security that allow attackers to compromise machines through bring-your-own-vulnerable-driver (BYOVD) attacks. New research indicates that Redmond has not updated the list of known-vulnerable drivers that Windows is supposed to block from loading since 2019.
According to a report by Ars Technica’s Dan Goodin, hypervisor-protected code integrity (HVCI), which Microsoft says protects the Windows kernel, has fallen well short of that promise. Microsoft has said HVCI, backed by its driver blocklist, protects against the onslaught of BYOVD attacks, in which attackers exploit a security vulnerability in a legitimately signed driver to gain kernel access.
The Ars Technica report is corroborated by research from ANALYGENCE senior vulnerability analyst Will Dormann who, in a Twitter thread, concluded that a March 2020 Microsoft blog titled ‘Secured-core PCs: A brief showcase of chip-to-cloud security against kernel attacks’ is “promoting a feature that doesn’t exist.”
Both Dormann and Ars Technica said they could download and install a known-vulnerable driver on a device where HVCI was enabled. Moreover, the driver in question appears on Microsoft’s own blocklist, which is exactly what the blocklist is supposed to prevent.
Drivers are pieces of software that sit between the operating system and the hardware or other software components produced by many different vendors. They are what let users’ programs talk to the devices they use, such as keyboards, printers and graphics cards.
Because a driver runs with access to the kernel, the code at the core of any operating system, verifying its authenticity, usually through a digital signature, is an essential part of protecting the device and its user.
The catch with BYOVD is that the driver is authentic: it carries a valid signature and loads without complaint, but it contains an exploitable bug. A threat actor who brings such a driver along can use it to take over the machine, turning the driver into a threat to the device and the ecosystem within which it operates.
David Weston, Microsoft’s VP of OS Security and Enterprise, in December 2020, responded to researcher Kevin Beaumont, “PSA @surface book 3 and all new Surface devices have HVCI and VBS on by DEFAULT which enforces a driver block policy that blocks RWET and other bad drivers. Security vendors are going to tell you need to buy their stuff, but Windows has everything you need to block it.”
More recently, Microsoft’s Jeffrey Sutherland replied to Dormann’s thread dated September 2022. Sutherland tweeted:
Thanks for all the feedback. We have updated the online docs and added a download with instructions to apply the binary version directly. We’re also fixing the issues with our servicing process which has prevented devices from receiving updates to the policy.
— Jeffrey Sutherland (@j3ffr3y1974) October 6, 2022
Beaumont, who has previously reported issues with the blocklist, said: “It’s baffling on the customer end too as they’ve been touting this to customers for years as The Solution, apparently unaware it wasn’t.. well.. Working.”
Earlier this month, Dormann confirmed that Microsoft updated the documentation that attests to the current state of affairs concerning the driver blocklist. How the Windows maker plans to bridge the gap, which remained undetected for three years, remains to be seen.
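Sutherland’s reply above refers to a downloadable binary version of the block policy that administrators can apply directly. The following PowerShell script is an added example written for this page; it is not code from the article, from Microsoft or from the researchers it cites. It shows how an administrator can check, rather than assume, that VBS and HVCI are actually running, whether an explicitly applied Code Integrity policy file is present and how old it is, and whether Code Integrity has recently blocked a driver load. The property values and event IDs are Microsoft’s documented ones; the reading of a stale policy-file timestamp as a hint of an outdated list is an assumption, not proof.

```powershell
# Added example (not from the article, Microsoft or the cited researchers).
# Run from an elevated PowerShell prompt on Windows 10 or Windows 11.

# 1. VBS / HVCI state from the Device Guard WMI class.
#    Documented value meanings:
#      VirtualizationBasedSecurityStatus:    0 = off, 1 = enabled but not running, 2 = running
#      SecurityServicesRunning:              1 = Credential Guard, 2 = HVCI
#      CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

$state = [pscustomobject]@{
    VbsRunning       = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    HvciRunning      = ($dg.SecurityServicesRunning -contains 2)
    CiPolicyEnforced = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)
}
$state | Format-List

# 2. Explicitly applied Code Integrity policy files. SiPolicy.p7b is where Microsoft's
#    instructions say the downloaded binary block policy goes; systems using the
#    multiple-policy format keep .cip files under CiPolicies\Active instead.
#    A LastWriteTime years in the past is only a hint (assumption) that the machine
#    still carries an old list; it is not proof of what the loaded policy contains.
$ciDir    = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
$policies = @(Get-ChildItem -Path $ciDir -Filter 'SiPolicy.p7b' -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path (Join-Path $ciDir 'CiPolicies\Active') -Filter '*.cip' -ErrorAction SilentlyContinue)
if ($policies.Count -gt 0) {
    $policies | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
} else {
    Write-Warning "No explicitly applied CI policy file under $ciDir (the policy shipped with Windows may still apply)."
}

# 3. On Windows 11 22H2 and later, citool.exe reports the policies actually loaded.
if (Get-Command citool.exe -ErrorAction SilentlyContinue) {
    citool.exe --list-policies
}

# 4. Evidence of enforcement: Code Integrity logs event 3077 when a driver load is
#    blocked by policy and 3076 when it would have been blocked in audit mode.
$filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

The point of step 4 is that a machine reporting HVCI as running but never logging a 3076 or 3077 event has not necessarily blocked anything; only a blocked load proves the list in force covers the driver you care about. An absence of events on a machine that has never seen a blocklisted driver is expected and tells you nothing either way.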
Some examples of BYOVD attacks include the BlackByte ransomware gang leveraging a vulnerability in a driver shipped with Micro-Star’s MSI Afterburner graphics card utility, and AvosLocker ransomware exploiting a vulnerability in Avast’s anti-rootkit driver.