For years, Microsoft’s out-of-date driver list exposed Windows PCs to malware assaults

According to Ars Technica, Microsoft failed to adequately defend Windows PCs against malicious drivers for over three years. Although Microsoft claims that its Windows updates add newly identified harmful drivers to a blocklist that devices receive, Ars Technica found that these updates were never applied.

This coverage gap exposed users to a type of attack known as BYOVD, or bring your own vulnerable driver. Drivers are files that let a computer’s operating system communicate with hardware and peripherals such as a printer, graphics card, or camera. Because drivers run with access to the core of the operating system, the kernel, Microsoft requires that all drivers be digitally signed to prove their safety. However, if a legitimately signed driver contains a security flaw, attackers can abuse it to gain direct access to Windows.

Several of these attacks have already occurred in the wild. In August, attackers deploying the BlackByte ransomware abused a vulnerable driver belonging to MSI Afterburner, an overclocking utility. In another recent example, attackers exploited a flaw in the anti-cheat driver for the game Genshin Impact. The North Korean hacking group Lazarus carried out a BYOVD attack in 2021 against an aerospace employee in the Netherlands and a political journalist in Belgium, but the security company ESET only discovered it late last month.

According to Ars Technica, Microsoft relies on a feature called hypervisor-protected code integrity (HVCI) to guard against rogue drivers, and the company says it is enabled by default on some Windows devices. However, according to Ars Technica and Will Dormann, a senior vulnerability researcher at the cybersecurity firm Analygence, the feature does not offer effective protection against rogue drivers.

In a September Twitter thread, Dormann said he was able to successfully download a malicious driver onto an HVCI-enabled device even though the driver was on Microsoft’s blocklist. He subsequently determined that Microsoft’s blocklist had not been updated since 2019 and that Microsoft’s attack surface reduction (ASR) rules were likewise ineffective against rogue drivers. That means any device with HVCI enabled has gone unprotected against harmful drivers for the past three years.
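The article names three defenses an administrator would want to inventory on their own machines: whether HVCI is actually running, which ASR rules are active, and which kernel drivers are loaded and how they are signed. The script below is an added example, not code from Ars Technica, Microsoft or Dormann. It assumes Windows 10 or 11 with Microsoft Defender installed and an elevated PowerShell session; it uses only the built-in `Win32_DeviceGuard` and `Win32_SystemDriver` CIM classes, `Get-MpPreference` and `Get-AuthenticodeSignature`.

```powershell
# Added example (not from the article): inventory HVCI, ASR and loaded-driver signatures.
# Assumes Windows 10/11, Microsoft Defender present, run from an elevated PowerShell session.

function Get-HvciStatus {
    # Win32_DeviceGuard reports VBS state; service id 2 in the Security* arrays is HVCI ("Memory integrity").
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'
    [pscustomobject]@{
        VbsStatus      = $dg.VirtualizationBasedSecurityStatus   # 0 = off, 1 = enabled but not running, 2 = running
        HvciConfigured = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-AsrRuleStatus {
    # Defender stores ASR rules as two parallel arrays: rule GUIDs and their enforcement mode.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $mode = switch ($actions[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' }
            default { "Unknown($($actions[$i]))" }
        }
        [pscustomobject]@{ RuleId = $ids[$i]; Mode = $mode }
    }
}

function Get-RunningDriverSignatures {
    # Enumerate running kernel drivers and check the Authenticode signature of each image on disk.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the NT-style paths the CIM class returns (\??\C:\..., \SystemRoot\..., system32\...).
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    Status = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            }
        }
}

'--- HVCI / VBS ---'
Get-HvciStatus | Format-List

'--- Attack surface reduction rules ---'
Get-AsrRuleStatus | Format-Table -AutoSize

'--- Running kernel drivers (all, with signer) ---'
$drivers = Get-RunningDriverSignatures
$drivers | Sort-Object Status, Name | Format-Table -AutoSize

'--- Running kernel drivers whose signature did not validate ---'
$drivers | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

The driver listing is an inventory, not a verdict: as the article explains, a BYOVD attack uses a driver whose signature is perfectly valid, so a clean "Valid" column only tells you the blocklist is the control that matters. Compare the driver names and signers against the current Microsoft vulnerable driver blocklist (or an independent list such as LOLDrivers) rather than trusting the signature status alone, and treat `HvciRunning = False` on a machine you believed was protected as a finding in its own right.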