Microsoft has issued a “mea culpa”, having failed for nearly three years to adequately protect Windows PCs from known malicious drivers. The company has apparently realized that it fell short in a key aspect of Windows security, leaving users exposed to a malware infection technique that has proven particularly effective in recent months.
The problem came to light after the Redmond company stated that Windows Update would automatically add newly identified malicious drivers to a blocklist designed to thwart a known infection technique. For those unfamiliar with them, drivers are installed and used by the operating system to communicate with hardware and external devices, such as a printer, graphics card or webcam, and much more. Since drivers can reach every layer of the operating system, including the most privileged one, the kernel, Microsoft requires a digital signature attesting that they are trustworthy. But what if a driver is signed and still contains a security flaw? In that case attackers can exploit it and compromise the operating system it is installed on.
One such technique is known as BYOVD (Bring Your Own Vulnerable Driver) and allows an attacker who already holds administrator privileges to bypass Windows kernel protections. The attack is as simple as it is effective: there is no need to write an exploit from scratch, since it is enough to install one of the many legitimately signed third-party drivers with known vulnerabilities. Once that is done, the attacker can exploit those vulnerabilities to gain immediate, direct access to every part of Windows, including the most protected ones.
Although Microsoft claims that its Windows updates add new malicious drivers to a blocklist downloaded to devices, Ars Technica found that those new drivers were never actually blocked, and that gap in coverage left users vulnerable.
Attacks of this kind are well known, and several similar cases have been discovered recently: for example, the BlackByte ransomware identified in August, which abused a driver used by the overclocking utility MSI Afterburner, or the vulnerability in the anti-cheat driver of the game Genshin Impact. There are many comparable cases, and very often they are identified only after the fact.
Yet the crux of the matter is that Microsoft should have protected the system through hypervisor-protected code integrity (HVCI), a protection mechanism the company says is enabled by default on some Windows devices. However, both Ars Technica and Will Dormann, senior vulnerability analyst at the cybersecurity firm Analygence, found that this feature does not provide adequate protection against malicious drivers.
Dormann, for example, reported on Twitter that he was able to load a malicious driver on an HVCI-enabled device even though the driver was on Microsoft’s blocklist. On further investigation he discovered that the blocklist had not been updated since 2020, so newer malicious drivers went unnoticed. This means that all devices with HVCI enabled have not been protected from those malicious drivers for about three years.
The first reports of this kind arrived in September, but Microsoft did not comment until a few days ago, when project manager Jeffery Sutherland wrote in response to Dormann’s tweet:
“We have updated the documents online and added a download with instructions to apply the binary version directly. We are also addressing issues with our maintenance process that prevented devices from receiving policy updates.”
Microsoft has since provided instructions on how to manually update the blocklist with the vulnerable drivers that had been missing for years, but it is still unclear when Microsoft will start automatically adding new drivers to the list via Windows Update. A company spokesperson then commented on the Ars Technica publication, saying:
“The list of vulnerable drivers is updated regularly, however we have received feedback that there has been a gap in synchronization between OS versions. We have corrected this problem and it will be served in upcoming and future Windows updates. The documentation page will be updated as new updates are released.”
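For administrators who want to verify where their own machines stand after this episode, the following script is an added example written for this page; it is not code from the article, from Dormann or from Microsoft. It reports whether HVCI (memory integrity) is actually running, whether the vulnerable-driver blocklist toggle is set, when the locally applied Code Integrity policy file was last written, and which drivers Code Integrity has blocked or would have blocked recently. The Win32_DeviceGuard class, the VulnerableDriverBlocklistEnable registry value and the CodeIntegrity event IDs 3076/3077 are Windows artifacts documented by Microsoft; the SiPolicy.p7b location assumes the single-policy format that the manually downloaded blocklist binary uses, and the one-year staleness threshold is an arbitrary choice for this example.

```powershell
# Added example (not from the article or Microsoft): audit HVCI and driver-blocklist
# state on a Windows 10/11 machine. Run from an elevated PowerShell prompt.

function Get-HvciStatus {
    # Win32_DeviceGuard exposes VBS/HVCI state; SecurityServicesRunning contains 2 when HVCI is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    [pscustomobject]@{
        VbsStatus        = $dg.VirtualizationBasedSecurityStatus    # 0 = off, 1 = enabled, 2 = running
        HvciRunning      = ($dg.SecurityServicesRunning -contains 2)
        KernelCiEnforced = $dg.CodeIntegrityPolicyEnforcementStatus # 0 = off, 1 = audit, 2 = enforced
    }
}

function Get-DriverBlocklistState {
    # Registry toggle behind Settings > Core isolation > "Microsoft Vulnerable Driver Blocklist".
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $toggle = (Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' `
                 -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    # Single-policy location used when the blocklist is applied manually as a WDAC policy binary
    # (assumption for this example; multiple-policy deployments live under CiPolicies\Active instead).
    $policy     = Join-Path $env:windir 'System32\CodeIntegrity\SiPolicy.p7b'
    $policyTime = if (Test-Path $policy) { (Get-Item $policy).LastWriteTime } else { $null }

    [pscustomobject]@{
        BlocklistToggle   = $toggle          # 1 = on, 0 = off, $null = value absent on this build
        PolicyFilePresent = [bool]$policyTime
        PolicyLastWrite   = $policyTime
    }
}

function Get-BlockedDriverEvents {
    param([int]$Days = 30)
    # 3077 = load blocked by an enforced policy; 3076 = would have been blocked, policy in audit mode.
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Mode';    Expression = { if ($_.Id -eq 3077) { 'Blocked' } else { 'Audit' } } },
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }
}

$hvci  = Get-HvciStatus
$block = Get-DriverBlocklistState
$hvci, $block | Format-List

if (-not $hvci.HvciRunning) {
    Write-Warning 'HVCI (memory integrity) is not running; Microsoft ties blocklist enforcement to it.'
}
if ($block.PolicyLastWrite -and $block.PolicyLastWrite -lt (Get-Date).AddYears(-1)) {
    Write-Warning "Local Code Integrity policy last written $($block.PolicyLastWrite); check whether the blocklist is current."
}

# Recent block/audit events are the evidence that the policy is actually doing something.
Get-BlockedDriverEvents -Days 30 | Format-Table -AutoSize
```

A machine that reports HVCI running but a policy file untouched for years, and no 3077 events at all, is in exactly the state the article describes: the protection mechanism is on, but the list it enforces is stale. Forwarding the CodeIntegrity log to a SIEM and alerting on 3077 gives ongoing visibility once the blocklist is updated.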
No precise timing has therefore been given, and the definitive fix apparently will not arrive as quickly as one would like. We will return to the matter if new details emerge.