Microsoft failed to properly protect Windows PCs from malicious drivers for nearly three years, according to a report from Ars Technica. Although Microsoft says its Windows updates add new malicious drivers to a blocklist downloaded by devices, Ars Technica found these updates never actually stuck.
This gap in coverage left users vulnerable to a certain type of attack called BYOVD, or bring your own vulnerable driver. Drivers are the files your computer’s operating system uses to communicate with external devices and hardware, such as a printer, graphics card, or webcam. Since drivers can access the core of a device’s operating system, or kernel, Microsoft requires that all drivers are digitally signed, proving that they’re safe to use. But if an existing, digitally signed driver has a security hole, hackers can exploit this and gain direct access to Windows.
As noted by Ars Technica, Microsoft uses something called hypervisor-protected code integrity (HVCI) that’s supposed to protect against malicious drivers, which the company says comes enabled by default on certain Windows devices. However, both Ars Technica and Will Dormann, a senior vulnerability analyst at cybersecurity company Analygence, found that this feature doesn’t provide adequate protection against malicious drivers.
In a thread posted to Twitter in September, Dormann explains that he was able to successfully download a malicious driver on an HVCI-enabled device, even though the driver was on Microsoft’s blocklist. He later found that Microsoft’s blocklist hasn’t been updated since 2019, and that Microsoft’s attack surface reduction (ASR) capabilities didn’t protect against malicious drivers, either. This means any devices with HVCI enabled haven’t been protected against bad drivers for around three years.
Microsoft didn’t address Dormann’s findings until earlier this month. “We have updated the online docs and added a download with instructions to apply the binary version directly,” Microsoft project manager Jeffery Sutherland said in a reply to Dormann’s tweets. “We’re also fixing the issues with our servicing process which has prevented devices from receiving updates to the policy.” Microsoft has since provided instructions on how to manually update the blocklist with the vulnerable drivers that have been missing for years, but it’s still not clear when Microsoft will begin automatically adding new drivers to the list through Windows updates.
“The vulnerable driver list is regularly updated, however we received feedback there has been a gap in synchronization across OS versions,” a Microsoft spokesperson said in a statement to Ars Technica. “We have corrected this and it will be serviced in upcoming and future Windows Updates. The documentation page will be updated as new updates are released.” Microsoft didn’t immediately respond to The Verge’s request for comment.