Microsoft says it addressed an issue preventing its vulnerable driver blocklist from being synced to systems running older Windows versions.
This blocklist is designed to block threat actors from dropping legitimate but vulnerable drivers on targets’ systems in Bring Your Own Vulnerable Driver (BYOVD) attacks on HVCI-enabled Windows machines or those running Windows in S Mode.
The flawed drivers are then exploited to escalate privileges in the Windows kernel and execute malicious code, disabling security solutions and taking control of the device.
This is a well-known and popular attack technique amongst threat actors of all skill levels, from ransomware gangs to state-sponsored hacking groups.
Although Microsoft has been advertising its driver blocklist as capable of hardening Windows systems against vulnerable third-party drivers, ANALYGENCE security analyst Will Dormann found that wasn’t the case.
As Dormann discovered, unlike Windows 11 devices, even up-to-date Windows 10 and Windows Server systems were being provided with an outdated list of vulnerable drivers from December 2019, exposing customers who thought they were protected to BYOVD attacks.
Microsoft reluctantly acknowledged his findings and promised to address this issue and update its misleading online support docs.
Thanks for all the feedback. We have updated the online docs and added a download with instructions to apply the binary version directly. We’re also fixing the issues with our servicing process which has prevented devices from receiving updates to the policy.
— Jeffrey Sutherland (@j3ffr3y1974) October 6, 2022
Driver blocklist sync finally fixed
More than a month after Dormann revealed that the list of vulnerable drivers wasn’t kept up to date on Windows 10 and some Windows Server systems, Microsoft has now finally addressed this issue.
“The vulnerable driver list is regularly updated, however we received feedback there has been a gap in synchronization across OS versions,” a Microsoft spokesperson told BleepingComputer.
“We have corrected this and it will be serviced in upcoming and future Windows Updates. The documentation page will be updated as new updates are released.”
Redmond has addressed the driver blocklist sync issue with the October 2022 preview release, which will also ensure that the blocklist on older OS versions will be the same as the up-to-date one on Windows 11 21H2 and later.
Starting with October 2022’s preview release, the blocklist is also enabled by default on all devices. Still, customers can turn it off using the Windows Security app, by turning off HVCI (memory integrity), or by disabling Windows in S Mode.
“Blocking drivers can cause devices or software to malfunction. In rare cases, it leads to a stop error,” Microsoft warned on Tuesday. “There is no guarantee that the blocklist will block every driver that has weaknesses.”