https://www.theverge.com/2022/10/16/23405739/microsoft-out-of-date-driver-list-windows-pcs-malware-attacks-years-byovd

Microsoft's out-of-date driver list left Windows PCs open to malware attacks for years

Microsoft pushed updates to its blocklist of malicious drivers to Windows devices, but for some reason, they never stuck

By Emma Roth
Oct 16, 2022, 3:08 PM UTC

Photo by Amelia Holowaty Krales / The Verge

Microsoft failed to properly protect Windows PCs from malicious drivers for nearly three years, according to a report from Ars Technica. Although Microsoft says its Windows updates add new malicious drivers to a blocklist downloaded by devices, Ars Technica found these updates never actually stuck. This gap in coverage left users vulnerable to a type of attack called BYOVD, or bring your own vulnerable driver.

Drivers are the files your computer's operating system uses to communicate with external devices and hardware, such as a printer, graphics card, or webcam. Since drivers can access the core of a device's operating system, the kernel, Microsoft requires that all drivers be digitally signed, proving that they are safe to use. But if an existing, digitally signed driver has a security hole, hackers can exploit it and gain direct access to Windows.

We've already seen several of these attacks carried out in the wild. In August, hackers deploying BlackByte ransomware abused a vulnerable driver used by the overclocking utility MSI Afterburner.
Another recent incident involved cybercriminals exploiting a vulnerability in the anti-cheat driver for the game Genshin Impact. The North Korean hacking group Lazarus waged a BYOVD attack on an aerospace employee in the Netherlands and a political journalist in Belgium in 2021, but security firm ESET only brought it to light late last month.

As noted by Ars Technica, Microsoft uses something called hypervisor-protected code integrity (HVCI) that's supposed to protect against malicious drivers, which the company says comes enabled by default on certain Windows devices. However, both Ars Technica and Will Dormann, a senior vulnerability analyst at cybersecurity company Analygence, found that this feature doesn't provide adequate protection against malicious drivers.

In a thread posted to Twitter in September, Dormann explains that he was able to successfully download a malicious driver on an HVCI-enabled device, even though the driver was on Microsoft's blocklist. He later discovered that Microsoft's blocklist hadn't been updated since 2019, and that Microsoft's attack surface reduction (ASR) capabilities didn't protect against malicious drivers, either. This means any devices with HVCI enabled haven't been protected against bad drivers for around three years.

Microsoft didn't address Dormann's findings until earlier this month. "We have updated the online docs and added a download with instructions to apply the binary version directly," Microsoft project manager Jeffery Sutherland said in a reply to Dormann's tweets. "We're also fixing the issues with our servicing process which has prevented devices from receiving updates to the policy."

Microsoft has since provided instructions on how to manually update the blocklist with the vulnerable drivers that have been missing for years, but it's still not clear when Microsoft will start automatically adding new drivers to the list through Windows updates.
"The vulnerable driver list is regularly updated, however we received feedback there has been a gap in synchronization across OS versions," a Microsoft spokesperson said in a statement to Ars Technica. "We have corrected this and it will be serviced in upcoming and future Windows Updates. The documentation page will be updated as new updates are released."

Microsoft didn't immediately respond to The Verge's request for comment.
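The article's point is that HVCI being "on" did not mean the vulnerable driver blocklist was current, so the two have to be checked separately. The following PowerShell is an added example, not code from The Verge, Ars Technica, Dormann or Microsoft, that reports on a local Windows machine whether HVCI is actually running, whether the vulnerable driver blocklist is enabled, when the code integrity policy file was last updated, and which drivers the Code Integrity log has recently blocked or audited. It assumes the documented Win32_DeviceGuard CIM class and Code Integrity event IDs 3076 (audit) and 3077 (block); the registry value VulnerableDriverBlocklistEnable under CI\Config and the SiPolicy.p7b / CiPolicies\Active policy locations are assumptions about Microsoft's implementation and are absent on older builds, which the script reports as "not configured" rather than as protected.

```powershell
# Added example (not from the article): report the state of HVCI and the
# vulnerable driver blocklist on this machine. Run in an elevated PowerShell.

function Get-DriverProtectionStatus {
    # Win32_DeviceGuard is Microsoft's documented class for VBS/HVCI status.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # SecurityServicesRunning / Configured: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $hvciConfigured = [bool]($dg.SecurityServicesConfigured -contains 2)
    $hvciRunning    = [bool]($dg.SecurityServicesRunning    -contains 2)
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Off' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    # Assumption: the blocklist toggle lives at CI\Config\VulnerableDriverBlocklistEnable.
    # An absent value is reported as not configured, never as "on".
    $ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable `
                                  -ErrorAction SilentlyContinue
    $blocklistState = if ($null -eq $blocklist) { 'Not configured (value absent)' }
                      elseif ($blocklist.VulnerableDriverBlocklistEnable -eq 1) { 'Enabled' }
                      else { 'Disabled' }

    # Assumption: a manually applied blocklist is a WDAC policy stored either as the
    # single-policy SiPolicy.p7b or as a .cip under CiPolicies\Active. The newest
    # LastWriteTime tells you when the policy on disk was last refreshed, which is
    # the "did the update stick?" question the article raises.
    $ciDir    = Join-Path $env:windir 'System32\CodeIntegrity'
    $policies = @(Get-Item -Path (Join-Path $ciDir 'SiPolicy.p7b') -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path (Join-Path $ciDir 'CiPolicies\Active') -Filter '*.cip' `
                                -ErrorAction SilentlyContinue)
    $newest = $policies | Sort-Object LastWriteTime -Descending | Select-Object -First 1

    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbs
        HvciConfigured              = $hvciConfigured
        HvciRunning                 = $hvciRunning
        VulnerableDriverBlocklist   = $blocklistState
        PolicyFilesFound            = $policies.Count
        NewestPolicyFile            = if ($newest) { $newest.FullName } else { $null }
        NewestPolicyWritten         = if ($newest) { $newest.LastWriteTime } else { $null }
    }
}

function Get-RecentDriverBlocks {
    param([int]$Days = 30)
    # Code Integrity operational log: 3077 = file blocked by policy, 3076 = would have
    # been blocked (audit mode). Either is the detection signal for a BYOVD attempt
    # that the blocklist caught.
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Mode';    Expression = { if ($_.Id -eq 3077) { 'Blocked' } else { 'Audit' } } },
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Get-DriverProtectionStatus | Format-List
Get-RecentDriverBlocks     | Format-Table -AutoSize
```

A machine that shows HvciRunning = True but VulnerableDriverBlocklist = "Not configured" and a policy file dated 2019 is in exactly the state the article describes: memory integrity is on, yet nothing newer than the 2019 list is being enforced. A recent NewestPolicyWritten together with 3077 events for a driver you did not deploy is the evidence worth escalating.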