Microsoft seems to have finally solved a problem that may have left Windows users exposed to all kinds of cyber attacks.
The problem is an attack method called Bring Your Own Vulnerable Driver (BYOVD for short). It revolves around attackers installing legacy, legitimate software drivers that are known to carry vulnerabilities on target endpoints. Installing a legitimate driver will not trigger any antivirus alarms, but it opens a back door through which attackers can deliver a more dangerous payload.
However, researchers are not satisfied with the way the company solved the problem, as Microsoft appears to have only created a one-off solution to a problem that requires ongoing support.
No updates available
The number of BYOVD attacks has increased significantly in the last few months, prompting Ars Technica researchers to investigate whether Microsoft’s protections (what the company calls “Secured Core” computers) are working as intended. It was then that they realized that the vulnerable driver blocklist had not been updated in a long time.
“But when I reported on the North Korean attacks mentioned above, I wanted to make sure that this heavily promoted driver blocker worked as advertised on my Windows 10 PC,” writes Dan Goodin of Ars Technica. “Yes, I had Memory Integrity turned on in Windows Security > Device Security > Core Isolation, but I didn’t see any evidence that the list of banned drivers was updated periodically.”
Microsoft dismissed the preliminary findings as irrelevant, but when other researchers got involved, it later changed its position, saying that it “fixes issues with our servicing process that prevents devices from receiving policy updates,” Goodin added.
“The list of vulnerable drivers is updated regularly, but we received feedback that there was a synchronization gap between operating system versions,” Microsoft said. “We’ve fixed this and it will be serviced in upcoming and future Windows updates. The documentation page will be updated as new updates are released.”
While Microsoft claimed to have solved the problem by constantly updating the driver blocklist, researchers found that the company had not updated the list in about three years. In other words, vulnerable drivers discovered in the last 24-36 months had not been added to the blocklist, and cybercriminals could still load them to exploit vulnerabilities that were supposedly already plugged.
Since then, Microsoft has released a new tool that allows Windows 10 users to deploy the blocklist updates that had been pending for three years. “But this is a one-time update process; it is not yet clear whether Microsoft can or will send automatic updates to the list of blocked drivers via Windows Update,” concluded Goodin.
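For administrators who want to repeat Goodin’s check on their own machines, the following PowerShell script is an added example (not code from the article, Ars Technica or Microsoft): it reports whether Memory Integrity (HVCI) is actually running and lists the signed code-integrity policy files on disk with their age. It assumes a Windows 10/11 host with the DeviceGuard WMI provider, that the driver blocklist policy lives as a .p7b file under System32\CodeIntegrity, and a hypothetical 180-day staleness threshold.

```powershell
# Added example, not part of the original article.
# Query the DeviceGuard provider for the virtualization-based security state.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

# SecurityServicesRunning contains 2 when hypervisor-protected code integrity
# (the "Memory Integrity" toggle in Core Isolation) is active.
$hvciRunning = $dg.SecurityServicesRunning -contains 2
"Memory Integrity (HVCI) running      : $hvciRunning"
# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
"Virtualization-based security status : $($dg.VirtualizationBasedSecurityStatus)"

# Assumed location of the signed code-integrity policies, including the driver blocklist.
# File names differ between Windows versions, so list every .p7b rather than hard-coding one.
$policyDir = Join-Path $env:windir 'System32\CodeIntegrity'
$staleAfterDays = 180   # assumed threshold; tune to your patch cadence

Get-ChildItem -Path $policyDir -Filter '*.p7b' -ErrorAction SilentlyContinue | ForEach-Object {
    $age = (Get-Date) - $_.LastWriteTime
    [pscustomobject]@{
        Policy    = $_.Name
        LastWrite = $_.LastWriteTime
        AgeDays   = [int]$age.TotalDays
        Stale     = $age.TotalDays -gt $staleAfterDays
    }
} | Format-Table -AutoSize
```

The last-write time only shows when the policy file on disk was refreshed; the authoritative blocklist version is inside the signed policy itself, so treat a stale timestamp as a prompt to apply Microsoft’s update tool rather than as proof of which drivers are blocked.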
Via: Ars Technica