Microsoft’s own mistake may have left users at risk of malware attacks
Driver blocklist was outdated for years
Microsoft appears to have finally addressed an issue that could have left Windows users at risk of all kinds of cyberattacks.
The attack method is called Bring Your Own Vulnerable Driver, or BYOVD for short. It revolves around attackers installing older, legitimate software drivers, known to carry vulnerabilities, on target endpoints. Installing a legitimately signed driver will not trigger any antivirus alarms, but it opens a backdoor through which attackers can deliver a more dangerous payload.
However, the researchers aren’t happy with how the company addressed the issue, as it would seem Microsoft only created a one-time solution for a problem that needs continuous support.
No updates
The number of BYOVD attacks rose significantly in the past couple of months, prompting researchers from Ars Technica to investigate whether Microsoft’s solution to the problem (which it dubbed “Secured Core” PCs) works as intended. That’s when they realized the driver blocklist hadn’t been updated in quite some time.
“But as I was reporting on the North Korean attacks mentioned above, I wanted to make sure this heavily promoted driver-blocking feature was working as advertised on my Windows 10 machine,” Ars Technica’s Dan Goodin writes. “Yes, I had memory integrity turned on in Windows Security > Device security > Core isolation, but I saw no evidence that a list of banned drivers was periodically updated.”
Microsoft dismissed the initial findings as irrelevant, but as other researchers chimed in, it later changed its stance, saying it was “fixing the issues with our servicing process which has prevented devices from receiving updates to the policy,” Goodin added.
“The vulnerable driver list is regularly updated, however we received feedback there has been a gap in synchronization across OS versions,” Microsoft was cited saying. “We have corrected this and it will be serviced in upcoming and future Windows Updates. The documentation page will be updated as new updates are released.”
While Microsoft claimed it solved the problem by maintaining a driver blocklist that is constantly updated, researchers discovered that the company hadn’t updated the list in roughly three years. In other words, whatever vulnerable drivers were discovered in the last 24-36 months hadn’t been added to this blocklist, and threat actors could have used them to reopen security holes that had already been closed.
Microsoft has since released a new tool that allows Windows 10 users to deploy blocklist updates that were pending for three years. “But this is a one-time update process; it is not yet clear if Microsoft can or will push automatic updates to the driver blocklist through Windows Update,” Goodin concluded.
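The article's point is that a blocklist only protects you if it is actually enforced and actually current. The following PowerShell check is an added example written for this page; it is not code from the article, from Ars Technica or from Microsoft. It assumes, as labelled in the comments, that the Win32_DeviceGuard CIM class reports memory integrity (HVCI) under code 2 of SecurityServicesRunning, that the blocklist policy ships as driversipolicy.p7b under the CodeIntegrity folder, and that the Microsoft-Windows-CodeIntegrity/Operational log records enforced and audit-mode driver blocks as event IDs 3077 and 3076. It reads state only and changes nothing on the machine.

```powershell
# Added example (not from the article, Ars Technica or Microsoft): a read-only
# posture check for the BYOVD mitigations the article discusses. Assumptions,
# taken from general Windows knowledge rather than from the page: the
# Win32_DeviceGuard class and its SecurityServicesRunning codes, the blocklist
# policy file path, and the CodeIntegrity operational log event IDs.

function Get-DriverBlocklistPosture {
    [CmdletBinding()]
    param(
        # How many recent block events to return for review
        [int]$MaxEvents = 10
    )

    # 1. Is memory integrity (HVCI) running? The article's author checked the
    #    toggle in Windows Security; this reads the runtime state instead.
    #    Assumption: SecurityServicesRunning code 2 means HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $hvciRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)

    # 2. Is a vulnerable-driver blocklist policy present, and how old is it?
    #    Assumption: the policy ships as driversipolicy.p7b under CodeIntegrity.
    $policyPath = Join-Path $env:windir 'System32\CodeIntegrity\driversipolicy.p7b'
    $policyInfo = Get-Item -LiteralPath $policyPath -ErrorAction SilentlyContinue
    $lastWritten = $null
    $ageDays     = $null
    if ($policyInfo) {
        $lastWritten = $policyInfo.LastWriteTime
        # A file last written years ago is exactly the symptom the article describes.
        $ageDays = [int]((Get-Date) - $policyInfo.LastWriteTime).TotalDays
    }

    # 3. Has the policy ever blocked a driver load on this machine?
    #    Assumption: ID 3077 = blocked under enforcement, 3076 = would have been
    #    blocked (audit mode), in Microsoft-Windows-CodeIntegrity/Operational.
    $blockEvents = @()
    try {
        $blockEvents = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
            Id      = 3076, 3077
        } -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when no matching events exist; treat as "none seen".
    }

    [pscustomobject]@{
        HvciRunning            = $hvciRunning
        BlocklistPolicyPresent = ($null -ne $policyInfo)
        BlocklistPolicyPath    = $policyPath
        BlocklistLastWritten   = $lastWritten
        BlocklistAgeDays       = $ageDays
        RecentBlockEvents      = @($blockEvents | Select-Object TimeCreated, Id, Message)
    }
}

# Usage: run in an elevated PowerShell session on the endpoint being assessed.
$posture = Get-DriverBlocklistPosture
$posture | Select-Object HvciRunning, BlocklistPolicyPresent, BlocklistLastWritten, BlocklistAgeDays | Format-List

if (-not $posture.HvciRunning) {
    Write-Warning 'Memory integrity (HVCI) is not running; the author of the article relied on it to enforce the blocklist, so confirm enforcement by other means.'
}
if (-not $posture.BlocklistPolicyPresent) {
    Write-Warning "No blocklist policy found at $($posture.BlocklistPolicyPath)."
} elseif ($posture.BlocklistAgeDays -gt 365) {
    Write-Warning "Blocklist policy file is $($posture.BlocklistAgeDays) days old; check for pending updates."
}
$posture.RecentBlockEvents | Format-Table -AutoSize -Wrap
```

The three checks map onto the three things the article questions: whether the feature is switched on, whether the list it enforces has actually been refreshed, and whether it has ever done anything. An old LastWriteTime on the policy file is the quickest way to reproduce the observation that the list had not been updated, and the 3077 events are what a detection team would forward to a SIEM to see blocked driver loads across a fleet.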
Via: Ars Technica
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.