It looks like Microsoft has finally addressed an issue that could have left Windows users at risk of all kinds of cyberattacks.
The attack method in question is called Bring Your Own Vulnerable Driver, or BYOVD for short. It involves attackers installing older, legitimate software drivers that are known to carry vulnerabilities on the target endpoints. Because the driver itself is legitimate, installing it will not trigger any antivirus alerts, but its flaws open the door for attackers to deliver a more dangerous payload.
However, researchers aren’t happy with the way the company handled the problem, as Microsoft appears to have delivered only a one-time fix to a problem that needs ongoing maintenance.
No updates
The number of BYOVD attacks has skyrocketed in the past two months, prompting researchers from Ars Technica to investigate whether Microsoft’s answer to the problem (the driver blocking built into so-called “Secured-core” PCs) was working as intended. That is when they realized that the vulnerable driver block list had not been updated in some time.
“But while I was reporting on the aforementioned North Korean attacks, I wanted to make sure that the highly promoted driver blocking feature worked as advertised on my Windows 10 device,” wrote Dan Goodin of Ars Technica. “Yes, I have Memory Integrity turned on in Windows Security > Device Security > Core Isolation, but I haven’t seen any evidence that the list of banned drivers is periodically updated.”
Microsoft initially dismissed the findings as irrelevant, but as other researchers weighed in, it later changed its position, saying that it was “working to fix issues with our service process that prevented devices from receiving policy updates,” Goodin added.
“The list of vulnerable drivers is updated regularly, however we received feedback that there was a synchronization gap across OS versions,” Microsoft said. “We have corrected this and it will be maintained in upcoming and future Windows updates. The documentation page will be updated when new updates are released.”
While Microsoft claimed to have fixed the problem with a constantly updated driver block list, researchers discovered that the company had not updated the list in nearly three years. In other words, vulnerable drivers discovered in the past 24 to 36 months had not been added to the block list, and threat actors could still load them to exploit vulnerabilities that had already been fixed.
Microsoft has since released a new tool that lets Windows 10 users apply the block list updates that had been pending for three years. “But this is a one-time update; it’s not clear yet whether Microsoft can or will push automatic updates to the driver block list through Windows Update,” Goodin concluded.
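For readers who want to check their own machine rather than take the documentation at its word, here is an added PowerShell example (written for this page, not code from Ars Technica or Microsoft). It reads the Memory Integrity (HVCI) state the way Goodin describes checking it, and then lists the Code Integrity policy files on disk with their last-modified dates, since a policy that has not changed in years is exactly the symptom described above. It assumes the documented Win32_DeviceGuard WMI class and the HypervisorEnforcedCodeIntegrity registry value, and that the block list ships as a .p7b policy under System32\CodeIntegrity; the 180-day staleness threshold is an arbitrary choice for the example, not a Microsoft figure.

```powershell
# Added example (not from the article): report whether Memory Integrity (HVCI) is running
# and how fresh the Code Integrity policy files on this machine are.
# Assumptions: Win32_DeviceGuard and the registry value below are the documented ways to
# read this state; the staleness threshold is a constructed value for this example only.

function Get-DriverBlockListStatus {
    [CmdletBinding()]
    param(
        # Constructed threshold for this example: policies older than this are flagged.
        [int]$StaleAfterDays = 180
    )

    # 1. Memory Integrity / HVCI state as reported by the Device Guard WMI class.
    #    SecurityServicesRunning contains 2 when HVCI is active;
    #    CodeIntegrityPolicyEnforcementStatus is 0 = Off, 1 = Audit, 2 = Enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    $hvciRunning   = $dg.SecurityServicesRunning -contains 2
    $ciEnforcement = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
        0 { 'Off' } 1 { 'Audit' } 2 { 'Enforced' } default { 'Unknown' }
    }

    # 2. The toggle behind Windows Security > Device Security > Core Isolation.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $hvciConfigured = (Get-ItemProperty -Path $regPath -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1

    # 3. Code Integrity policy files (the vulnerable driver block list ships as a CI policy).
    #    A last-write date years in the past is the symptom the article describes.
    $policyDir = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
    $cutoff    = (Get-Date).AddDays(-$StaleAfterDays)
    $policies  = Get-ChildItem -Path $policyDir -Filter '*.p7b' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                LastWrite = $_.LastWriteTime
                Stale     = $_.LastWriteTime -lt $cutoff
            }
        }

    [pscustomobject]@{
        HvciConfigured   = $hvciConfigured
        HvciRunning      = $hvciRunning
        CiEnforcement    = $ciEnforcement
        Policies         = $policies
        StalePolicyCount = @($policies | Where-Object Stale).Count
    }
}

# Usage: run from an elevated PowerShell prompt on the device you want to check.
$status = Get-DriverBlockListStatus
$status | Format-List HvciConfigured, HvciRunning, CiEnforcement, StalePolicyCount
$status.Policies | Format-Table Path, LastWrite, Stale -AutoSize
if (-not $status.HvciRunning) {
    Write-Warning 'Memory Integrity is not running; on Windows 10 the driver block list is only enforced with HVCI on.'
}
if ($status.StalePolicyCount -gt 0) {
    Write-Warning 'One or more Code Integrity policy files have not changed in a long time; check for block list updates.'
}
```

The two warnings separate the two failure modes the article conflates: a device where Memory Integrity was never switched on (no enforcement at all) and a device where it is on but the policy it enforces is the same one it shipped with years ago. Only the second case is what Microsoft's one-time update tool addresses.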
Via: Ars Technica