Microsoft's own mistake may have left users at risk of malware attacks


Microsoft appears to have finally addressed an issue that could have left Windows users at risk of all kinds of cyberattacks. 

The issue concerns a cyberattack method called Bring Your Own Vulnerable Driver, or BYOVD for short. It revolves around attackers installing older, legitimate software drivers that are known to carry vulnerabilities on target endpoints. Installing a legitimately signed driver will not trigger any antivirus alarms, but the driver's known flaws open a backdoor through which attackers can deliver a more dangerous payload. 

However, the researchers aren’t happy with how the company addressed the issue, as it would seem Microsoft only created a one-time solution for a problem that needs continuous support.

No updates

The number of BYOVD attacks rose significantly in the past couple of months, prompting researchers from Ars Technica to investigate whether Microsoft’s solution to the problem (part of what it dubbed “Secured Core” PCs) works as intended. That’s when they realized the list hadn’t been updated in quite some time. 

“But as I was reporting on the North Korean attacks mentioned above, I wanted to make sure this heavily promoted driver-blocking feature was working as advertised on my Windows 10 machine,” Ars Technica’s Dan Goodin writes. “Yes, I had memory integrity turned on in Windows Security > Device security > Core isolation, but I saw no evidence that a list of banned drivers was periodically updated.”

Microsoft dismissed the initial findings as irrelevant, but as other researchers chimed in, it later changed its stance, saying it was “fixing the issues with our servicing process which has prevented devices from receiving updates to the policy,” Goodin added. 

“The vulnerable driver list is regularly updated, however we received feedback there has been a gap in synchronization across OS versions,” Microsoft was cited saying. “We have corrected this and it will be serviced in upcoming and future Windows Updates. The documentation page will be updated as new updates are released.”

While Microsoft claimed it solved the problem by having a driver blocklist that’s constantly being updated, researchers discovered that the company hadn’t updated the list in roughly three years. In other words, whatever vulnerable drivers were discovered in the last 24 - 36 months hadn’t been added to this blocklist, and threat actors could have used them to reopen security holes that were supposedly already closed.
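The gap described above is something an administrator can check for on their own machines. The following PowerShell script is an added example, not part of the article and not a Microsoft tool: it reports whether memory integrity (HVCI) is actually running, how old the deployed Code Integrity policy file is, and whether the Code Integrity log shows any recent policy activations or blocked drivers. The `Win32_DeviceGuard` class, the `HypervisorEnforcedCodeIntegrity` registry key and the Code Integrity event IDs are documented by Microsoft; the `SiPolicy.p7b` path is an assumption based on how Microsoft's blocklist documentation deploys the policy, so verify it against your own build.

```powershell
# Added example (not from the article). Run from an elevated PowerShell session.
# Reports the state of HVCI / memory integrity and of the driver-blocking
# Code Integrity policy, so a stale blocklist can be spotted rather than assumed away.

$report = [ordered]@{}

# 1. Memory integrity (HVCI) state from the DeviceGuard WMI class.
#    SecurityServicesRunning contains 2 when HVCI is active (documented values).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$report['HVCI running']               = ($dg.SecurityServicesRunning -contains 2)
$report['VBS status (2 = running)']   = $dg.VirtualizationBasedSecurityStatus
$report['CI policy enforcement']      = $dg.CodeIntegrityPolicyEnforcementStatus

# 2. The same setting as written by the Core isolation toggle the article mentions.
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$report['HVCI registry Enabled'] = (Get-ItemProperty -Path $hvciKey -ErrorAction SilentlyContinue).Enabled

# 3. Deployed Code Integrity policy file.
#    Assumption: the blocklist policy is deployed as SiPolicy.p7b in the
#    CodeIntegrity directory. A timestamp years in the past is exactly the
#    symptom the article describes.
$policyPath = Join-Path $env:windir 'System32\CodeIntegrity\SiPolicy.p7b'
if (Test-Path $policyPath) {
    $policy = Get-Item $policyPath
    $report['Policy file']         = $policyPath
    $report['Policy last written'] = $policy.LastWriteTime
    $report['Policy age (days)']   = [int]((Get-Date) - $policy.LastWriteTime).TotalDays
} else {
    $report['Policy file'] = 'not present'
}

# 4. Evidence that the policy is loaded and enforcing, from the CI operational log.
#    3099 = policy activated, 3077 = file blocked under an enforced policy,
#    3076 = would have been blocked (audit mode only).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077, 3099
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue

$summary = $events | Group-Object Id | ForEach-Object { "$($_.Name): $($_.Count)" }
$report['CI events, last 30 days'] = if ($summary) { $summary -join ', ' } else { 'none' }

[pscustomobject]$report | Format-List
```

A machine that shows HVCI running but a policy file dated years back, with no 3099 activations in the log, is in the state the article describes: the blocking mechanism is switched on, but the list it enforces is not being refreshed.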

Microsoft has since released a new tool that allows Windows 10 users to deploy blocklist updates that were pending for three years. “But this is a one-time update process; it is not yet clear if Microsoft can or will push automatic updates to the driver blocklist through Windows Update,” Goodin concluded.

Via: Ars Technica

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.