For almost 3 years, Microsoft’s out-of-date driver blocklist made you vulnerable to malware attacks

Microsoft offers new security products and updates that promise better protection against cybercriminal attacks. Yet Ars Technica has reported that Windows computers were left vulnerable to malicious drivers for nearly three years, because a security protection feature did not work as documented and the driver blocklist it relies on was not being updated.

Drivers are vital files on every Windows PC: they let the system use devices such as webcams, printers and graphics cards. Once installed, a driver has access to the operating system, so it is crucial that drivers carry valid digital signatures and contain no security holes. Otherwise a flaw in a driver can be exploited to gain access to the Windows device.

Windows updates add known-malicious drivers to a blocklist so that users cannot install them. Microsoft also uses a feature called hypervisor-protected code integrity (HVCI), also known as Memory Integrity, to provide additional protection: it is meant to ensure that only safe drivers run and to prevent bad actors from loading malicious code on a user’s computer. In a post, Microsoft stated that this feature is automatically enabled for protection. Microsoft noted that users can disable the feature once they have checked whether it affects the system’s gaming performance, but suggested turning it back on after gaming. These suggestions proved futile after Ars Technica discovered that HVCI does not provide enough protection against malicious drivers.

Before Ars Technica’s report, Will Dormann, a cybersecurity expert at Analygence, shared test results showing that the issue had been publicly known since September.

Dormann tweeted, “The Microsoft recommended driver block rules page states that ‘the driver block list’ is applied to HVCI-enabled devices. Yet, here’s an HVCI-enabled device and WinRing0 is one of the drivers in this block list. I don’t believe what the docs say.”

Dormann added in the tweet thread that the list had not been updated since 2019. This means users had not been protected from problematic drivers for years despite using HVCI, leaving them exposed to “bring your own vulnerable driver” (BYOVD) attacks.

Dormann said that Microsoft Attack Surface Reduction (ASR), which can block drivers, is compatible with the HVCI-enforced block list for drivers, but “it doesn’t block anything in my testing.”

Notably, even though the issue had been known since September, Microsoft addressed it only when Jeffery Sutherland, a Microsoft project manager, responded.

Sutherland responded to Dormann’s tweet by saying, “We have updated our online docs,” and adding a download that includes instructions for applying the binary version directly. “We are also working to fix the issues in our servicing process that prevented devices from receiving updates on the policy.”

Microsoft representatives also spoke to Ars Technica about the flaw. The spokesperson said that the vulnerable driver list was regularly updated, but that Microsoft had received feedback about a synchronization issue between OS versions. This has been corrected and will be addressed in future Windows Updates; the documentation page will be updated as new updates become available.

Microsoft has provided instructions for manually updating the driver blocklist, but it is not clear when the updates will be delivered automatically.
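The practical lesson of Dormann’s test is that an “enabled” checkbox is not evidence that the blocklist is actually enforced on a given machine. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the Device Guard status that Windows exposes through WMI, checks whether the WinRing0 driver named in Dormann’s tweet is currently loaded, and lists recent driver blocks from the Code Integrity event log. The function names are the example’s own; run it in an elevated PowerShell session.

```powershell
# Added example (not from the article): verify HVCI state, look for a loaded
# WinRing0 driver, and list recent code-integrity blocks on a Windows host.

function Get-HvciStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'
    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured but not running, 2 = running
        VbsRunning       = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        # SecurityServicesRunning contains 2 when HVCI (Memory Integrity) is active
        HvciRunning      = ($dg.SecurityServicesRunning -contains 2)
        # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit only, 2 = enforced
        KernelCiEnforced = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)
    }
}

function Get-LoadedDriverByName {
    param([Parameter(Mandatory)][string]$Pattern)
    # Win32_SystemDriver lists kernel drivers and their current service state.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like $Pattern -or $_.PathName -like $Pattern } |
        Select-Object Name, State, PathName
}

function Get-RecentCiBlocks {
    param([int]$Max = 20)
    # Event ID 3077 in the Code Integrity operational log records a file
    # that an enforced policy refused to load.
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

$status = Get-HvciStatus
$status | Format-List
if ($status.HvciRunning -and -not $status.KernelCiEnforced) {
    Write-Warning 'HVCI is running but no enforced code-integrity policy was reported.'
}
# A WinRing0 driver showing State = Running on an HVCI-enabled host is the
# condition Dormann described: the feature is on, the blocklist is not biting.
Get-LoadedDriverByName -Pattern '*WinRing0*'
Get-RecentCiBlocks
```

An empty result from the driver and event queries is not proof that the blocklist is current; it only shows that nothing on the list has been loaded or blocked recently on this host.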

Christopher Woodill

About Me

Enterprise technology leader for the past 15+ years…certified PMP, Six Sigma Black Belt and TOGAF Enterprise Architect. I collaborate with companies to help align their strategic objectives with concrete implementable technology strategies. I am Vice President, Enterprise Solutions for Klick Health.
