Microsoft appears to have resolved a situation that might have put Windows users in danger of a variety of cyberattacks.
Bring Your Own Vulnerable Driver, or BYOVD for short, is an attack technique in which the attackers install an older, legitimately signed driver with known vulnerabilities on a target endpoint. Because the driver is genuine and signed, it triggers no antivirus warnings, but its flaws give the attackers a kernel-level foothold from which to deliver a more dangerous payload.
The researchers are troubled by the way the company dealt with the issue, as it appears that Microsoft only produced a one-time fix for a problem that requires ongoing maintenance.
No updates
In the last couple of months, the number of BYOVD attacks has increased dramatically, prompting Ars Technica to investigate whether Microsoft's answer to the problem (part of what it markets as Secured-core PCs) is as effective as intended. That is when they discovered the driver blocklist hadn't been updated in years.
"As I was reporting on the North Korean attacks mentioned above, I wanted to ensure that this widely promoted driver-blocking feature was effective on my Windows 10 machine," Ars Technica's Goodin wrote. "Yes, I had memory integrity switched on in Windows Security > Device security > Core isolation, but there was no evidence that a list of banned drivers was periodically updated."
Microsoft initially dismissed the findings as irrelevant, but as other researchers chimed in, it changed its position, declaring that it was "working on the issues with our service process, which has prevented devices from receiving updates to the policy."
"The vulnerable driver list is regularly updated; however, we received feedback that OS versions have been missing, and it will be serviced in upcoming and future Windows Updates. The documentation page will be updated as new updates are issued," the company added.
While Microsoft claimed that the driver blocklist was being updated constantly, researchers concluded that the company hadn't updated the list in three years. That means every vulnerable driver discovered in the last 24 to 36 months was missing from it, and threat actors may well have exploited those drivers in the meantime.
Microsoft has since released a tool that lets Windows 10 users apply the blocklist updates that had been unavailable for three years. However, this is a one-time update; it is unclear whether Microsoft can or will deliver automatic updates to the driver blocklist through Windows Update, according to Goodin.
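The check Goodin describes above (memory integrity switched on, but no sign the blocklist was ever refreshed) can be scripted rather than eyeballed in the Settings app. The following is an added example written for this page, not code from Ars Technica or Microsoft. It assumes the Windows-documented locations for these controls: the Win32_DeviceGuard WMI class for HVCI status, the VulnerableDriverBlocklistEnable value under CI\Config (Windows 11 22H2 and later), the OS-shipped block policy file driversipolicy.p7b, and event ID 3077 in the Code Integrity operational log for enforced driver blocks. Run it from an elevated PowerShell prompt.

```powershell
# Added example: audit the BYOVD defences discussed in the article.
# Assumptions (Microsoft-documented, but confirm against your build):
#   - Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI is running
#   - HKLM\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable
#     (DWORD, Windows 11 22H2+; absent on older builds)
#   - %windir%\System32\CodeIntegrity\driversipolicy.p7b is the shipped driver block policy
#   - Event 3077 in Microsoft-Windows-CodeIntegrity/Operational = enforced block

# 1. Is memory integrity (HVCI) actually running, not merely "available"?
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning = $dg.SecurityServicesRunning -contains 2
"Memory integrity (HVCI) running : $hvciRunning"

# 2. Is the Microsoft vulnerable driver blocklist switched on?
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
$blocklistState = if ($null -eq $blocklist) { 'not set (pre-22H2 build or feature absent)' } else { $blocklist }
"VulnerableDriverBlocklistEnable : $blocklistState"

# 3. How stale is the blocklist policy that is actually in force?
#    The file timestamp is the cheapest staleness signal; a policy untouched for
#    years is exactly the condition the article describes.
$policy = Join-Path $env:windir 'System32\CodeIntegrity\driversipolicy.p7b'
if (Test-Path $policy) {
    $written = (Get-Item $policy).LastWriteTime
    $ageDays = [int]((Get-Date) - $written).TotalDays
    "driversipolicy.p7b last written : $written ($ageDays days ago)"
    if ($ageDays -gt 180) { "WARNING: block policy is more than six months old" }
} else {
    "driversipolicy.p7b              : not present"
}

# 4. Has Code Integrity actually blocked a driver load recently?
#    No 3077 events is not proof the list is stale, but a recent one proves enforcement works.
$blocked = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077 } `
                        -MaxEvents 10 -ErrorAction SilentlyContinue
if ($blocked) {
    "Recent enforced driver blocks (event 3077):"
    $blocked | Select-Object TimeCreated, Message | Format-List
} else {
    "No enforced driver-block events (3077) found"
}
```

The point of step 3 is the one the article makes: the toggle in Core isolation only tells you that enforcement is on, not that the list being enforced is current. If the policy file's timestamp predates the drivers you are worried about, treat the machine as unprotected against them regardless of what the Settings app shows.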