“Microsoft is the world’s best malware hoster,” a former Microsoft security employee said publicly a year ago. And it is true that the Redmond company continues to make headlines for serious security breaches and ransomware attacks, some of which have persisted for a long time. The latest one came to light today and has been open for three years.

For almost three years, Microsoft failed to adequately protect Windows PCs (mostly Windows 10, given the period involved) from malicious drivers, according to a report by Ars Technica. Although Microsoft says that its Windows updates add information about newly discovered malicious drivers to a block list that devices download, Ars Technica found that these updates never actually took effect on devices.


How does this attack work?

This gap in coverage left users exposed to a type of attack called BYOVD, or bring your own vulnerable driver, in which malicious actors load legitimate, digitally signed drivers with known vulnerabilities into Windows.

Drivers are the files that your computer’s operating system uses to communicate with external devices and hardware, such as a printer, graphics card, or webcam. Because drivers can access the core of the operating system, the kernel, Microsoft requires that all drivers be digitally signed to prove that they are safe to use.

But if a digitally signed driver has a security hole, attackers can take advantage of it to gain direct access to Windows.

Examples of attacks exploiting this problem

The researchers cite several recorded attacks that stem from this problem. In August, hackers used a vulnerable driver belonging to the MSI Afterburner overclocking utility to install BlackByte ransomware. In another recent incident, cybercriminals exploited a vulnerability in the anti-cheat driver of the game Genshin Impact.

The North Korean hacker group Lazarus carried out a BYOVD attack on an aerospace employee in the Netherlands and a political journalist in Belgium in 2021 (although security firm ESET did not bring it to light until late last month).

As Ars Technica points out, Microsoft offers a feature called Hypervisor-Protected Code Integrity (HVCI) that is supposed to protect against malicious drivers and which, the company says, is enabled by default on certain Windows devices.

However, both Ars Technica and Will Dormann, Principal Vulnerability Analyst at the cybersecurity firm Analygence, found that this feature does not offer adequate protection against malicious drivers.

The Microsoft recommended driver block rules page states that the driver block list “is applied to” HVCI-enabled devices.

Yet here is an HVCI-enabled system, and one of the drivers in the block list (WinRing0) is happily loaded.

I don’t believe the docs. https://t.co/7gCnfXYIys https://t.co/2IkBtBRhks pic.twitter.com/n4789lH5qy — Will Dormann (@wdormann), September 16, 2022

In a thread posted on Twitter in September, Dormann explains that he was able to load a malicious driver on an HVCI-enabled device even though the driver was on Microsoft’s block list.

He later discovered that Microsoft’s block list had not been updated since 2019 and that Microsoft’s attack surface reduction (ASR) capabilities also did not protect against malicious drivers. So it is a problem that has been around for at least three years.
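The two checks a defender wants after reading the above are whether HVCI is really running on a host, and whether any kernel driver currently loaded matches an entry in the driver block list. The script below is an added example, not code from the article, from Microsoft, or from Dormann. It reads HVCI state from the Win32_DeviceGuard WMI class, enumerates running drivers via Win32_SystemDriver, and compares them against a constructed sample policy written in the shape of a WDAC policy's FileRules section (the WinRing0 file name and the second hypothetical driver are illustrative entries, not copied from Microsoft's list). Run it from an elevated PowerShell session, and replace the sample policy with the real block-list XML to audit a machine properly.

```powershell
# Added example: audit a Windows host for HVCI state and for running kernel
# drivers that match FileName-based Deny rules in a WDAC-style policy.
# The policy below is a CONSTRUCTED sample in the shape of Microsoft's driver
# block rules; entries are illustrative, not taken from the real list.
[xml]$samplePolicy = @"
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <FileRules>
    <Deny ID="ID_DENY_WINRING0" FriendlyName="WinRing0 (constructed entry)"
          FileName="WinRing0x64.sys" MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_EXAMPLE" FriendlyName="Hypothetical vulnerable driver"
          FileName="example_vuln.sys" MinimumFileVersion="1.2.0.0" />
  </FileRules>
</SiPolicy>
"@

function Get-HvciStatus {
    # Win32_DeviceGuard reports which virtualization-based security services are
    # configured and which are actually running; the value 2 denotes HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        HvciConfigured = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = ($dg.SecurityServicesRunning    -contains 2)
        # 0 = off, 1 = audit mode, 2 = enforced (code-integrity policy)
        CodeIntegrityPolicyEnforcement = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

function Get-FileNameDenyRules([xml]$Policy) {
    # Only FileName rules are usable here: Hash rules in WDAC policies carry
    # Authenticode hashes, which Get-FileHash does not compute.
    foreach ($rule in $Policy.SiPolicy.FileRules.Deny) {
        if (-not $rule.FileName) { continue }
        [pscustomobject]@{
            Id                = $rule.ID
            Name              = $rule.FriendlyName
            FileName          = $rule.FileName
            MaxBlockedVersion = [version]$rule.MinimumFileVersion
        }
    }
}

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver paths appear as \??\C:\..., \SystemRoot\..., or
    # relative to the Windows directory; normalise them to a plain path.
    $p = $PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Find-BlockedRunningDrivers([xml]$Policy) {
    $rules   = @(Get-FileNameDenyRules $Policy)
    $running = Get-CimInstance -ClassName Win32_SystemDriver |
               Where-Object { $_.State -eq 'Running' -and $_.PathName }
    foreach ($drv in $running) {
        $path = Resolve-DriverPath $drv.PathName
        $leaf = Split-Path -Leaf $path
        $hit  = $rules | Where-Object { $_.FileName -ieq $leaf } | Select-Object -First 1
        if (-not $hit) { continue }
        $ver = try { (Get-Item -LiteralPath $path -ErrorAction Stop).VersionInfo.FileVersionRaw }
               catch { $null }
        # Assumption (simplified WDAC semantics): a file is covered by the rule when
        # its version is at or below MinimumFileVersion, or the version is unreadable.
        $covered = ($null -eq $ver) -or ($ver -le $hit.MaxBlockedVersion)
        [pscustomobject]@{
            Service       = $drv.Name
            Path          = $path
            FileVersion   = $ver
            Rule          = $hit.Id
            CoveredByRule = $covered
            Sha256        = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

Get-HvciStatus | Format-List
$hits = @(Find-BlockedRunningDrivers $samplePolicy)
if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize }
else { 'No running driver matches a FileName rule in the sample policy.' }
```

The point of combining the two checks is the one Dormann's thread makes: HvciRunning being true says nothing about whether the policy on the device is current. A driver listed in the policy yet reported here as running and CoveredByRule is exactly the condition shown in the WinRing0 screenshot above, and the flat SHA256 column is there so the finding can be correlated with EDR or threat-intel data, not for matching the policy's Authenticode hash rules.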

Microsoft’s response

According to available information, Microsoft addressed these issues earlier this month. “We have updated the online documentation and added a download with instructions to apply the binary version directly,” said Microsoft project manager Jeffery Sutherland in a response to Dormann’s tweets.

“We’re also addressing issues with our service process that have prevented devices from receiving our policy updates.” Since then, Microsoft has provided instructions on how to manually update the block list with the vulnerable drivers that were missing for years, but it is not known when the updated list will start arriving automatically through Windows updates.