Microsoft says it addressed an issue preventing the Windows kernel vulnerable driver blocklist from being synced to systems running older Windows versions.

This blocklist (stored in the DriverSiPolicy.p7b file) is designed to block threat actors from dropping legitimate but vulnerable drivers on targets’ systems in Bring Your Own Vulnerable Driver (BYOVD) attacks on HVCI-enabled Windows machines or those running Windows in S Mode.

Once loaded, the flawed drivers are exploited to gain kernel-level privileges and execute malicious code, letting attackers disable security solutions and take control of the device.

This is a well-known and popular attack technique amongst threat actors of all skill levels, from ransomware gangs to state-sponsored hacking groups.

Although Microsoft has been advertising its driver blocklist as capable of hardening Windows systems against vulnerable third-party drivers, ANALYGENCE security analyst Will Dormann found that wasn’t the case.

As Dormann discovered, unlike Windows 11 devices, even up-to-date Windows 10 and Windows Server systems were being provided with an outdated list of vulnerable drivers from December 2019, exposing customers who thought they were protected to BYOVD attacks.
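A defender-side check for the condition Dormann describes, added here as an example and not part of the original article or of any Microsoft tooling: it reports whether HVCI is actually running, where the machine's copy of the blocklist policy lives, and whether that copy looks stale or matches a reference hash. It assumes the policy file sits at the path below (the DriverSiPolicy.p7b file named above), and `$ReferenceHash` is a placeholder to be filled from a system known to carry the current blocklist.

```powershell
# Added example (not from the article). Reports HVCI state and the local copy
# of the driver blocklist policy so a stale copy can be spotted and compared
# against a known-current reference. $ReferenceHash is a placeholder you fill
# in from a machine known to have the up-to-date blocklist.
param(
    [string]$ReferenceHash = 'REPLACE-WITH-SHA256-OF-KNOWN-CURRENT-DRIVERSIPOLICY'
)

# Assumed location of the blocklist policy delivered by Windows Update.
$policyPath = Join-Path $env:SystemRoot 'System32\CodeIntegrity\driversipolicy.p7b'

# 1. Is HVCI (memory integrity) running? The blocklist is only enforced when
#    HVCI or S Mode is on, so this tells you whether the list matters here.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard
$hvciRunning = $dg.SecurityServicesRunning -contains 2   # 2 = HVCI

if (-not (Test-Path $policyPath)) {
    Write-Warning "No driver blocklist policy found at $policyPath"
    return
}

$item = Get-Item $policyPath
$hash = (Get-FileHash -Path $policyPath -Algorithm SHA256).Hash

# 2. Timestamp heuristic only: the article reports Windows 10 machines stuck
#    with a December 2019 list, so a policy file untouched since then is
#    suspect. File timestamps can be preserved by packaging, so treat this as
#    a hint, not proof.
$looksStale = $item.LastWriteTime -lt [datetime]'2020-01-01'

# 3. Stronger check: does the local copy match the hash taken from a system
#    known to carry the current blocklist?
$matchesReference = ($ReferenceHash -notlike 'REPLACE-WITH-*') -and
                    ($hash -eq $ReferenceHash)

[pscustomobject]@{
    HvciRunning      = $hvciRunning
    PolicyPath       = $policyPath
    PolicyLastWrite  = $item.LastWriteTime
    PolicySha256     = $hash
    LooksStale       = $looksStale
    MatchesReference = $matchesReference
}
```

Run it on a fully patched Windows 11 machine first to capture the reference hash, then compare the output on the Windows 10 or Server hosts you manage.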

Microsoft reluctantly acknowledged his findings and promised to address this issue and update its misleading online support docs.

Driver blocklist sync finally fixed

More than a month after Dormann revealed that the list of vulnerable drivers wasn’t kept up to date on Windows 10 and some Windows Server systems, Microsoft has now finally addressed this issue.

“The vulnerable driver list is regularly updated, however we received feedback there has been a gap in synchronization across OS versions,” a Microsoft spokesperson told BleepingComputer.

Unfortunately, this “gap” meant that the driver blocklist had not been synced to Windows 10 systems since 2019, even though Microsoft kept updating it on its end, effectively breaking the feature on those machines.

“We have corrected this and it will be serviced in upcoming and future Windows Updates. The documentation page will be updated as new updates are released.”

Redmond has addressed the driver blocklist sync issue with the October 2022 preview update, ensuring that the blocklist is the same across Windows 10 and 11.

Starting with the Windows 11 2022 update (version 22H2), the blocklist is also enabled by default on all devices. Still, customers can disable it using the Windows Security app (only in Insider builds) by turning off HVCI (memory integrity) or disabling Windows in S Mode.

“Blocking drivers can cause devices or software to malfunction. In rare cases, it leads to a stop error,” Microsoft warned on Tuesday. “There is no guarantee that the blocklist will block every driver that has weaknesses.”

Update October 26, 15:10 EDT: The article was revised to make it clear that only Insiders can disable the blocklist using the Windows Security app.

Source: www.bleepingcomputer.com