Microsoft appears to have woken up and realized it may have left certain Windows Server and Windows 10 systems exposed to exploitable drivers for years.
Redmond has been dogged by criticism that its hypervisor-protected code integrity (HVCI) feature was not fulfilling its promise. Much-hyped by Microsoft over the past two years, HVCI, when available and switched on, is supposed to prevent known vulnerable drivers from running on a Windows box, as this code could be exploited by miscreants to gain total control over the system. HVCI requires certain hardware support, and isn’t always available or enabled.
This month it emerged the list of vulnerable drivers HVCI was supposed to be blocking was wildly out of date on machines running certain pre-Windows 11 operating systems, such as some Windows 10 and Windows Server builds. Simply put, bad drivers that HVCI, when enabled, should have banned were not being blocked.
Though there are other ways to block bad drivers using a more recent ban list, such as via Windows Defender Application Control (WDAC), those who assumed HVCI was automatically protecting their Windows 10 PCs may not have realized its driver deny-list had not been updated since 2019.
This potentially left the door open to so-called bring-your-own-vulnerable-driver (BYOVD) attacks on those neglected systems. A BYOVD attack typically involves someone gaining a foothold on your computer – such as by tricking you into running malware, or being a rogue insider – and installing a known-vulnerable driver that can be exploited to hijack the box at the kernel level. To do so, the miscreant needs sufficient user privileges or access to install the bad driver.
HVCI with an up-to-date ban list should be able to catch those dodgy driver installations.
According to Microsoft, vulnerable drivers have been used in malware infections ranging from RobbinHood, GrayFish, and Sauron to nasty code used by Strontium, a Russia-backed crew.
Fixed it, sort of
In a note on Tuesday, Microsoft wrote that from the Windows 11 2022 update, the vulnerable driver blocking is enabled by default, rather than being opt-in, for all capable devices. It’s enforced through HVCI, Smart App Control, or S mode. HVCI is also said to be on by default anyway on most new Windows 11 machines.
Crucially, Microsoft stated: “The blocklist is updated with each new major release of Windows. We plan to update the current blocklist for non-Windows 11 customers in an upcoming servicing release and will occasionally publish future updates through regular Windows servicing.”
In other words, the latest Windows releases get an updated banned driver list, and soon older Windows 10 and Server editions will finally get an updated verboten driver list that should work as expected, if blocking is enabled. Redmond quietly admitted its block list has been out of date in the release notes for an October preview release for Windows 10, Windows 11, and Windows Server.
“This October 2022 preview release addresses an issue that only updates the blocklist for full Windows OS releases,” Microsoft wrote.
In a blog post in 2020, Microsoft listed HVCI as a strong hardware-backed security feature to protect Windows machines and boasted of a way to keep the blocklist updated on systems.
However, as recently highlighted by Ars, the blocklist wasn’t updating for all Windows systems, a discovery documented by Will Dormann, senior vulnerability analyst at Analygence.
Dormann was able to load a malicious driver known as WinRing0 onto a system that had the HVCI tool enabled. He later found that Windows 10 machines with HVCI enabled were using a driver blocklist from 2019. There had been no updates for Windows 10 systems for three years, allowing WinRing0 to run even though later lists ban the code.
Earlier this month, Microsoft acknowledged Dormann’s findings and said it was updating the online support documents along with adding a download with instructions for applying the binary version directly.
“We’re also fixing the issues with our servicing process which has prevented devices from receiving updates to the policy,” Microsoft’s Jeffrey Sutherland wrote in a tweet. ®
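For administrators who want to verify the two things this story turns on, namely whether HVCI is actually running on a host and whether the on-disk driver block policy looks stale, the following PowerShell script is an added example written for this page; it is not code from The Register, Microsoft or Dormann. It assumes the Win32_DeviceGuard CIM class in the root\Microsoft\Windows\DeviceGuard namespace, where the value 2 in SecurityServicesRunning denotes HVCI, and it assumes the two policy file paths shown (the built-in driversipolicy.p7b and a manually applied SiPolicy.p7b) are where the block rules live on a Windows 10 system; the cut-off date is a constructed threshold, and a file timestamp is only a heuristic for the policy's content.

```powershell
# Added example (not from the article, Microsoft or Dormann): report HVCI state
# and the age of the vulnerable-driver block policy files on a Windows host.
# Assumptions: Win32_DeviceGuard exposes SecurityServicesRunning/Configured with
# 2 meaning HVCI; the two paths below are where the block rules are stored
# (built-in list and manually applied Microsoft recommended rules). The
# timestamp check is a heuristic, and the cut-off date is a constructed value.

$PolicyPaths = @(
    'C:\Windows\System32\CodeIntegrity\driversipolicy.p7b',  # built-in blocklist (assumed path)
    'C:\Windows\System32\CodeIntegrity\SiPolicy.p7b'         # manually applied rules (assumed path)
)
$StaleBefore = Get-Date '2022-01-01'   # constructed threshold: older than this is worth a look

function Get-HvciState {
    # Query Device Guard status; SecurityServices* are arrays of service ids.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    [pscustomobject]@{
        VbsStatus      = $dg.VirtualizationBasedSecurityStatus  # 0 off, 1 enabled, 2 running
        HvciConfigured = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-DriverBlockPolicyAge {
    # Report presence and last-write time of each candidate policy file.
    param([string[]]$Paths, [datetime]$StaleBefore)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Present = $false; LastWriteUtc = $null; Stale = $true }
            continue
        }
        $item = Get-Item -LiteralPath $p
        [pscustomobject]@{
            Path         = $p
            Present      = $true
            LastWriteUtc = $item.LastWriteTimeUtc
            Stale        = ($item.LastWriteTimeUtc -lt $StaleBefore)
        }
    }
}

$hvci     = Get-HvciState
$policies = Get-DriverBlockPolicyAge -Paths $PolicyPaths -StaleBefore $StaleBefore

$hvci     | Format-List
$policies | Format-Table -AutoSize

if (-not $hvci.HvciRunning) {
    Write-Warning 'HVCI is not running, so the vulnerable-driver blocklist is not being enforced through it.'
}
if (($policies | Where-Object { $_.Present -and -not $_.Stale }).Count -eq 0) {
    Write-Warning "No driver block policy newer than $($StaleBefore.ToShortDateString()) found; consider applying Microsoft's current recommended driver block rules."
}
```

Run it in an elevated PowerShell session, since the CodeIntegrity directory is not readable by every account. A warning from the second check does not by itself prove the list is the 2019 one the article describes, because a policy file can be rewritten without its rules changing, but a missing file or one untouched for years is exactly the condition worth following up with the updated rules Microsoft now publishes.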