Microsoft fixes a critical vulnerability with its driver blocklist

Microsoft has fixed an issue with its vulnerable driver blocklist that was preventing it from syncing with older versions of Windows as recently as Windows 10. The flaw was found by Analygence security analyst Will Dormann leading to Microsoft finally fixing the issue. 

Threat actors often use a technique called Bring Your Own Vulnerable Driver (BYOVD) to install legitimate but vulnerable drivers on the target machine which then provide easy access into the system. These attacks work on HVCI-enabled machines or on ones running Windows S mode. The tactic has seen widespread use from ransomware gangs to state-sponsored hacking groups. 

As per Dormann’s findings, even updated Windows 10 and Windows server installations were being fed an outdated driver blocklist all the way from December 2019. As of September 2022, 71.87% of all Windows users were still using Windows 10, meaning a majority of Windows users were vulnerable to the BYOVD attacks without knowing. 

The Microsoft recommended driver block rules page states that the driver block list "is applied to" HVCI-enabled devices.
Yet here is an HVCI-enabled system, and one of the drivers in the block list (WinRing0) is happily loaded.
I don't believe the docs.https://t.co/7gCnfXYIys https://t.co/2IkBtBRhks pic.twitter.com/n4789lH5qy

— Will Dormann (@wdormann) September 16, 2022

It took Microsoft nearly a month following Dormann’s discovery to fix the blocklist with the fix to be serviced in upcoming and future Windows updates. Starting with October 2022’s preview release update, the blocklist will be the same on older versions as on Windows 11 21H2 and later.

The blocklist will also be enabled by default on all devices, with customers having the option to disable it by either turning off HVCI or disabling the S Mode. This can be done via the Windows Security app.

The aforementioned method however only applies to Windows 10 and Windows 11 21H2 systems. For Windows 11 22H2 PCs, the feature can be disabled by disabling the blocklist on the Core Isolation page in the Windows Security app. 

While disabling drivers can cause devices or software to malfunction, even leading to a stop error in rare cases, Microsoft attempts to balance the security risk against potential effects on reliability and compatibility. That said, the company has also warned that there’s no guarantee that the blocklist will catch every vulnerable driver. 

In the News: Hive ransomware gang attacks Tata Power; starts leaking employee data