Microsoft hasn't Updated List of Banned Dodgy Windows 10 Drivers in Years

upnorth

Jul 27, 2015
Microsoft appears to have woken up and realized it may have left certain Windows Server and Windows 10 systems exposed to exploitable drivers for years.

Redmond has been dogged by criticism that its hypervisor-protected code integrity (HVCI) feature was not fulfilling its promise. Much-hyped by Microsoft over the past two years, HVCI, when available and switched on, is supposed to prevent known vulnerable drivers from running on a Windows box, as this code could be exploited by miscreants to gain total control over the system. HVCI requires certain hardware support, and isn't always available or enabled. This month it emerged the list of vulnerable drivers HVCI was supposed to be blocking was wildly out of date on machines running certain pre-Windows 11 operating systems, such as some Windows 10 and Windows Server builds. Bad drivers that should have been banned by HVCI, when enabled, weren't, simply put.

Though there are other ways to block bad drivers, and with a more recent ban list, such as via WDAC, those who assumed HVCI was automatically protecting their Windows 10 PCs may not have realized its driver deny-list has not been updated since 2019. This potentially left the door open to so-called bring-your-own-vulnerable-driver (BYOVD) attacks on those neglected systems. A BYOVD attack typically involves someone gaining a foothold on your computer – such as by tricking you into running malware, or being a rogue insider – and installing a known-vulnerable driver that can be exploited to hijack the box at the kernel level. To do so, the miscreant needs sufficient user privileges or access to install the bad driver.
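The article's point is that having HVCI switched on says nothing about how current the driver deny-list it enforces is. The script below is an added example, not code from the article, from Microsoft or from the forum post: on a Windows 10 or Windows Server host it reports whether HVCI is actually running, when the driver block policy file on disk was last written, whether the vulnerable-driver blocklist registry switch is set, and which drivers Code Integrity has recently blocked or would have blocked. The WMI class, the `driversipolicy.p7b` path, the `VulnerableDriverBlocklistEnable` value and event IDs 3076/3077 are the ones Microsoft documents as far as I know; treat them as assumptions on builds where they differ, and run it from an elevated session.

```powershell
# Added example (not from the article or the post): report HVCI state and how
# stale the driver block list this machine actually enforces is.
# Assumptions: Win32_DeviceGuard class, driversipolicy.p7b path, the
# VulnerableDriverBlocklistEnable registry value and CodeIntegrity event IDs
# 3076/3077 behave as documented by Microsoft. Run elevated.

function Get-HvciStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        # 0 = VBS off, 1 = enabled but not running, 2 = running
        VbsStatus       = $dg.VirtualizationBasedSecurityStatus
        # Service code 2 in these arrays is HVCI, 1 is Credential Guard
        HvciConfigured  = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning     = ($dg.SecurityServicesRunning -contains 2)
        # Kernel-mode CI policy: 0 = off, 1 = audit, 2 = enforced
        KernelCiEnforce = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

function Get-DriverBlocklistInfo {
    # Microsoft's recommended driver block rules ship as a signed WDAC policy file
    $policyPath = Join-Path $env:windir 'System32\CodeIntegrity\driversipolicy.p7b'
    $file = Get-Item -Path $policyPath -ErrorAction SilentlyContinue
    $lastWritten = $null
    if ($file) { $lastWritten = $file.LastWriteTime }

    # Registry switch for the Microsoft vulnerable driver blocklist (assumed location)
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $reg = Get-ItemProperty -Path $regPath -Name VulnerableDriverBlocklistEnable `
                            -ErrorAction SilentlyContinue
    $regState = 'not set'
    if ($reg) { $regState = [bool]$reg.VulnerableDriverBlocklistEnable }

    [pscustomobject]@{
        BlocklistPolicyPresent = [bool]$file
        BlocklistLastWritten   = $lastWritten
        BlocklistEnabledInReg  = $regState
    }
}

function Get-RecentDriverBlocks {
    param([int]$Days = 30)
    # CodeIntegrity Operational log: 3077 = blocked by policy, 3076 = audit-mode hit
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

$hvci = Get-HvciStatus
$list = Get-DriverBlocklistInfo
$hvci | Format-List
$list | Format-List

# HVCI running with a year-old block list is exactly the gap the article describes
if ($hvci.HvciRunning -and $list.BlocklistLastWritten -and
    $list.BlocklistLastWritten -lt (Get-Date).AddYears(-1)) {
    Write-Warning ("HVCI is running, but the enforced driver block list was last " +
        "written $($list.BlocklistLastWritten.ToShortDateString()); compare it " +
        "against Microsoft's current recommended driver block rules.")
}

Get-RecentDriverBlocks | Format-Table -AutoSize
```

The timestamp on `driversipolicy.p7b` is the quickest indication of whether the list HVCI enforces is the one from 2019 or something newer; the 3076/3077 events tell you whether the policy has ever actually fired, which is the evidence to collect before deciding whether to deploy a current block list through WDAC instead of relying on HVCI alone.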