
For three years, Windows has been open to attack

For three full years, over a billion machines were attacked because Microsoft’s block list didn’t work, Ars Technica reveals.

Hackers can attack with driver holes

The form of attack is called “BYOVD”, Bring Your Own Vulnerable Driver.

It works like this: hackers take advantage of drivers that are still certificate-approved even though holes that can be exploited in them have been discovered by hackers, so it is extremely important that block lists are always up to date.

Back in September, Will Dormann, a security analyst at Analygence, discovered that it was not a problem to load a malicious driver on a machine with HVCI (“Hypervisor-Protected Code Integrity”) enabled.

Slow on the trigger

To make matters worse, Microsoft didn’t respond to Dormann’s revelations until earlier this month.

“We have updated the documentation and attached a download with instructions to activate the binary directly. We are also addressing issues with the service process that was preventing devices from receiving rule updates,” says Microsoft’s Jeffery Sutherland.

Here’s how Microsoft explains it

It is now also possible to manually update the block list of malicious drivers, many of which have not been on the list for many years. It is not yet known when Microsoft will automatically add new drivers to the list.

To Ars Technica, Microsoft also explains that “the list of vulnerable drivers is updated regularly, but we have received feedback that there has been a delay in synchronization between versions of the operating system. We have fixed this problem and it will be fixed in upcoming and future Windows updates. The documentation page will be updated as new updates are released.” It is unknown
