Motonewstoday.com

Microsoft’s own bug could have put users at risk of malware attacks

It seems that Microsoft has finally solved a problem that could put Windows users at risk of all kinds of cyber attacks.

The problem concerns a cyberattack method called Bring Your Own Vulnerable Driver, or BYOVD for short. It revolves around attackers installing old, legitimate software drivers with known vulnerabilities on a target endpoint. Installing a legitimate driver will not trigger any antivirus alarms, but it will open backdoors for attackers to deliver a more dangerous payload.

However, researchers are not happy with how the company has handled the issue, as it seems Microsoft has only created a one-time solution for a problem that requires ongoing support.

No updates

The number of BYOVD attacks has increased significantly over the past couple of months, prompting researchers at Ars Technica to investigate whether Microsoft’s solutions to the problem (which it called the “Secured Core” of PCs) are working as intended. They then realized that the driver block list had not been updated for quite some time.

“But when I reported on the North Korean attacks mentioned above, I wanted to make sure that this much-hyped driver blocking feature worked as advertised on my Windows 10 machine,” writes Ars Technica’s Dan Goodin. “Yes, I had memory integrity enabled under Windows Security > Device Security > Kernel Isolation, but I saw no evidence that the list of banned drivers was updated periodically.”

Microsoft dismissed the initial findings as inconsequential, but as other researchers chimed in, it later changed its position, saying it was “fixing issues with our service process that prevented devices from receiving policy updates,” Goodin added.

“The list of vulnerable drivers is regularly updated, but we have received feedback that there is a gap in synchronization between OS versions,” Microsoft is quoted as saying. “We have fixed this and it will be supported in upcoming and future Windows updates. The documentation page will be updated as new updates are released.”

While Microsoft claimed to have fixed the problem by constantly updating its driver block list, researchers found that the company had not updated the list for about three years. In other words, any vulnerable drivers discovered in the last 24-36 months were not added to this block list, and threat actors could use them to exploit security holes that had already been patched.

Since then, Microsoft has released a new tool that allows Windows 10 users to deploy the block list updates that had been missing for three years. “But this is a one-time renewal process; it is not yet clear whether Microsoft can or will push automatic updates to the driver block list through Windows Update,” Ars Technica concluded.

Via: Ars Technica

https://www.techradar.com/news/microsofts-own-mistake-may-have-left-users-at-risk-of-malware-attacks/
