Microsoft admits the error: Windows' vulnerable-driver blocklist went unupdated for years, leaving PCs open to BYOVD attacks

Microsoft has issued a "mea culpa" over its failure to adequately protect Windows computers from known-vulnerable drivers for about three years. The company has acknowledged that it fell short on a key aspect of Windows security, leaving users exposed to a pattern of malware infection that has been particularly effective in recent months.

At the heart of the problem is Microsoft's assurance that Windows Update automatically adds newly discovered vulnerable drivers to a blocklist designed to thwart a well-known infection technique. For those unfamiliar with the term, a driver is the software an operating system uses to communicate with hardware such as a printer, graphics card or webcam. Because drivers run in the most privileged part of the system, the kernel, and can therefore reach every part of it, Microsoft requires kernel drivers to be digitally signed. A signature, however, only attests to who published the driver and that it has not been tampered with; it says nothing about whether the code is free of bugs. A legitimately signed driver that contains a vulnerability is exactly what an attacker wants: it loads without tripping the signing requirement and can then be exploited to attack the operating system from inside the kernel.

October 05

One such technique is known as BYOVD (Bring Your Own Vulnerable Driver), and it lets an attacker who already holds administrator privileges bypass the protections of the Windows kernel. The attack is as simple as it is effective: there is no need for a custom-written exploit or an unknown flaw. It is enough to install one of the many legitimately signed third-party drivers with known vulnerabilities, which Windows loads because the signature checks out. From there the attacker exploits those vulnerabilities to gain immediate, direct access to every part of Windows, including kernel memory that is normally off-limits even to administrators.

Microsoft has long maintained that Windows updates add newly identified vulnerable drivers to the blocklist. Ars Technica found, however, that the list was not actually being updated on users' machines, and that the resulting gap in coverage left them vulnerable.

Attacks of this kind are well documented, and several cases have surfaced recently: the BlackByte ransomware, identified in August, which abused the driver shipped with the MSI Afterburner overclocking utility, and the vulnerability in the anti-cheat driver of the game Genshin Impact. There are many more, and they are often recognised only after they have already been abused.

The crux of the matter is that Microsoft was supposed to protect the system through HVCI (Hypervisor-Protected Code Integrity), a security feature the company says is enabled by default on some Windows devices. However, as Ars Technica reported, Will Dormann, senior vulnerability analyst at the security firm Analygence, found that the feature did not provide sufficient protection against vulnerable drivers.

Dormann, for instance, showed on Twitter that he was able to load a driver onto an HVCI-enabled device even though that driver was on Microsoft's blocklist. Further investigation revealed that the blocklist deployed to devices had not been updated since 2020, so drivers Microsoft had added to its published list in the meantime were not being blocked. In other words, HVCI-enabled devices have not been protected against newly identified vulnerable drivers for nearly three years.
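To see where a given machine stands on the two points above, the following PowerShell script, added here as an illustration and not taken from the article, from Microsoft or from Dormann's research, reports whether HVCI is actually running, how old the built-in driver block policy is, and what the Code Integrity event log says about policy activations and blocked drivers. It assumes that the built-in blocklist ships as %windir%\System32\CodeIntegrity\driversipolicy.p7b and that Code Integrity logs policy activations as event 3099 and enforced blocks as event 3077; the 180-day staleness threshold is an arbitrary choice for this example, and file age is only a heuristic for whether the policy has been serviced.

```powershell
# Added example: audit a Windows host for the gap described in the article.
# Not code from the article, Microsoft or Dormann. Run from an elevated prompt.
# Assumptions (verify against your build): the built-in vulnerable driver
# blocklist is %windir%\System32\CodeIntegrity\driversipolicy.p7b; Code Integrity
# logs policy activations as event 3099 and enforced blocks as event 3077.

function Get-HvciStatus {
    # Win32_DeviceGuard reports VBS features as integer codes:
    # 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        HvciConfigured  = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning     = [bool]($dg.SecurityServicesRunning    -contains 2)
        # Kernel-mode code integrity policy: 0 = off, 1 = audit, 2 = enforced
        KmciEnforcement = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

function Get-DriverBlocklistAge {
    param([int]$MaxAgeDays = 180)   # arbitrary threshold chosen for this example
    $policy = Join-Path $env:windir 'System32\CodeIntegrity\driversipolicy.p7b'
    if (-not (Test-Path -LiteralPath $policy)) {
        return [pscustomobject]@{ Path = $policy; Present = $false }
    }
    $item = Get-Item -LiteralPath $policy
    $age  = (Get-Date).ToUniversalTime() - $item.LastWriteTimeUtc
    # Heuristic only: the p7b is replaced by servicing, so a years-old
    # timestamp is the symptom the article describes.
    [pscustomobject]@{
        Path         = $policy
        Present      = $true
        LastWriteUtc = $item.LastWriteTimeUtc
        AgeDays      = [int]$age.TotalDays
        LooksStale   = ($age.TotalDays -gt $MaxAgeDays)
    }
}

function Get-CodeIntegrityEvents {
    param([int]$Newest = 10)
    # 3099: a policy was loaded/activated (message carries name and version).
    # 3077: a file was blocked in enforce mode, i.e. the blocklist actually fired.
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3099, 3077 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Invoke-DriverBlocklistAudit {
    $hvci = Get-HvciStatus
    $list = Get-DriverBlocklistAge
    $verdict = if (-not $hvci.HvciRunning) {
                   'HVCI not running: the driver blocklist is not being enforced through HVCI'
               }
               elseif (-not $list.Present) {
                   'HVCI running but no built-in driver block policy was found'
               }
               elseif ($list.LooksStale) {
                   "HVCI running but the block policy is $($list.AgeDays) days old: apply the current blocklist binary"
               }
               else {
                   'HVCI running and the block policy was recently updated'
               }
    [pscustomobject]@{ Hvci = $hvci; Blocklist = $list; Verdict = $verdict }
}

$audit = Invoke-DriverBlocklistAudit
$audit.Hvci
$audit.Blocklist
$audit.Verdict
Get-CodeIntegrityEvents | Format-Table -AutoSize
```

A machine in the state the article describes shows HvciRunning = True together with a driversipolicy.p7b timestamp from 2020 and no recent 3099 activations; a machine that has received the corrected policy shows a fresh timestamp and a 3099 event for it. The 3077 entries are the direct evidence that the blocklist has actually stopped a driver from loading.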

The first reports of this kind date back to September, but Microsoft said nothing until a few days ago, when Microsoft project manager Jeffrey Sutherland wrote in reply to Dormann's tweet:

“We’ve updated the online docs and added a download with instructions to apply the binary version directly. We’re also addressing maintenance issues that prevented devices from receiving policy updates.”

Microsoft has since published instructions for manually updating the blocklist with the vulnerable drivers that had been missing from it for years, but it is still unclear when Microsoft will start adding new drivers to the list automatically through Windows Update. A company spokesperson then told Ars Technica:

“The list of vulnerable drivers is updated regularly; however, we have received feedback that there is a synchronisation gap between OS versions. We have corrected this issue and it will be introduced in upcoming and future Windows updates. The documentation page will be updated when new updates are released.”

No exact timing has been given, then, but it is clear that a decisive fix will not arrive as quickly as one would like. We will return to the matter if new details emerge.
