
Microsoft fixes driver blocklist placing users at risk from BYOVD attacks

There may be an all-new acronym for you to remember, courtesy of Microsoft finally fixing a lingering issue. The acronym is BYOVD, for Bring Your Own Vulnerable Driver, and attacks of this type have been popping up in various forms for the last few months. They might have done less damage if a mitigation Microsoft promoted as the answer to them had actually been working. Unfortunately, it has now come to light that this mitigation has not been behaving as it should have been.

Bringing the party to you

Back in July, BYOVD was making waves in the news. These attacks work by having malware “bring along” a legitimately signed driver that contains a known vulnerability and dropping it on the target PC. Because the driver carries a valid signature, Windows will load it: driver signature enforcement checks who signed the file, not whether the file is safe. Once the driver is loaded, the attacker triggers its vulnerability to get code running in the kernel and uses that as the launchpad to compromise the rest of the PC.

There are mitigations for this kind of activity, but it appears that one of them wasn’t doing everything it could be. In fact, Microsoft’s very own driver blocklist turns out to have been left gathering dust for roughly three years.

A blocklist with blocking issues

The issue came to light when several people noticed this blocklist functionality didn’t appear to be working as expected.

https://twitter.com/dangoodin001/status/1580988509912936450?ref_src=twsrc%5Etfw

Driver blocklisting would be a useful tool against this kind of attack if it worked as claimed. If the list isn’t kept current, an attacker is free to bring along any vulnerable driver that was released, or whose flaw became known, after the last blocklist update took place. There may well be other ways to stop these attacks, but a blocklist that Microsoft promotes and then fails to maintain is nowhere near as effective as it could be.

Despite initially dismissing the findings, Microsoft was forced to concede that there was indeed an issue, and set about getting its blocklist up to speed.

This has been done, and the “gap in synchronisation across OS versions” has been closed. According to Tech Radar, issues related to blocklist updating will be tackled in “upcoming and future Windows updates”.

Fuzzy answers and uncertain solutions

There is no word as to which Windows updates will do this, or how. For now, your best bet with regard to Microsoft products is to use the driver blocklist tool, but as Dan Goodin notes, this is a one-time update effort. You’ll still be reliant on Windows Update down the line, because the manually applied list doesn’t currently receive blocklist updates through Windows Update itself, so it will start going stale again until Microsoft ships the promised servicing.
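If you want to know where a given machine stands, the following is an added example (not code from the article, and not a Microsoft tool): a read-only PowerShell check of the settings that decide whether the vulnerable driver blocklist is actually being enforced, plus a quick listing of loaded drivers not signed by Microsoft. The registry paths, the Win32_DeviceGuard class and the SiPolicy.p7b location are the ones Microsoft documents; the “Stale” threshold of 90 days and the treatment of a non-Microsoft signer as merely “worth a look” are this script’s own assumptions.

```powershell
# Added example: report the state of BYOVD-related mitigations on this host.
# Run from an elevated PowerShell prompt. Nothing here changes any setting.

function Get-DriverBlocklistStatus {
    $result = [ordered]@{}

    # 1. Memory integrity (HVCI). Microsoft enables the vulnerable driver
    #    blocklist by default only on devices with HVCI, Smart App Control,
    #    or S mode turned on; without one of those it is opt-in.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result.HvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
    $result.WdacPolicyEnforcement = if ($dg) { $dg.CodeIntegrityPolicyEnforcementStatus } else { 'unknown' }

    # 2. The explicit blocklist switch (the same setting as the "Microsoft
    #    Vulnerable Driver Blocklist" toggle in Windows Security > Core isolation).
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                           -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    $result.BlocklistRegistryValue = if ($null -ne $ci) { $ci.VulnerableDriverBlocklistEnable } else { 'not set' }

    # 3. A manually applied blocklist policy, dropped in the way Microsoft's
    #    one-time instructions describe. Its timestamp shows how stale it is,
    #    since nothing refreshes it automatically (90 days is an arbitrary cut-off).
    $policy = Join-Path $env:windir 'System32\CodeIntegrity\SiPolicy.p7b'
    if (Test-Path $policy) {
        $written = (Get-Item $policy).LastWriteTimeUtc
        $result.ManualPolicyPresent   = $true
        $result.ManualPolicyLastWrite = $written
        $result.ManualPolicyStale     = ((Get-Date).ToUniversalTime() - $written).TotalDays -gt 90
    } else {
        $result.ManualPolicyPresent = $false
    }

    [pscustomobject]$result
}

# Loaded kernel drivers whose signer is not Microsoft. A BYOVD payload has to
# appear in this list, so it is a starting point for hunting, not proof of
# compromise: plenty of legitimate vendors sign their own drivers.
function Get-NonMicrosoftDrivers {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the various path forms WMI reports (\??\C:\..., \SystemRoot\..., relative).
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:windir
            if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:windir $path }

            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Subject
                Sha256 = (Get-FileHash -Algorithm SHA256 -Path $path -ErrorAction SilentlyContinue).Hash
            }
        } |
        Where-Object { $_.Signer -notmatch 'Microsoft' }
}

Get-DriverBlocklistStatus | Format-List
Get-NonMicrosoftDrivers   | Format-Table -AutoSize
```

The interesting combination is HvciRunning = False, BlocklistRegistryValue = “not set” and ManualPolicyPresent = False: on such a machine nothing is blocking a known-bad driver at all, whatever Microsoft’s list contains. The SHA256 column is there so you can compare loaded drivers against whichever published list of vulnerable driver hashes you trust, which is exactly the comparison the blocklist is supposed to be doing for you.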

For now, we’ll have to wait and see how this one plays out. At the very least, things are now somewhat more secure in relation to BYOVD attacks thanks to some dogged perseverance in the face of “this doesn’t work”.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.