You may have a new acronym to remember, thanks to Microsoft finally addressing a lingering issue. The acronym is Bring Your Own Vulnerable Driver (BYOVD), and attacks using the technique have been popping up in various forms for the last few months. They might have been less impactful if the mitigation Microsoft has been promoting against them had been working. Unfortunately, it has come to light that it has not been behaving as it should.
Bringing the party to you
Back in July, BYOVD was making waves in the news. These attacks work by having malware "bring along" a legitimately signed driver that contains an exploitable vulnerability and drop it on the target PC. Because the driver carries a valid signature, Windows will load it as a genuine driver; the attacker then exploits the driver's flaw to run code in the kernel or to read and write kernel memory, and uses that foothold (typically to disable security software) as the launchpad to compromise the rest of the machine.
There are mitigations for this kind of activity, but it appears that one of them wasn't doing everything it was supposed to. In fact, Microsoft's very own driver blocklist turns out to have been left gathering dust for roughly three years.
A blocklist with blocking issues
The issue came to light when several people noticed this blocklist functionality didn’t appear to be working as expected.
For years, Microsoft officials have claimed Windows can automatically block a list of malicious drivers that gets regularly updated through Windows Update. After stonewalling me and condescending to admins asking questions, MS has quietly admitted updates weren't ever pushed out. https://t.co/Vj9oWoI893— Dan Goodin (@dangoodin001) October 14, 2022
Driver blocklisting would be a useful tool against this kind of attack if it worked as claimed. If the list on a given machine is stale, an attacker can bring along any vulnerable driver that was added to the list after that machine's last successful update, and it will load just as if it had never been blocklisted. There may well be other ways to stop these attacks, but the blocklist method Microsoft has been promoting is nowhere near as effective as it could be.
Despite initially dismissing the findings, Microsoft was forced to concede that there was indeed an issue, and set about bringing its blocklist up to date.
Thanks for all the feedback. We have updated the online docs and added a download with instructions to apply the binary version directly. We're also fixing the issues with our servicing process which has prevented devices from receiving updates to the policy.— Jeffrey Sutherland (@j3ffr3y1974) October 6, 2022
This has been done, and the “gap in synchronisation across OS versions” has been closed. According to Tech Radar, issues related to blocklist updating will be tackled in “upcoming and future Windows updates”.
Fuzzy answers and uncertain solutions
There is no word yet on which Windows updates will do this, or how. For now, your best bet on Windows is to apply the driver blocklist policy yourself using the binary Microsoft has published, but as Dan Goodin notes, this is a one-time effort: a manually applied policy does not currently receive blocklist updates through Windows Update, so you'll still be reliant on Microsoft fixing its servicing process down the line.
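Since the whole story is about a blocklist that was assumed to be enforced but wasn't, the check a practitioner wants is whether the blocklist is actually active on a given machine, whether it has ever blocked anything, and how to apply Microsoft's downloadable policy by hand. The PowerShell below is an added example, not code from the original article or from Microsoft; it assumes Windows 10 or 11 with an elevated PowerShell 5.1+ session, that the policy file path passed to the install function is one you supply (the path in the usage line is hypothetical), and that `CiTool.exe` is present only on Windows 11 22H2 or later.

```powershell
# Added example (not part of the original article). Inspect and apply the
# Microsoft vulnerable driver blocklist. Run as Administrator.

function Get-DriverBlocklistStatus {
    # Win32_DeviceGuard exposes the code-integrity state of the running OS.
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced.
    # SecurityServicesRunning contains 2 when HVCI (memory integrity) is on,
    # which is what makes the built-in blocklist an enforced policy.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $enforcement = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
        0 { 'Off' } 1 { 'Audit' } 2 { 'Enforced' } default { 'Unknown' }
    }

    # Built-in blocklist policy file, where the OS ships one; its timestamp is a
    # quick indicator of when it was last serviced. (Filename per Microsoft docs;
    # absent on some builds, so tolerate a miss.)
    $builtIn = Get-Item "$env:windir\System32\CodeIntegrity\driversipolicy.p7b" -ErrorAction SilentlyContinue

    # Registry toggle behind the "Microsoft Vulnerable Driver Blocklist" switch in
    # Windows Security > Device security > Core isolation (Windows 11 22H2+).
    $toggle = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
        -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue

    [pscustomobject]@{
        KernelPolicyEnforcement = $enforcement
        HvciRunning             = ($dg.SecurityServicesRunning -contains 2)
        BlocklistToggle         = if ($null -ne $toggle) { [bool]$toggle.VulnerableDriverBlocklistEnable } else { 'NotPresent' }
        BuiltInPolicyFile       = if ($builtIn) { $builtIn.FullName } else { 'NotFound' }
        BuiltInPolicyWritten    = if ($builtIn) { $builtIn.LastWriteTime } else { $null }
    }
}

function Get-BlockedDriverEvents {
    param([int]$MaxEvents = 50)
    # Code Integrity operational log: 3077 = load blocked by an enforced policy,
    # 3076 = load that would have been blocked (audit mode). If a machine has
    # never blocked anything the query returns nothing rather than failing.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $mode = if ($_.Id -eq 3077) { 'Blocked' } else { 'AuditOnly' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = $mode
                Message = $_.Message
            }
        }
}

function Install-VulnerableDriverBlocklist {
    param(
        # Enforced (or audit) SiPolicy.p7b extracted from Microsoft's download
        # (https://aka.ms/VulnerableDriverBlockList at the time of writing).
        [Parameter(Mandatory)][string]$PolicyPath
    )
    # Single-policy format: the file is picked up from this fixed location.
    $dest = Join-Path $env:windir 'System32\CodeIntegrity\SiPolicy.p7b'
    Copy-Item -Path $PolicyPath -Destination $dest -Force

    $citool = Join-Path $env:windir 'System32\CiTool.exe'
    if (Test-Path $citool) {
        # Windows 11 22H2+: activate the policy immediately, no reboot required.
        & $citool --update-policy $dest
    } else {
        Write-Warning "CiTool.exe not found; reboot (or run Microsoft's WDAC policy refresh tool) to activate $dest"
    }
}

# Usage (hypothetical path for the downloaded policy):
Get-DriverBlocklistStatus
Get-BlockedDriverEvents -MaxEvents 10 | Format-Table -AutoSize
# Install-VulnerableDriverBlocklist -PolicyPath 'C:\Temp\VulnerableDriverBlockList\SiPolicy_Enforced.p7b'
```

Two caveats. If the status shows HVCI off and enforcement `Off`, the built-in blocklist file is not protecting you regardless of its age, which is exactly the situation the article describes. And if you already deploy your own WDAC policy, do not overwrite `SiPolicy.p7b` with Microsoft's file; merge the blocklist rules into your existing policy instead, or the copy above will replace the policy you rely on.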
For now, we'll have to wait and see how this one plays out. At the very least, things are now somewhat more secure with regard to BYOVD attacks, thanks to some dogged perseverance in the face of "this doesn't work".