Microsoft maintains a list of outdated and vulnerable drivers that threat actors can abuse to deliver viruses, ransomware, and other malware onto endpoints of their choice.
However, the list had last been updated in 2019. After two years of sitting idle, it has finally been updated, but not for all Windows users at once.
In a post on the company's blog, Microsoft said that the block list used by hypervisor-protected code integrity (HVCI) will, from now on, be updated once or twice a year.
More ways to update
“The block list is updated with every new major release of Windows, usually once or twice a year, including the Windows 11 2022 Update released in September 2022,” Microsoft said. “The latest blocklist is now also available to users of Windows 10 20H2 and Windows 11 21H2 as an optional update from Windows Update. Microsoft will occasionally roll out future updates through regular Windows services.”
The company also stated that users who always want the most recent driver block list can use Windows Defender Application Control (WDAC) to apply it. For convenience, the company has provided a download of the latest block list of vulnerable drivers, as well as instructions on how to apply it.
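As an added example, not taken from the article or from Microsoft's own instructions, the following PowerShell session checks whether HVCI is running on the machine, inspects the downloaded block-list policy, and stages it as a WDAC policy; the XML and output paths are assumed placeholders, and the session must be elevated.

```powershell
# Added example: verify HVCI status, then convert and stage the driver block list as a WDAC policy.
# Assumes the block-list XML downloaded from Microsoft was saved to $PolicyXml (placeholder path).
# Run from an elevated PowerShell session on Windows 10/11.

$PolicyXml = "C:\Temp\SiPolicy_Enforced.xml"   # placeholder: the XML from Microsoft's download
$PolicyBin = "C:\Temp\SiPolicy.p7b"            # placeholder: binary output written below

# 1. Is hypervisor-protected code integrity (memory integrity) actually running?
#    Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI is active.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$hvciRunning = $dg.SecurityServicesRunning -contains 2
"HVCI running: $hvciRunning"
if (-not $hvciRunning) {
    "Memory integrity is off; the block list still applies through WDAC, but enable HVCI for kernel enforcement."
}

# 2. Count the Deny rules so you know the size of what you are about to enforce.
[xml]$policy = Get-Content -Path $PolicyXml
$denyRules = @($policy.SiPolicy.FileRules.Deny)
"Deny rules in block list: $($denyRules.Count)"

# 3. Convert the XML to the binary form that Code Integrity consumes.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. Stage it as the single (legacy-format) WDAC policy. A reboot activates it.
$target = Join-Path $env:windir "System32\CodeIntegrity\SiPolicy.p7b"
Copy-Item -Path $PolicyBin -Destination $target -Force
"Policy staged at $target; reboot to apply."
```

After the reboot, blocked driver loads are recorded in the Microsoft-Windows-CodeIntegrity/Operational event log, which is where to look when a legitimate driver stops loading.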
Microsoft has been under a lot of criticism lately for the lack of updates to the vulnerable driver block list – mainly because the number of attacks using this method has skyrocketed.
This method is called Bring Your Own Vulnerable Driver (BYOVD), and it is pretty simple: a threat actor tricks the victim, usually through social engineering or phishing, into installing a Windows driver known to be vulnerable.
Because the driver is legitimately signed, it does not trigger any alarms from antivirus or endpoint protection services; it installs as if it were harmless. The driver's vulnerability then gives the attackers access to the device, which they can later use for whatever follow-on attack they see fit: ransomware, botnets, data mining, and so on.
Via: log