Microsoft is finally cutting down on this list of dodgy Windows drivers
After two years, HVCI is getting a fresh list
Microsoft keeps a list of old and vulnerable drivers, which threat actors can use to sneak viruses, ransomware, and other malware into endpoints of their choosing.
However, the last update was in 2019 - until now. After two years of sitting idly, the list has finally been updated - but not for all Windows users at once, though.
In an announcement published on the company blog, Microsoft said that the blocklist used by the hypervisor-protected code integrity (HVCI) tool will, from now on, be updated once or twice a year.
More ways to update
“The blocklist is updated with each new major release of Windows, typically 1-2 times per year, including most recently with the Windows 11 2022 update released in September 2022,” Microsoft said. “The most current blocklist is now also available for Windows 10 20H2 and Windows 11 21H2 users as an optional update from Windows Update. Microsoft will occasionally publish future updates through regular Windows servicing.”
Users who always want the latest update to the driver blocklist can use Windows Defender Application Control (WDAC) to apply the latest blocklist, the company further stated. For the sake of convenience, the company provided a download of the most up-to-date vulnerable driver blocklist, as well as instructions on how to apply it, found here.
Microsoft has been getting a lot of criticism lately for the lack of updates to the vulnerable driver blocklist - mainly because the number of attacks using this method skyrocketed.
The method is called Bring Your Own Vulnerable Driver (BYOVD), and it’s quite a simple thing: a threat actor would trick a victim, usually through social engineering or phishing, into downloading a Windows driver that’s known for being faulty.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Being a signed driver, it doesn’t trigger any antivirus or endpoint protection services alarms. It just installs like any other non-malicious thing. The driver, being flawed, gives the hackers access to the device, which they can later use for any other attack they see fit - ransomware, botnets, data exfiltration, etc.
- These are the best firewalls out there
Via: The Register
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.