A new report from Ars Technica claims that Microsoft has failed to protect Windows PCs from malicious drivers for nearly three years.
Although the company says that the Windows updates it releases periodically prevent malicious drivers from being loaded onto the system, Ars Technica found that those updates did not do what they were supposed to.
Because of this gap in blocking malicious drivers from Windows PCs, users are exposed to a specific type of attack called BYOVD, which stands for Bring Your Own Vulnerable Driver.
Drivers are the files that a PC's operating system uses to communicate with hardware, internal or external, such as printers, graphics cards and webcams.
Because drivers run inside the operating system kernel, Microsoft requires that every driver be signed and approved before it can be loaded, to ensure that only trusted drivers are used.
But if an approved driver contains a vulnerability, attackers can exploit it and gain access to the Windows kernel.
This has happened many times: last August, attackers used a vulnerable driver shipped with MSI Afterburner, a performance-tuning tool for MSI graphics cards, to deploy BlackByte ransomware.
The North Korean hacker group Lazarus also used a BYOVD attack against an aerospace industry employee in the Netherlands and a political journalist in Belgium in 2021, but this was not disclosed until late last month by security firm ESET.
Microsoft confirms the security of Windows computers
According to the Ars Technica report, Microsoft relies on a feature called HVCI (Hypervisor-Protected Code Integrity) to protect devices from malicious drivers, and says the feature is enabled by default on some Windows devices.
But Ars Technica and Will Dormann, a senior security analyst at security firm Analygence, confirmed that this feature does not provide enough protection against malicious drivers.
Dormann posted the following on Twitter last September:
The Microsoft Recommended Driver Blocking Rules page states that the Driver Blocking List "applies to" HVCI-enabled devices.
Yet there is an HVCI-enabled system here and one of the drivers in the block list (WinRing0) is happily loaded.
I don't believe in documents. https://t.co/7gCnfXYIys https://t.co/2IkBtBRhks pic.twitter.com/n4789lH5qy
– Will Dormann (@wdormann) September 16, 2022
In the thread he explains how he was able to load a driver on an HVCI-enabled machine even though that driver was on Microsoft's block list. He later found that Microsoft's block list had not been updated since 2019.
Microsoft did not respond to Dormann's findings except in a tweet from Jeffrey Sutherland:
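The check Dormann describes, as an added example that is not part of the Ars Technica report or of Dormann's own tooling: from an elevated PowerShell session, read the Device Guard status, list the kernel drivers that are currently running, and flag any whose service or file name matches a driver from the block list. The only driver name below, WinRing0, comes from the tweet above; the list variable and the output shape are this example's own, and the policy-file path is the standard location for a single deployed WDAC binary policy.

```powershell
# Added example, not code from the article or from Will Dormann.
# Requires an elevated PowerShell session on Windows 10/11.

# 1. Is HVCI (memory integrity) actually running, and is a code-integrity policy enforced?
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
$hvciRunning = $dg.SecurityServicesRunning -contains 2
# CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced
$ciEnforcement = $dg.CodeIntegrityPolicyEnforcementStatus

# 2. Is a manually deployed binary policy present? (standard single-policy WDAC path)
$policyPath = Join-Path $env:SystemRoot 'System32\CodeIntegrity\SiPolicy.p7b'
$policyPresent = Test-Path $policyPath

# 3. Which kernel drivers are loaded right now?
$loaded = Get-CimInstance -ClassName Win32_SystemDriver |
          Where-Object { $_.State -eq 'Running' }

# 4. Flag loaded drivers whose service name or file name matches a block-listed name.
# WinRing0 is the driver named in Dormann's tweet; extend this list (an assumption of
# this example) with the other names from Microsoft's published block list.
$SuspectDrivers = @('WinRing0')
$hits = foreach ($d in $loaded) {
    foreach ($s in $SuspectDrivers) {
        if ($d.Name -like "*$s*" -or $d.PathName -like "*$s*") { $d; break }
    }
}

[pscustomobject]@{
    HVCIRunning        = $hvciRunning
    CIPolicyEnforced   = ($ciEnforcement -eq 2)
    BinaryPolicyOnDisk = $policyPresent
    SuspectLoaded      = @($hits).Count
}
$hits | Select-Object Name, PathName, State | Format-Table -AutoSize
```

A result of HVCIRunning = True together with SuspectLoaded greater than zero reproduces the situation in the tweet: the hypervisor protection is on, but the block list that is supposed to "apply to" such devices is not actually stopping the driver. Note that the match is by name only; a renamed copy of a blocked driver would need a hash-based check against the block list instead.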
Thanks for all the feedback. We have updated the documents online and added a download with instructions to apply the binary version directly. We are also addressing issues with our maintenance process that prevented devices from receiving policy updates.
– Jeffrey Sutherland (@j3ffr3y1974) 6 October 2022
He said the problem had been fixed and also posted instructions on how to apply the updated block list manually.