A new report from Ars Technica says that Microsoft has failed to protect Windows PCs from malicious drives for nearly three years.
Although the company says that Windows updates that it releases periodically prevent malicious drives from downloading to the system, Ars Technica found that those updates did not do so as they should.
Because of this shortcoming in preventing malicious drives from accessing Windows PCs, users are vulnerable to a specific type of attack called BYOVD, which stands for Bring Your Vulnerable Drive.
It is indicated that drives are the files that personal computer operating systems use to communicate with hardware, whether external or internal, such as: printers, graphics cards, webcam, and so on.
Because drives require the ability to access the kernel of a device’s operating system, Microsoft also requires, before allowing this, that all drives be approved, to ensure they are safe for use.
Related Topics What You’re Reading Right Now:
But if there is an approved drive, and it contains a vulnerability, hackers can exploit that and gain access to the Windows kernel.
This has happened many times. Last August, hackers installed BlackByte ransomware on a vulnerable drive used to boost the performance of MSI AfterBurner software for MSI graphics cards.
The North Korean hacking group Lazarus also launched a BYOVD attack on a Dutch aerospace industry employee and political journalist in Belgium in 2021, but the matter was not revealed until late last month by the information security company ESET.
Microsoft confirms protection of Windows computers
According to an Ars Technica report, Microsoft is using a special feature called HVCI, which stands for Hypervisor-Protected Code Integrity, to protect devices from malicious drives. It says that this feature is enabled by default on certain Windows devices.
But Ars Technica, and Will Dorman, a senior security analyst at the information security company Analygence, confirmed that this feature does not provide sufficient protection against malicious drives.
Dorman published it last September
The Microsoft recommended driver block rules page states that the driver block list “is applied to” HVCI-enabled devices.
Yet here is an HVCI-enabled system, and one of the drivers in the block list (WinRing0) is happily loaded.
I don’t believe the docs.https://t.co/7gCnfXYIys https://t.co/2IkBtBRhks pic.twitter.com/n4789lH5qy— Will Dormann (@wdormann) September 16, 2022
On Twitter he explains how he was able to download a malicious drive onto a HVCI enabled machine, even though the malicious drive was on Microsoft’s blacklist. Then he later found out that Microsoft’s blacklist had not been updated since 2019.
Microsoft did not respond to Dorman’s statement except in
Thanks for all the feedback. We have updated the online docs and added a download with instructions to apply the binary version directly. We’re also fixing the issues with our servicing process which has prevented devices from receiving updates to the policy.
— Jeffrey Sutherland (@j3ffr3y1974) October 6, 2022
It stated that it fixed the matter and also posted instructions on how to manually update the blacklist.