Microsoft has fixed the problem with the driver blocklist for Windows 10 after it emerged that the list had not been automatically updated on those systems for three years. Several attacks have been observed in the past year in which attackers install a vulnerable driver on the compromised system. The vulnerability in the driver lets attackers escalate their privileges further and, for example, disable security software.
The technique is called Bring Your Own Driver or Bring Your Own Vulnerable Driver (BYOVD). To protect Windows computers from vulnerable drivers, Windows 10, Windows 11, and Windows Server 2016 and newer have a blocklist that is updated via Windows Update. The list names vulnerable drivers that Windows will refuse to load. However, the automatic list update on Windows 10 had not happened for three years, security researcher Will Dormann discovered.
More than a month after Dormann raised the issue on Twitter, Microsoft has now released an update that fixes it for Windows 10 machines with Hypervisor-protected Code Integrity (HVCI) enabled or running Windows in S mode. On Windows 11, the blocklist is enabled on all systems after installing the 2022 Update. Users can disable the blocklist on both Windows 10 and Windows 11.
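Because the Windows 10 blocklist is only enforced where HVCI (or S mode) is on, an administrator checking whether a machine was affected needs two facts: is HVCI running, and has the blocklist policy file actually been refreshed. The following PowerShell is an added example, not code from the article or from Microsoft. It assumes the blocklist ships as `driversipolicy.p7b` under `System32\CodeIntegrity` and that the `Win32_DeviceGuard` CIM class is available (Windows 10 1607 and later); the file's last-write time is used only as a rough indicator of staleness, not as the policy version.

```powershell
# Added example (not from the article): report HVCI / code-integrity state and
# inspect the Microsoft vulnerable driver blocklist policy file.
# Assumptions: blocklist lives at System32\CodeIntegrity\driversipolicy.p7b;
# Win32_DeviceGuard is present (Windows 10 1607+ / Windows 11).

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
$hvciRunning = $dg.SecurityServicesRunning -contains 2

# CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
$ciStatus = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
    0 { 'off' } 1 { 'audit' } 2 { 'enforced' } default { 'unknown' }
}

$policy = Join-Path $env:SystemRoot 'System32\CodeIntegrity\driversipolicy.p7b'
$policyInfo = if (Test-Path $policy) {
    $f = Get-Item $policy
    # A last-write time years in the past is the symptom the article describes:
    # the file Windows Update was supposed to refresh never changed.
    [pscustomobject]@{ Present = $true; LastWriteTime = $f.LastWriteTime; Size = $f.Length }
} else {
    [pscustomobject]@{ Present = $false; LastWriteTime = $null; Size = 0 }
}

[pscustomobject]@{
    HvciRunning             = $hvciRunning
    CodeIntegrityPolicy     = $ciStatus
    BlocklistFilePresent    = $policyInfo.Present
    BlocklistLastWriteTime  = $policyInfo.LastWriteTime
    BlocklistSizeBytes      = $policyInfo.Size
    # Without HVCI (or S mode) the Windows 10 blocklist is not enforced,
    # so a fresh policy file alone does not mean the machine is protected.
    BlocklistLikelyEnforced = ($hvciRunning -and $policyInfo.Present)
} | Format-List

# On Windows 11 22H2 and later, CiTool.exe lists the code-integrity policies
# that are actually loaded, which confirms the blocklist policy is active.
$citool = Join-Path $env:SystemRoot 'System32\CiTool.exe'
if (Test-Path $citool) { & $citool --list-policies }
```

Run it from an elevated PowerShell session. A machine where `HvciRunning` is `False` never enforced the Windows 10 blocklist in the first place, regardless of the file's age; the toggle the article mentions corresponds to the "Microsoft Vulnerable Driver Blocklist" switch under Core isolation in Windows Security.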