Windows 10 blocklist for vulnerable drivers hasn't been updated in three years


A blocklist that helps Windows 10 protect systems against attacks with vulnerable drivers has not been updated by Microsoft in at least three years, which leaves systems easier to attack. Several attacks have been observed in the past year in which attackers install a vulnerable driver on the system. The vulnerability in the driver then allows the attackers to escalate their privileges further and, for example, disable security software.

The technique is called Bring Your Own Driver or Bring Your Own Vulnerable Driver. To protect Windows computers from vulnerable drivers, Windows 10, 11 and Server 2016 and newer have a blocklist that is updated via Windows Update. The list includes vulnerable drivers that Windows will not load. However, the automatic list update on Windows 10 hasn't happened for three years, security researcher Will Dormann discovered.

According to Microsoft, the blocklist is used by default on Windows 10 systems with Hypervisor-Protected Code Integrity (HVCI) enabled. For Windows 11, this is the case after installing the 2022 Update. Dormann notified Microsoft, which acknowledges the problem and says it will come up with a solution, but exact details are lacking. For example, it is unclear how long the blocklist has not been updated and when the problem will be resolved. The documentation on the blocklist has, however, been updated and now explains how to download and install updates manually. Dormann has created a script that automates the download and installation of the blocklist.
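The two conditions the article describes, HVCI being enabled and the blocklist policy actually being current, can be checked locally by an administrator. The PowerShell script below is an added example written for this page; it is not Dormann's script and not code from Microsoft. It reads the Device Guard status, reports the age of the installed Code Integrity policy file, and lists recent driver-block events, so a defender can tell whether the blocklist is being enforced and how stale it is. The policy path, the 180-day threshold and the use of the policy file's timestamp as a staleness indicator are this script's assumptions, not values from the article.

```powershell
# Added example (not from the article, Microsoft or Dormann's script): a
# read-only audit for a Windows 10/11 host that answers two questions the
# article raises: is HVCI running, so the driver blocklist is enforced at all,
# and how old is the installed Code Integrity policy?
# Assumptions (labelled): the policy path and the age threshold below are this
# script's choices. The timestamp is a heuristic; a host using a custom WDAC
# policy may keep its policies under CodeIntegrity\CiPolicies\Active instead.

$PolicyPath = Join-Path $env:SystemRoot 'System32\CodeIntegrity\SiPolicy.p7b'
$MaxAgeDays = 180   # assumption: treat a policy older than ~6 months as stale

function Get-HvciStatus {
    # Win32_DeviceGuard lists the VBS services that are running; value 2 is HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        HvciRunning   = ($dg.SecurityServicesRunning -contains 2)
        # Code Integrity policy state: 0 = off, 1 = audit, 2 = enforced
        PolicyEnforce = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

function Get-BlocklistPolicyAge {
    if (-not (Test-Path $PolicyPath)) {
        return [pscustomobject]@{ Present = $false; LastWrite = $null; AgeDays = $null }
    }
    $item = Get-Item $PolicyPath
    [pscustomobject]@{
        Present   = $true
        LastWrite = $item.LastWriteTime
        AgeDays   = [int]((Get-Date) - $item.LastWriteTime).TotalDays
    }
}

function Get-RecentDriverBlocks {
    # Code Integrity logs event 3077 when an enforced policy blocks a driver
    # (3076 for audit-mode hits). Recent entries are evidence that a blocked
    # driver, possibly a BYOVD attempt, was stopped on this host.
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3077, 3076
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$hvci = Get-HvciStatus
$pol  = Get-BlocklistPolicyAge

if (-not $hvci.HvciRunning) {
    Write-Warning 'HVCI is not running: the vulnerable driver blocklist is not enforced on this host.'
}
if (-not $pol.Present) {
    Write-Warning "No Code Integrity policy found at $PolicyPath; the driver blocklist is not installed."
} elseif ($pol.AgeDays -gt $MaxAgeDays) {
    Write-Warning "Installed policy last written $($pol.LastWrite) ($($pol.AgeDays) days ago); refresh it from Microsoft's published blocklist (https://aka.ms/VulnerableDriverBlockList) following the WDAC documentation."
} else {
    Write-Output "Blocklist policy present, last written $($pol.LastWrite)."
}

Get-RecentDriverBlocks | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so the Code Integrity event log is readable. The file timestamp is only an approximation of policy age: a manual install of Microsoft's published blocklist copies the file anew, so the date reflects when it was installed, not when Microsoft last revised the list. The event query is the detection half of the picture; a 3077 entry naming a known vulnerable driver means the blocklist did its job, while a host with HVCI off will never produce one.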