According to a report, Microsoft failed to properly protect Windows PCs for nearly three years. Ars Technica found that Microsoft's Windows updates never stuck, despite the company's claims.
Users were left exposed to BYOVD (bring your own vulnerable driver) attacks because of the gaps in coverage. Drivers are the files Windows uses to communicate with hardware devices. Microsoft requires all drivers to be digitally signed as proof that they can be trusted. If a legitimately signed driver has a security hole, it can be exploited to gain access to Windows.
Several of these attacks have been carried out in the wild. BlackByte ransomware exploited a vulnerable driver shipped with the MSI Afterburner utility. Cybercriminals exploited a vulnerability in a game's anti-cheat driver. The North Korean hacking group Lazarus waged a BYOVD attack on two people, one of whom was a political journalist in Belgium.
According to Ars Technica, Microsoft uses a feature called hypervisor-protected code integrity (HVCI) that is supposed to protect against malicious drivers, and the company says it comes enabled by default on certain Windows devices. Will Dormann, a senior vulnerability analyst at Analygence, found that this feature did not provide enough protection against malicious drivers.
Even though the driver was on Microsoft's blocklist, Dormann was able to download it on an HVCI-enabled device. He found that Microsoft was not protecting against the malicious drivers it had already identified and that the blocklist had not been updated in a long time. Devices with HVCI had gone unprotected against bad drivers for three years.
Earlier this month, Microsoft addressed Dormann's findings. The online docs have been updated and download instructions have been added, according to the project manager. Problems with the servicing process had prevented devices from receiving the updated policy. Microsoft has published instructions for manually updating the blocklist with vulnerable drivers that had been missing for years, but it is not clear when Microsoft will start adding new drivers to the list through Windows updates.
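Because the report's point is that HVCI being "on" did not mean the driver blocklist was actually current, a defender's first check is whether HVCI is running and whether an enforced code-integrity policy is present and recent. The following PowerShell is an added example, not code from Ars Technica, Dormann or Microsoft; it assumes the single-policy file location (%windir%\System32\CodeIntegrity\SiPolicy.p7b, as used by Microsoft's manual-update instructions) and a stale-age threshold of 180 days, both of which are assumptions. Systems using the multiple-policy format keep policies under CodeIntegrity\CiPolicies\Active instead, so adjust PolicyPath there.

```powershell
# Added example: report HVCI state and the age of the code-integrity policy file.
function Get-DriverBlocklistStatus {
    [CmdletBinding()]
    param(
        # Assumed location of the WDAC policy that carries the recommended driver block rules.
        [string]$PolicyPath = (Join-Path $env:windir 'System32\CodeIntegrity\SiPolicy.p7b'),
        # Assumed threshold: a policy file older than this is flagged as stale.
        [int]$StaleAfterDays = 180
    )

    # Win32_DeviceGuard exposes VBS/HVCI state. SecurityServicesRunning contains 2 when
    # HVCI (memory integrity) is running; CodeIntegrityPolicyEnforcementStatus is 2 when
    # a kernel-mode code-integrity policy is enforced (1 = audit only, 0 = off).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    $hvciRunning    = @($dg.SecurityServicesRunning) -contains 2
    $policyEnforced = $dg.CodeIntegrityPolicyEnforcementStatus -eq 2

    # Age of the policy file is a rough proxy for how current the blocklist is.
    $policyPresent = Test-Path -LiteralPath $PolicyPath
    $policyAgeDays = $null
    if ($policyPresent) {
        $lastWrite     = (Get-Item -LiteralPath $PolicyPath).LastWriteTimeUtc
        $policyAgeDays = [int]((Get-Date).ToUniversalTime() - $lastWrite).TotalDays
    }

    [pscustomobject]@{
        HvciRunning          = $hvciRunning
        KernelPolicyEnforced = $policyEnforced
        PolicyPath           = $PolicyPath
        PolicyPresent        = $policyPresent
        PolicyAgeDays        = $policyAgeDays
        # HVCI on but no enforced policy, or an old policy file, is the gap the report describes.
        LikelyUnprotected    = (-not $hvciRunning) -or (-not $policyEnforced) -or
                               (-not $policyPresent) -or ($policyAgeDays -gt $StaleAfterDays)
    }
}

Get-DriverBlocklistStatus | Format-List
```

A result of HvciRunning = True with LikelyUnprotected = True is exactly the situation the report describes: the feature is on, but the block rules it relies on are missing or stale.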
A Microsoft spokesman said in a statement that there has been a gap in synchronization between OS versions, which will be fixed in upcoming and future Windows updates. New updates will be posted on the documentation page. Microsoft did not immediately reply.