Computer exam | Microsoft’s flaw leaves millions of computers vulnerable
For nearly two years, Microsoft has left millions of computers vulnerable to attacks using a technique known as BYOVD, bring your own vulnerable driver. Over that period, company officials said Windows was prepared to defend against attacks carried out this way, but the operating system did not keep its list of blocked drivers up to date. The technique allows attackers to bypass Windows kernel protections, gain a higher level of access, and then attack the system from the kernel.
Drivers are pieces of software that make peripheral devices such as cameras or printers work with the operating system, or that report on the functioning of the hardware. To do their job, drivers usually require direct access to the kernel, the core of the operating system where the most sensitive code runs. To protect this area, Microsoft requires that all drivers carry a verified digital signature confirming that they were reviewed and come from a legitimate source. Even these legitimate drivers can contain memory corruption vulnerabilities that allow malicious code to be injected into the kernel. When the manufacturer patches such a driver, the older version remains signed and loadable, which is what makes it useful to attackers.
The BYOVD method has been known for at least a decade, but there has recently been a new wave of attacks using it, from North Korean hackers of the Lazarus Group to criminals who install ransomware. Cybersecurity companies such as Eclypsium and ESET have long published detailed accounts of incidents in which this type of attack occurred, naming the victims and describing what happened.
Microsoft has built defenses into Windows to stop signed but vulnerable drivers from being loaded. The most common is memory integrity, also known as HVCI (hypervisor-protected code integrity); another is an Attack Surface Reduction (ASR) rule. The first was presented in March 2020 as a global solution against BYOVD attacks, and its description reads: “threat research teams constantly monitor the threat ecosystem and update the list of drivers that are blocked. Block lists are sent to devices via Windows Update.” Vice President David Weston tweeted a few months later: “Security vendors will tell you to buy their solutions, but Windows has what it takes to block.”
An Ars Technica investigation into the Lazarus hackers’ modus operandi, however, shows that the automatic updates Microsoft announced were not happening. Cybersecurity experts confirmed that, in lab conditions, they were able to install a vulnerable Dell driver identical to the one the hackers used as their means of entry, even with HVCI enabled. Further analysis showed that some drivers already known to be dangerous were missing from the most recent blocklists, and Will Dormann, a senior analyst, found that the list had not been updated since 2019.
Faced with this revelation, Microsoft initially refused to comment, but later a project manager at the company admitted that something had gone wrong in the process of updating the list. The official said, however, that the company was correcting the update delivery process. In parallel, Microsoft released a tool that allows users to force the update themselves instead of waiting for the automated process.
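Because the article’s point is that the blocklist can silently lag behind, an administrator wants a way to see what state their own machine is actually in rather than trusting the announcement. The PowerShell script below is an added example, not code from the article, Ars Technica or Microsoft. It reads the HVCI state from the `Win32_DeviceGuard` CIM class, reads the vulnerable-driver blocklist policy toggle from the registry (the value name `VulnerableDriverBlocklistEnable` under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config` is assumed here from Microsoft’s public documentation), and lists the running kernel drivers that are not signed by Microsoft so they can be compared against the vendor and Microsoft blocklists. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the article or Microsoft): report the state of the
# protections the article describes and inventory non-Microsoft kernel drivers
# currently running on this machine.

function Get-HvciState {
    # Win32_DeviceGuard exposes VBS/HVCI status. A value of 2 in
    # SecurityServicesRunning means HVCI (memory integrity) is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus   = $dg.VirtualizationBasedSecurityStatus   # 2 = running
        HvciRunning = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-VulnerableDriverBlocklistState {
    # Assumption: the policy toggle lives at this registry location. When the
    # value is absent the system default applies (on when HVCI is on).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' `
                            -ErrorAction SilentlyContinue
    if ($null -eq $val) { return 'not set (system default)' }
    if ($val.VulnerableDriverBlocklistEnable -eq 1) { 'enabled' } else { 'disabled' }
}

function Resolve-DriverPath([string]$pathName) {
    # Win32_SystemDriver reports paths in several forms: "\??\C:\...",
    # "\SystemRoot\System32\drivers\x.sys", or a path relative to the Windows
    # directory. Normalise them to a plain file-system path.
    $p = $pathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-ThirdPartyRunningDrivers {
    # Running kernel drivers whose Authenticode signer is not Microsoft. The
    # signature only says who signed the file, not whether this version is on
    # a blocklist; the Name/Path/Signer columns are what you compare against
    # the published lists.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (Test-Path $path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    Signer = $sig.SignerCertificate.Subject
                    Status = $sig.Status
                }
            }
        } |
        Where-Object { $_.Signer -notmatch 'O=Microsoft Corporation' }
}

Write-Host 'HVCI / VBS state:'
Get-HvciState | Format-List
Write-Host "Vulnerable driver blocklist policy: $(Get-VulnerableDriverBlocklistState)"
Write-Host 'Running non-Microsoft kernel drivers:'
Get-ThirdPartyRunningDrivers | Format-Table -AutoSize
```

The script deliberately reports, rather than decides: a third-party driver with a valid signature is exactly the case the article describes, so the output is a starting point for comparison against a current blocklist, not a verdict.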
The company’s response to the issue was evasive, with employees ignoring or deflecting the subject when questioned by experts in the field, until a spokesperson finally admitted that “the list of vulnerable drivers is regularly updated, but we have received feedback that there is a failure of synchronization between different versions of the operating system. We have fixed this and it will be fixed in future Windows updates. The documentation page will be updated as these fixes are released.”
Read the full Ars Technica investigation here.