Microsoft addresses outdated driver blocklist issue in October 2022 preview updates

In September, a security vulnerability expert discovered Microsoft’s outdated vulnerable driver blocklist, resulting in users being exposed to Bring Your Own Vulnerable Driver (BYOVD) attacks by making Window’s hypervisor-protected code integrity (HVCI) feature irrelevant even when activated. It took the company weeks to come up with a solution for the issue, but it finally arrived in its October 2022 preview updates.

The problem happens due to the synching issues of Windows kernel vulnerable driver blocklist to older Windows system versions. In a nutshell, the list should contain all the updated drivers with vulnerabilities to prevent them from being installed on a user’s machine. Having such problematic drivers can cause problems, especially if they are introduced by threat actors who want to access the user’s system to take control of the device. However, while this is the main function of HVCI, the failure to update the driver blocklist directly makes the security protection feature unhelpful. Even more, Will Dormann, the Analygence security analyst that uncovered the issue, said that the “file was last modified on Dec 12, 2019.” This affected up-to-date Windows 10 and Windows Server systems even if they were updated, exposing them to possible threats for years.

“The vulnerable driver list is regularly updated, however we received feedback there has been a gap in synchronization across OS versions,” a Microsoft spokesperson told Ars Technica when the news first broke. “We have corrected this and it will be serviced in upcoming and future Windows Updates. The documentation page will be updated as new updates are released.”

The promised fix arrived this October within the October 2022 preview updates. With this, the driver blocklist synching should now work in all affected systems. Specifically, this will make the list uniform across Windows 11 and 10 systems.