Microsoft's outdated driver blocklist exposed you to malware attacks for about 3 years

The Microsoft recommended driver block rules page states that the driver block list "is applied to" HVCI-enabled devices.
Yet here is an HVCI-enabled system, and one of the drivers in the block list (WinRing0) is happily loaded.
I don't believe the docs.https://t.co/7gCnfXYIys https://t.co/2IkBtBRhks pic.twitter.com/n4789lH5qy

— Will Dormann (@wdormann) September 16, 2022

Microsoft is constantly offering new security products and updates promising better protection for its users against possible cybercriminal attacks. However, in an unexpected turn of events, the website Ars Technica uncovered a huge revelation, saying Windows PCs have been actually left unprotected for the last three years from malicious drivers due to an outdated vulnerable driver blocklist and inefficient security protection features.

Drivers are essential files of every individual’s Windows PC to work properly with other devices, such as graphics cards, printers, webcams, and more. When installed, this gives them access to your machine’s operating system, making the digital signs in them important to ensure they are safe to use. This also gives customers assurance that no security holes are present within the drivers, which can cause security exploitation on Windows devices that could possibly give bad actors access to the system.

Part of Windows updates is adding those malicious drivers to its own blocklist to prevent other users from accidentally installing them in the future. Another tool Microsoft is using to add a layer of protection to avoid that is by using a feature called hypervisor-protected code integrity (HVCI), also called Memory Integrity, which ensures the drivers installed are safe to prevent bad actors from putting malicious codes into a user’s system. Recently, Microsoft stressed in a post that this feature, together with Virtual Machine Platform, is enabled by default for protection. The company noted that users have the option to disable it after verifying that they affect the game performance of the system (though Microsoft also mentioned turning it back on after playing games). However, these suggestions turned out to be pointless after Ars Technica discovered that the HVCI feature doesn’t actually provide the full protection expected from it against malicious drivers.

Prior to Ars Technica’s report, security vulnerability expert Will Dormann at cybersecurity company Analygence shared the result of his own test, showing the issue has been known publicly since September. 

“The Microsoft recommended driver block rules page states that the driver block list ‘is applied to’ HVCI-enabled devices,” Dormann tweeted. “Yet here is an HVCI-enabled system, and one of the drivers in the block list (WinRing0) is happily loaded. I don’t believe the docs.”

In the thread of tweets, Dormann also shared that the list hasn’t been updated since 2019, which means users have been unprotected from problematic drivers for the past years despite using HVCI, exposing them to “bring your own vulnerable driver” or BYOVD attacks.

“Microsoft Attack Surface Reduction (ASR) can also block drivers and the lists are in sync with the HVCI-enforced driver block list,” Dormann added. “Except… in my testing it doesn’t block a thing.”

Interestingly, although the issue has been known since September, Microsoft only addressed it through project manager Jeffery Sutherland this October.

“We have updated the online docs and added a download with instructions to apply the binary version directly,” Sutherland replied to Dormann’s tweet. “We’re also fixing the issues with our servicing process which has prevented devices from receiving updates to the policy.”

Microsoft also admitted the flaw to Ars Technica recently through a company representative. “The vulnerable driver list is regularly updated, however we received feedback there has been a gap in synchronization across OS versions,” the spokesperson told the website. “We have corrected this and it will be serviced in upcoming and future Windows Updates. The documentation page will be updated as new updates are released.”

On the other hand, while Microsoft has already provided instructions on how to manually update the vulnerable driver blocklist, it is still unclear when it will be done automatically by Microsoft through updates.