A Windows blocklist which Microsoft boasted would protect machines from vulnerable drivers was not updated for many in almost three years, security researcher Will Dormann has revealed.
Current versions of Windows include the Hypervisor-protected Code Integrity (HVCI) feature, which Microsoft claimed would use a regularly-updated blocklist to prevent vulnerable drivers being installed or used in Windows. The Bring your own vulnerable driver (BYOVD) issue has been used by a number of criminal groups in recent years, including Slingshot, InvisiMole, RobbinHood and Lojax.
But Dormann’s investigation showed HVCI only uses the blocklist which was included in the version of Windows when it was installed – while the remote version is updated, Windows never automatically downloads the revised list. For a “fully patched” version of Windows 10 21H2, the driver block rules, version 10.0.19014.0, date from 12 December 2019. In Windows 11, the rules are up to version 10.0.21250.0, date unknown.
“What's concerning is that regardless of how many Windows Updates happen, the code integrity policy on a Win10 machine is at least 2 years old. That is, while HVCI-enabled systems will get the benefit of automatic driver blocking, the list never updates, so will be quite old,” Dormann posted on Twitter.
See also: Windows 11’s launch gets messy, as Microsoft pulls PC test tool
In a 2020 blog post, Microsoft claimed: “Microsoft threat research teams continuously monitor the threat ecosystem and update the list of drivers that in the Microsoft-supplied blocklist.
"This blocklist is pushed down to devices via Windows update.”
And in documentation about HVCI Microsoft explicitly claimed the driver block list would be applied to machines with HVCI enabled, according to a version of a page cached on 3 September 2022 by the Wayback Machine.
“Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem,” said the old version of the guide.
“Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices: Hypervisor-protected code integrity (HVCI) enabled devices; Windows 10 in S mode (S mode) devices.”
After Dormann posted his finding, Jeffrey Sutherland, principal program manager lead at Microsoft working on Windows security, said MS had “updated the online docs and added a download with instructions to apply the binary version directly”.
The current version of the guide has been rewritten to remove the reference to the block policy being “applied”. Instead Microsoft now says the list is only updated along with each major Windows version release:
“The blocklist is updated with each new major release of Windows. We plan to update the current blocklist for non-Windows 11 customers in an upcoming servicing release and will occasionally publish future updates through regular Windows servicing.”
Microsoft also offers an alternative way to update the blocklist manually via Windows Defender Application Control (WDAC) – but as Dormann noted, this may be unfamiliar to many sysadmins, and requires precise configuration. Otherwise an unwary administrator may end up blocking every single driver.
Ars Technica, which was the first outlet to write up Dormann’s findings, said Microsoft had declined to answer when their reporter Dan Goodin initially asked questions. The Stack has asked Microsoft for comment, and will update this article if any is received.
