Skip to main content

Microsoft’s out-of-date driver list left Windows PCs open to malware attacks for years

Microsoft’s out-of-date driver list left Windows PCs open to malware attacks for years


Microsoft pushed updates to its blocklist of malicious drivers to Windows devices, but for some reason, they never stuck

Share this story

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

A laptop surrounded by green and pink message boxes that say “warning.”
Photo by Amelia Holowaty Krales / The Verge

Microsoft failed to properly protect Windows PCs from malicious drivers for nearly three years, according to a report from Ars Technica. Although Microsoft says its Windows updates add new malicious drivers to a blocklist downloaded by devices, Ars Technica found these updates never actually stuck.

This gap in coverage left users vulnerable to a certain type of attack called BYOVD, or bring your own vulnerable driver. Drivers are the files your computer’s operating system uses to communicate with external devices and hardware, such as a printer, graphics card, or webcam. Since drivers can access the core of a device’s operating system, or kernel, Microsoft requires that all drivers are digitally signed, proving that they are safe to use. But if an existing, digitally-signed driver has a security hole, hackers can exploit this and gain direct access to Windows.

We’ve already seen several of these attacks carried out in the wild. In August, hackers installed BlackByte ransomware on a vulnerable driver used for the overclocking utility MSI AfterBurner. Another recent incident involved cybercriminals exploiting a vulnerability in the anti-cheat driver for the game Genshin Impact. North Korean hacking group Lazarus waged a BYOVD attack on an aerospace employee in the Netherlands and a political journalist in Belgium in 2021, but security firm ESET only brought it to light late last month.

As noted by Ars Technica, Microsoft uses something called hypervisor-protected code integrity (HVCI) that’s supposed to protect against malicious drivers, which the company says comes enabled by default on certain Windows devices. However, both Ars Technica and Will Dormann, a senior vulnerability analyst at cybersecurity company Analygence, found that this feature doesn’t provide adequate protection against malicious drivers.

In a thread posted to Twitter in September, Dormann explains that he was able to successfully download a malicious driver on an HVCI-enabled device, even though the driver was on Microsoft’s blocklist. He later discovered that Microsoft’s blocklist hasn’t been updated since 2019, and that Microsoft’s attack surface reduction (ASR) capabilities didn’t protect against malicious drivers, either. This means any devices with HVCI enabled haven’t been protected against bad drivers for around three years.

Microsoft didn’t address Dormann’s findings until earlier this month. “We have updated the online docs and added a download with instructions to apply the binary version directly,” Microsoft project manager Jeffery Sutherland said in a reply to Dormann’s tweets. “We’re also fixing the issues with our servicing process which has prevented devices from receiving updates to the policy.” Microsoft has since provided instructions on how to manually update the blocklist with the vulnerable drivers that have been missing for years, but it’s still not clear when Microsoft will start automatically adding new drivers to the list through Windows updates.

“The vulnerable driver list is regularly updated, however we received feedback there has been a gap in synchronization across OS versions,” A Microsoft spokesperson said in a statement to Ars Technica. “We have corrected this and it will be serviced in upcoming and future Windows Updates. The documentation page will be updated as new updates are released.” Microsoft didn’t immediately respond to The Verge’s request for comment.