security | DriverFinder - We Make Drivers Work for You

Vulnerable Windows Drivers Could Allow Device Takeover

In several earlier articles, we have mentioned that drivers are a critical component in any operating system. In Windows, kernel-level device drivers are loaded so that hardware devices can communicate with the operating system. Because device drivers run with such a high level of access, this access is secured by a number of safeguards.

Securing vulnerable Windows drivers

Device drivers need to be digitally signed before they are allowed to be installed (even though this can be disabled on some Windows versions). Drivers can also be tested by Microsoft to obtain WHQL certification (Windows Hardware Quality Labs). An advantage of WHQL drivers is that they are available through the Windows Update service.

Since the Windows 11 update in 2022, the Hypervisor-Protected Code Integrity (HVCI) security feature prevents vulnerable drivers from being installed. It is important to realize that this is based on a list of known vulnerable Windows drivers. So, anything unknown will not be on the list and will still be installed.

Recent Analysis Showed 34 Vulnerable Drivers

It is good to know that there are always people looking for vulnerabilities in order to help prevent their abuse. VMware recently released its findings on an automated, reverse-engineering-based approach to finding vulnerable Windows drivers. Details are in their blog post, but the results are quite daunting.

Finding that 34 Windows drivers have vulnerabilities is quite a large number. Most (30) are based on the Windows Driver Model (WDM), while some (4) use the Windows Driver Framework (WDF). Since some of these drivers include firmware access, one can imagine the kind of access and system takeover that exploitation of these vulnerabilities could allow.

Solutions to Fix Vulnerable Windows Drivers

Since most of these problems need to be fixed by correcting the flaws, or shortcomings, in the device driver software, vendors must update their drivers and release new versions.

This has happened in 2 of the mentioned cases (Phoenix Technologies fixed the TdkLib64.sys driver and AMD fixed the PDFWKRNL.sys driver).

But there are also suggestions that Microsoft could change how drivers are checked and loaded. The HVCI vulnerable driver list does not seem to be sufficient. It is suggested that blocking signed drivers whose certificate has been revoked would already block a third of the 34 drivers.

From a user perspective, it is important to keep your drivers up-to-date. Apart from using Windows Update, we recommend you use a program like DriverFinder to check for updates regularly.

Windows Security through Driver Block Rules

Many computers are used for critical tasks or to process sensitive data. To protect a system, especially a portable system, that is running Windows, Microsoft has several security features in the latest Windows releases. Most people know about Microsoft Defender and biometric access, but in Windows 10 and Windows 11, there is also something called driver block rules.

Are Drivers Dangerous?

Device drivers are not dangerous per se. But device drivers, like many other critical components of the Windows operating system, run at kernel level. That means that even if a driver is not malicious, a flaw in it can allow elevated access to the system.

Modern device drivers are all digitally signed, and often verified by Microsoft. In the latest Windows versions, unsigned drivers are not allowed to be installed unless special steps are taken to disable driver signature enforcement.

But even with a digital signature, there is no guarantee that the driver is completely safe. Signing certificates can be stolen (through hacks of hardware/software companies, like Nvidia recently).

Recent malware attacks have leveraged the vulnerabilities of drivers to compromise system security. It makes a lot of sense to increase the protection of these system components.

What are Driver Block Rules?

Driver block rules are a set of rules recommended by Microsoft to block drivers that are malicious or not trusted. Drivers can be submitted to Microsoft for review and analysis, and bad ones are added to the vulnerable driver blocklist. Hardware manufacturers and OEM partners play a big role in keeping the rules current and relevant.

How to use Driver Block Rules?

Microsoft includes a setting in the Windows Defender configuration to turn on this new feature, called Microsoft Vulnerable Driver Blocklist. Turning it on activates the protection.

Windows Driver Block Rules

This new feature is only activated by default on specific Windows editions: Windows 10 in S mode, and devices that have the Memory Integrity feature (Hypervisor-Protected Code Integrity, HVCI) enabled.

For Windows systems where S mode or HVCI is not possible, there is another option: a Windows Defender Application Control (WDAC) policy. Details about how to use WDAC and the list of rules can be found on the Microsoft website.

WDAC is all about preventing apps or processes from running at kernel level. Deploying the rules is something that will typically be done by organizations with IT staff to implement them.

Driver BlockList Limitations

Although the concept of the blocklist is good, the method strongly depends on the quality of the list. It was already found that the blocklist does not include all drivers that need to be blocked. Apparently new Windows versions were being issued a list from 2019! Microsoft has confirmed the issue and will address the problem in the Windows October updates to ensure the list is current and in sync across Windows 10 and Windows 11.

In addition, the blocklist is now on by default in Windows 11 (version 22H2). It also seems the option to disable the list is no longer present. Is Microsoft finally able to prevent the Blue Screens showing Stop errors caused by drivers?

For people still wanting to disable the list on Windows 11 version 22H2, there might be a workaround through the registry. But it is not an official and documented option.

Use the Registry Editor to find the following key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config]

And create a DWORD Value in it named VulnerableDriverBlocklistEnable with a data value of zero (0).
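To check whether the protections discussed in this section are actually active on a machine (and whether the registry override above has been applied), here is an added PowerShell audit script; it is not from the original article or from Microsoft. It reads the VulnerableDriverBlocklistEnable value under the CI\Config key, queries the Win32_DeviceGuard WMI class for HVCI and WDAC enforcement status, and flags running kernel drivers whose Authenticode signature does not verify. The property names and status codes are assumed from Microsoft's documentation of that class.

```powershell
# Added audit script (not from the original article): reports whether the
# Microsoft Vulnerable Driver Blocklist and HVCI are active on this machine.
# Assumes Windows 10/11 with PowerShell 5.1 or later, run from an elevated prompt.

$ciConfigPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$valueName    = 'VulnerableDriverBlocklistEnable'

# 1. Check the registry override the article describes. The value is normally
#    absent; an explicit 0 means someone has turned the blocklist off.
$override = Get-ItemProperty -Path $ciConfigPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $override) {
    Write-Output "Blocklist override value not present (default behaviour applies)."
} elseif ($override.$valueName -eq 0) {
    Write-Warning "Blocklist explicitly DISABLED via $valueName = 0; find out who set it."
} else {
    Write-Output "Blocklist value present and set to $($override.$valueName)."
}

# 2. Check HVCI and WDAC state via the Win32_DeviceGuard class (assumed property
#    semantics: SecurityServicesRunning contains 2 when HVCI is running;
#    CodeIntegrityPolicyEnforcementStatus is 0 = off, 1 = audit, 2 = enforced).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
if ($null -eq $dg) {
    Write-Warning "Could not query Win32_DeviceGuard (older OS or insufficient rights)."
} else {
    $hvciRunning = $dg.SecurityServicesRunning -contains 2
    Write-Output ("HVCI (memory integrity) running: {0}" -f $hvciRunning)
    Write-Output ("WDAC policy enforcement status: {0}" -f $dg.CodeIntegrityPolicyEnforcementStatus)
}

# 3. Inventory running kernel drivers whose Authenticode signature does not verify.
#    A status other than 'Valid' is a reason to look closer, not proof of a problem:
#    some inbox drivers are signed only through a catalog file.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'"
foreach ($d in $drivers) {
    # Normalise the kernel-style paths WMI reports (\??\C:\... and \SystemRoot\...)
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    if ($sig.Status -ne 'Valid') {
        Write-Warning ("{0}: signature status {1} ({2})" -f $d.Name, $sig.Status, $path)
    }
}
```

Run the script periodically or from a management tool; an unexpected `VulnerableDriverBlocklistEnable = 0` or a running driver with a non-valid signature is worth investigating on any machine that handles sensitive data.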

Copyright 2009 and Beyond - DriverFinderPro.com - All Rights Reserved