Windows 11 security ineffective against attacks on old device drivers, say researchers

34 vulnerable drivers could grant an attacker full control of a hardware device


Controls Microsoft rolled out to protect Windows 11 from hackers seeking to exploit security vulnerabilities in hardware device drivers are inadequate, security researchers at VMware claimed last week.

In every industry, companies are relying on old hardware devices operated by software drivers that the original developers no longer maintain, senior threat researcher Takahiro Haruyama said on the VMware security blog.

In 2022, having implemented sophisticated protections against device drivers whose software vulnerabilities left them open to hackers, Microsoft created a "banned list" of vulnerable drivers that it blocked from gaining access to the Windows operating system kernel. But this is "only effective if the vulnerable driver is known in advance," Haruyama wrote.

Microsoft still allows these unmaintained drivers, signed with outdated certificates but absent from the list, to load into the Windows kernel. "This creates a unique attack vector," added Haruyama.

Hackers could exploit these old drivers to gain privileged administrator rights to access secure parts of a Windows system, and potentially shut down protections.

VMware's Carbon Black Threat Analysis Unit has found 34 such vulnerable drivers that could give unprivileged users full control of a device. In the blog post, the researchers provide guidance on how users can identify vulnerable drivers in their own systems.

Microsoft has used the Windows hypervisor to protect systems from rogue device drivers since an update to Windows 10 in 2019.

By isolating a virtual environment from the rest of the operating system, and using it to check the integrity of device drivers and other code running in the OS kernel, it hardened systems against attack. It ensured the integrity of code running in computer memory by running that code only in the virtual environment. Microsoft dubbed this virtualisation-based security (VBS).

It rolled the same protections out with Windows 11 and Windows Server 2016 as well, Microsoft said.

But, Microsoft warned in March, not all drivers are compatible with its secure system, even though that has been a requirement since March 2019.

Microsoft found incompatible drivers in banking password systems, input devices and computer game plugins.
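As an added illustration that is not part of this article or of VMware's post, the following PowerShell inventories the three controls the article discusses on a Windows 11 host: whether VBS and HVCI are running, whether Microsoft's vulnerable driver blocklist is switched on, and which running kernel drivers carry a signing certificate that has already expired. It assumes an elevated prompt and the standard Win32_DeviceGuard and Win32_SystemDriver CIM classes plus the CI\Config registry value; the expiry list is a review list rather than a verdict, since an expired but timestamped Authenticode signature is still valid.

```powershell
# Added example (not VMware's or Microsoft's code). Run from an elevated PowerShell prompt.

# 1. Is virtualisation-based security running, and is HVCI (kernel code integrity) among its services?
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 2 = running
$hvciRunning = ($dg.SecurityServicesRunning -contains 2)       # 2 = hypervisor-enforced code integrity
"VBS running : $vbsRunning"
"HVCI running: $hvciRunning"

# 2. Is Microsoft's vulnerable driver blocklist enabled? (It only covers drivers already on the list.)
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
"Vulnerable driver blocklist enabled: $($ci.VulnerableDriverBlocklistEnable -eq 1)"

# 3. Which running kernel drivers are signed with a certificate that has already expired?
#    The blocklist does not stop an unknown driver, so old signatures are worth a manual review.
$stale = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise the path forms the service database uses: \??\C:\..., \SystemRoot\..., system32\...
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path   # embedded or catalog signature
            [pscustomobject]@{
                Driver   = $_.Name
                Path     = $path
                Status   = $sig.Status            # Valid even if the cert expired after a timestamped signing
                SigType  = $sig.SignatureType     # Authenticode (embedded) or Catalog
                Signer   = $sig.SignerCertificate.Subject
                NotAfter = $sig.SignerCertificate.NotAfter
            }
        }
    } |
    Where-Object { $_.NotAfter -and $_.NotAfter -lt (Get-Date) } |
    Sort-Object NotAfter

$stale | Format-Table Driver, Status, SigType, NotAfter, Signer -AutoSize
```

Drivers that appear here with Status Valid and SigType Authenticode and an old NotAfter date are the pattern the article describes: still loadable, signed under a certificate that is no longer current, and unaffected by the blocklist unless Microsoft has already listed them.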

Microsoft told Computing it did not wish to comment on the issue.