New Windows Security Feature Blocks Vulnerable Drivers

Source: https://cobaltstrike.net/2022/03/29/new-windows-security-feature-blocks-vulnerable-drivers/



Microsoft has provided Windows users with the ability to block drivers with vulnerabilities using Windows Defender Application Control (WDAC) and a “blacklist” of vulnerable drivers.

The new option is part of the Core Isolation security suite for devices using virtualization-based security. The feature works on devices running Windows 10, Windows 11 and Windows Server 2016 and later with the Hypervisor-Protected Code Integrity (HVCI) feature enabled, as well as on systems running Windows 10 in S-mode.

The WDAC software security layer, which blocks vulnerable drivers, protects Windows systems from potentially malicious software, ensuring that only reliable drivers and applications run.

The “blacklist” of vulnerable drivers used by the new Windows security option is updated with the help of independent hardware vendors (IHV) and original equipment manufacturers (OEM).

WDAC protects Windows systems from drivers developed by third-party manufacturers with any of the following attributes:

  • Known security vulnerabilities that attackers can use to elevate privileges in the Windows kernel.

  • Malicious behavior (malware) or certificates used to sign malware.

  • Actions that are not malicious, but bypass the Windows security model and can be used by attackers to elevate privileges in the Windows kernel.

The “Microsoft Vulnerable Driver Blacklist” option can be enabled in the “Windows Security” > “Device Security” > “Kernel Isolation” section. Once enabled, it locks certain drivers based on their SHA256 hash, file attributes such as file name and version number, or the code signing certificate used to sign the driver.

Start a discussion …