Microsoft fixes Windows vulnerable driver blocklist sync issue

Microsoft says it has resolved an issue that was preventing the Windows kernel vulnerable driver blocklist from being synced to systems running older versions of Windows. This blocklist (stored in the DriverSiPolicy.p7b file) is intended to prevent threat actors from dropping legitimate but vulnerable drivers on targets’ systems during Bring Your Own Vulnerable Driver (BYOVD) attacks on HVCI-enabled Windows machines or those running Windows in S Mode. The flaws in the drivers are then used to escalate privileges in the Windows kernel and execute malicious code, disabling security solutions and taking control of the device. This is a well-known and popular attack technique among threat actors of all skill levels, ranging from ransomware gangs to state-sponsored hacking groups. Read More…