15 October 2022

BYOVD


Uff! Oops!"...Microsoft is acutely aware of the BYOVD threat and has been working on defenses to stop these attacks, mainly by creating mechanisms to stop Windows from loading signed-but-vulnerable drivers. The most common mechanism for driver blocking uses a combination of what's called memory integrity and HVCI, short for Hypervisor-Protected Code Integrity. A separate mechanism for preventing bad drivers from being written to disk is known as ASR, or Attack Surface Reduction.


Unfortunately, neither approach seems to have worked as well as intended..."

15 hours ago · The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to ...
11 hours ago · The malware technique—known as BYOVD, short for “bring your own vulnerable driver”—makes it easy for an attacker with administrative control to ...
The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to bypass Windows ...
13 hours ago · The technical malware—known as BYOVD, short for “bring your own vulnerable driver”—makes it easy for an attacker with administrative control to ...
14 hours ago · The malware technique—known as BYOVD, short for “bring your own vulnerable driver”—makes it easy for an attacker with administrative control to ...
23 hours ago · News Summary: Microsoft said Windows automatically blocked dangerous drivers. It didn't. - Ars Technica (United States)


arstechnica.com

How a Microsoft blunder opened millions of PCs to potent malware attacks

by Dan Goodin - Oct 14, 2022 4:26 pm UTC 
Dan Goodin / Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications.
5 - 6 minutes

Microsoft said Windows automatically blocked dangerous drivers. It didn'

"For almost two years, Microsoft officials botched a key Windows defense, an unexplained lapse that left customers open to a malware infection technique that has been especially effective in recent months.

Microsoft officials have steadfastly asserted that Windows Update will automatically add new software drivers to a blocklist designed to thwart a well-known trick in the malware infection playbook. The malware technique—known as BYOVD, short for "bring your own vulnerable driver"—makes it easy for an attacker with administrative control to bypass Windows kernel protections. Rather than writing an exploit from scratch, the attacker simply installs any one of dozens of third-party drivers with known vulnerabilities. Then the attacker exploits those vulnerabilities to gain instant access to some of the most fortified regions of Windows.

It turns out, however, that Windows was not properly downloading and applying updates to the driver blocklist, leaving users vulnerable to new BYOVD attacks.

As attacks surge, Microsoft countermeasures languish

Drivers typically allow computers to work with printers, cameras, or other peripheral devices—or to do other things such as provide analytics about the functioning of computer hardware. For many drivers to work, they need a direct pipeline into the kernel, the core of an operating system where the most sensitive code resides. For this reason, Microsoft heavily fortifies the kernel and requires all drivers to be digitally signed with a certificate that verifies they have been inspected and come from a trusted source.

Even then, however, legitimate drivers sometimes contain memory corruption vulnerabilities or other serious flaws that, when exploited, allow hackers to funnel their malicious code directly into the kernel. Even after a developer patches the vulnerability, the old, buggy drivers remain excellent candidates for BYOVD attacks because they’re already signed. By adding this kind of driver to the execution flow of a malware attack, hackers can save weeks of development and testing time.

BYOVD has been a fact of life for at least a decade . . .

Entire blog posts have been devoted to enumerating the growing instances of BYOVD attacks, with this post from security firm Eclypsium and this one from ESET among the most notable.

 

Microsoft is acutely aware of the BYOVD threat and has been working on defenses to stop these attacks, mainly by creating mechanisms to stop Windows from loading signed-but-vulnerable drivers. The most common mechanism for driver blocking uses a combination of what's called memory integrity and HVCI, short for Hypervisor-Protected Code Integrity. A separate mechanism for preventing bad drivers from being written to disk is known as ASR, or Attack Surface Reduction. . .

Stay safe

For now, people should make sure they have driver blocking turned on with the latest blocklist installed using either Microsoft's instructions or Dormann's PowerShell script. People should also await further updates from Microsoft about if and when driver blocklists will automatically be updated through the Windows Update mechanism.

In the longer term, Microsoft's leadership will hopefully recognize the ways that its company culture is becoming increasingly insular and defensive. Had it not been for Dormann and other researchers, like Kevin Beaumont and Brian in Pittsburgh, reporting the problems they were having with driver blocklist updates, Microsoft still might not understand what had gone wrong.

In many cases, these critics know Microsoft products better than executives like Weston. Instead of portraying the critics as uninformed complainers, Microsoft should publicly embrace them—and provide more actionable guidance they and others can use to make the Internet safer.

Another approach


The Microsoft instructions linked above work, but they’re written for admins who may need to test the blocklist before actually enforcing it. This flexibility is great for people responsible for ensuring they don't cripple big fleets of devices; for average users, it creates unnecessary complexity that may cause them to give up.

To address this, Dormann has created and published a script that normal (i.e., non-enterprise) users will likely find easier to use than Microsoft’s convoluted method. Dormann’s script runs in PowerShell, the command-line shell that's built into Windows. As with any PowerShell script you find on the Internet, be mindful of running this on any computer you care about. It worked for us, but we can't vouch for its effectiveness on every system."

READ MORE ^ 

VIDEOS 

No comments:

The Complete Bart Simpson Timeline