Microsoft takes action to eliminate potential Windows 11 vulnerability

Laptop user with Android apps running in Windows 11
(Image credit: diy13 / Shutterstock / Microsoft)

Windows users can now block compromised drivers, using Windows Defender Application Control (WDAC) and a list of known vulnerable drivers. 

According to a BleepingComputer report, the new option is part of the Core Isolation set of security features, designed for endpoints with virtualization-based security. 

Windows 10, Windows 11, and Windows Server 2016 and newer will all benefit from the new offering. Hypervisor-protected code integrity (HVCI) needs to be enabled, while Windows 10 systems need to be in S mode, it was added. 

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

Looking for known malicious activities

To be accepted, the drivers need to be trusted, and not end up on the vulnerable driver blocklist. This blocklist will be kept up to date by independent hardware vendors and original equipment manufacturers.

Developers can also submit their drivers for analysis via the Microsoft Security Intelligence Driver Submission page.

The new feature will look for known vulnerabilities that result in escalation of privileges, as well as behavior that tries to circumvent the Windows Security Model.

The drivers that end up on the blocklist will be banned based on their SHA256 hash, file names, version numbers, as well as the certificate used to sign the code. And users can toggle the Microsoft Vulnerable Driver Blocklist from Windows Security > Device Security > Core isolation.

However, the move also means some legitimate software might not work.

"Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen," Microsoft said. "It's recommended to first validate this policy in audit mode and review the audit block events."

“Microsoft recommends enabling HVCI or S mode to protect your devices against security threats,” the advisory concludes. “If this isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy.” 

Supply chain attacks are a common occurrence these days. Threat actors often use software updates to distribute potent viruses, such as in the case of SolarWinds. Driver updates could potentially be used for the same purpose.

Via BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.