News

Microsoft Sets Up Vulnerable and Malicious Driver Reporting Center

• By Kurt Mackie
• 12/08/2021

Microsoft on Wednesday announced the availability of a new "Vulnerable and Malicious Driver Reporting Center," which lets anyone direct Microsoft's attention toward drivers with suspect behaviors.

The center is really just an online form that asks users to submit a driver file for investigation, up to 50MB in size for x86 and x64 architectures. The form contains sufficiently detailed questions that it doesn't seem designed for the general public. Possibly it's intended for use by security researchers and the makers of drivers for Windows systems.

Unfortunately, though, Microsoft isn't now crediting submitters should vulnerable drivers be found in a sample sent via the driver reporting center.

"This program [via the driver reporting center] is currently not eligible for the Microsoft Security Response Center’s Bug Bounty program," the announcement indicated.

Driver Scanning
When a driver is submitted, it gets scanned and "flagged for analysis and investigation by Microsoft’s Vulnerable Driver team." That team will work with the publisher of the driver to patch any vulnerability found. The patched driver then gets redistributed through Microsoft's Windows Update service. Microsoft also blocks distributing the vulnerable driver in the meantime.

The driver reporting center would seem to be an unnecessary measure because Microsoft already has a driver vetting process established with its partners. However, it seems that vulnerabilities still get through, even with this vetting process.

Here's how Microsoft characterized it:

Vulnerable driver attack campaigns target security vulnerabilities in well-intentioned drivers from trusted original equipment manufacturers (OEMs) and hardware vendors to gain kernel privileges, modify kernel signing policies, and load their malicious unsigned driver into the kernel. In some cases, these unsigned drivers will disable antivirus products to avoid detection. From there, ransomware, spyware, and other types of malware can be executed.

"RobinHood, Uroburos, Derusbi, GrayFish and Sauron" malware all leveraged driver vulnerabilities, Microsoft noted.

Microsoft Defender for Endpoint Perks
Much of the rest of Microsoft's announcement touted the benefits of using Microsoft Defender for Endpoint, which, under E3 and E5 subscriptions, lets organizations set up attack surface reduction rules to "block malicious and vulnerable drivers."

A Microsoft document stated that "although attack surface reduction rules don't require a Windows E5 license, if you have Windows E5, you get advanced management capabilities."

The announcement is a bit murky on whether Microsoft Defender for Endpoint is required or not to get updated policies on vulnerable drivers. In past descriptions, Microsoft has suggested that it just blocks problematic drivers, when known, from getting distributed via the Windows Update service.

Microsoft keeps an updated driver block list, which is based on its security community and the driver reporting center findings. A policy, based on this block list, is then pushed down through the Windows Update service to "Secured-core devices" and Windows 10 in S Mode devices, the announcement indicated.

"These classes of devices use WDAC [Microsoft Windows Defender Application Control] and HVCI [Hypervisor-Protected Code Integrity] technology to block vulnerable and malicious drivers from running on devices before they are loaded into the kernel," the announcement explained.

Microsoft's statement possibly means that devices that aren't Secured-core machines or that aren't using Windows 10 in S Mode will lack such protections against vulnerable drivers, or they won't get updated policies on vulnerable drivers. It's not exactly clear.