Description
The Microsoft vulnerable driver block list is implemented as Windows Defender Application Control (WDAC) policy. On systems that do not have hypervisor-protected code integrity (HVCI) enabled, entries that specify only the to-be-signed (TBS) part of the code signer certificate are properly blocked, but entries that specify the signing certificate’s TBS hash along with a 'FileAttribRef' qualifier (such as file name or version) will not be blocked. This vulnerability affects any Windows system that does not have HVCI enabled or supported (HVCI is available in Windows 10, Windows 11, and Windows Server 2016 and later). NOTE: The vendor states that the driver blocklist is intended for use with HVCI, while systems without HVCI should use App Control, and any custom blocklist entries require a granular approach for proper enforcement.
Problem types
CWE-420 Unprotected Alternate Channel
Product status
10 (custom)
References
learn.microsoft.com/...rosoft-recommended-driver-block-rules
learn.microsoft.com/...on-based-protection-of-code-integrity
x.com/JonnyJohnson_/status/1895103112924307727
