11 comments

[ 3.3 ms ] story [ 35.1 ms ] thread
Don't you need admin rights to be able to install drivers? If so, then what is this supposed to actually protect against, since once the bad guy has that, you're totally pwned anyway?
I think the problem is with a known bad driver blocklist not working like it should. It's something that should prevent installation even if the user clicks yes.
Not a computer security expert, but it sounded like the vulnerable drivers provided a shortcut to certain objectives. So although there might be a way to accomplish something as root, it was easier or more undetectable to do it through the vulnerable drivers.
Typically they are used to remove security software (EDR like CrowdStrike or antivirus) that would stop you deploying your ransomware.

Normally security monitoring tools have mechanisms to stop even and admin uninstalling them without a software specific password, a vulnerable kernel driver would allow you to bypass that.

Normally you can't run code in kernel as Administrator. You can only install signed driver. So if you BYOVD (bring your own vulnerable driver) you load signed driver then run your code in kernel.
As Raymond would say, you're already on the other side of the airtight hatchway. This is a non-story.
Genshin still works and AIUI they haven't updated the driver, meaning Microsoft isn't taking this seriously enough.
I don't think Ars communicates this very well.

These attacks require for malware to already have been installed on your computer, at that point you're fucked regardless of if they manage to escalate privileges or not.

I feel like with many Windows vulns, this is another one left in at the direction of intelligence agencies because, for some stupid reason, adversary nations still use Windows, lol.