Threat actors are exploiting security gaps to weaponize Windows drivers and terminate security processes, and there may be no easy fixes in sight.

DR (DZone Research) offers insights into software development trends, industry surveys, and technology adoption patterns, providing reports, whitepapers, and analyst insights to help businesses make informed decisions and stay competitive in the ever-evolving tech landscape. By exploring DR's curated content, developers can gain insights into emerging technologies, developer preferences, and industry best practices for building innovative and market-leading software solutions. Whether you're a startup founder, product manager, or tech executive, DR offers resources to guide your strategic planning and drive business success.

Dark Reading

Bring-your-own-vulnerable-driver (BYOVD) attacks are surging, with ransomware groups exploiting Windows kernel drivers to kill EDR and security processes before deploying payloads. A key loophole allows drivers signed before July 29, 2015 — even those with expired or revoked certificates — to load on modern Windows systems due to backward compatibility rules. Microsoft's Vulnerable Driver Blocklist, enabled by default since Windows 11 2022, is updated only once or twice a year, leaving months-long windows of exposure. Security researchers call for more frequent blocklist updates, stricter driver signing reviews, active revocation enforcement, and policies restricting drivers to their intended applications. However, many fixes risk crashing systems or breaking legacy software, particularly in sectors like healthcare. The open-source LOLDrivers project and EDR vendor-level detection are cited as interim mitigations, but much of the defensive burden has shifted unfairly to EDR vendors and end-user organizations.

Microsoft Under Pressure to Bolster Defenses for BYOVD Attacks

Security Gaps Allow BYOVD Attacks to Thrive

Vulnerable Driver Blocklists Only Go So Far

Short-Term Fixes for the Long-Term BYOVD Problem