One of the 3 vulnerabilities that I've outlined is that the on-endpoint driver blocklist is a differently maintained list than the online list.
Am I being pedantic and nit-picking here?
Per MSRC, the discrepancy is intentional:
Lastly, regarding the Online Driver Blocklist, the online list is supposed to be a superset
Let's say that theoretically this is not a lie...
1) How well known is it that the online Microsoft recommended driver block rules list is intentionally a superset of what endpoints see? The language in the online blocklist clearly says that the blocklist gets put on endpoints via Windows Update. 🤔
2) Let's pick a sample driver used by the years-old exploit KDU. Driver number 1 provided by this tool is RTCore64.sys
This driver is definitely in the online Microsoft recommended driver block rules list. Let's test it out on a Windows 11 machine with the "Microsoft Vulnerable Driver Blocklist" option enabled.
Oh... it loads? And it allows us to disable driver signature verification?
This seems less than ideal.
Tell me, oh internet public, why might Microsoft intentionally choose to allow a years-old public exploit to continue to work?
Oh, right. It's easier to blow off a researcher with a "this is intentional" than to actually read the report that they submitted and address the problem. 🤦♂️
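To reproduce the kind of check described in the thread (driver is in the published list, blocklist toggle is on, driver still loads), here is an added PowerShell example. It is not code from the thread author or from Microsoft. It looks up a driver name in a block rules policy XML (by FileName rules, and counts hash-only rules it cannot match by name), reads the local blocklist toggle from the registry, checks whether the driver is loaded, and counts Code Integrity block/audit events mentioning it. The embedded XML is a constructed sample in the WDAC SiPolicy schema, not the real list; the parameter names and function names are this example's own.

```powershell
# Added example (not from the original thread). For a driver such as RTCore64.sys:
#   1. is there a Deny rule for it in a block rules policy XML (FileName match)?
#   2. is the local "Microsoft Vulnerable Driver Blocklist" toggle set?
#   3. is the driver loaded right now, and did Code Integrity log a block (3077)
#      or audit (3076) event naming it?
# Assumptions: $PolicyXmlPath points at a downloaded copy of the recommended driver
# block rules XML; if it is not given, the constructed sample below is used instead.
param(
    [string]$DriverName    = 'RTCore64.sys',
    [string]$PolicyXmlPath = $null
)

# Constructed sample in the SiPolicy XML format. Real Deny rules come in two shapes:
# FileName-based (with MinimumFileVersion) and Hash-based (Authenticode hash, no name).
$SampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <FileRules>
    <Deny ID="ID_DENY_RTCORE" FriendlyName="RTCore64.sys (sample)" FileName="RTCore64.sys" MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_HASH_1" FriendlyName="sample hash-only rule" Hash="0123456789ABCDEF0123456789ABCDEF01234567" />
  </FileRules>
</SiPolicy>
'@

function Get-DenyRulesForDriver {
    param([xml]$Policy, [string]$Name)
    # The policy uses a default namespace, so XPath needs a prefix mapped to it.
    $ns = New-Object System.Xml.XmlNamespaceManager($Policy.NameTable)
    $ns.AddNamespace('p', 'urn:schemas-microsoft-com:sipolicy')
    $denies = $Policy.SelectNodes('//p:FileRules/p:Deny', $ns)
    $byName = @($denies | Where-Object { $_.FileName -and ($_.FileName -ieq $Name) })
    # Hash-only rules cannot be matched from a file name alone; you need the file's
    # Authenticode hash (a flat Get-FileHash SHA256 is NOT the same value).
    $byHash = @($denies | Where-Object { $_.Hash })
    [pscustomobject]@{
        Driver        = $Name
        FileNameRules = $byName.Count
        HashOnlyRules = $byHash.Count
        MatchingIds   = (($byName | ForEach-Object { $_.ID }) -join ',')
    }
}

function Get-LocalBlocklistState {
    param([string]$Name)
    # The Windows Security "Microsoft Vulnerable Driver Blocklist" switch is reflected
    # by VulnerableDriverBlocklistEnable under CI\Config (1 = on, 0 = off).
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $toggle = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    # Is a driver with that image name currently running?
    $loaded = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object {
            $_.PathName -and $_.State -eq 'Running' -and
            ([System.IO.Path]::GetFileName($_.PathName) -ieq $Name)
        }

    # 3077 = enforced block, 3076 = audit-mode "would have blocked".
    $events = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$Name*" }

    [pscustomobject]@{
        Driver             = $Name
        BlocklistToggle    = $toggle
        CurrentlyLoaded    = [bool]$loaded
        BlockOrAuditEvents = @($events).Count
    }
}

$policy = if ($PolicyXmlPath -and (Test-Path $PolicyXmlPath)) {
    [xml](Get-Content -Raw -Path $PolicyXmlPath)
} else {
    [xml]$SampleXml
}

Get-DenyRulesForDriver -Policy $policy -Name $DriverName | Format-List
if ($env:OS -eq 'Windows_NT') {
    Get-LocalBlocklistState -Name $DriverName | Format-List
}
```

Run it from an elevated prompt so the Code Integrity log and driver state are readable. The point of splitting the two functions is the discrepancy the thread is about: a name match in the published XML tells you nothing about what the endpoint actually enforces, which is a separately shipped binary policy, so a "FileNameRules: 1" result alongside "CurrentlyLoaded: True" and zero 3077 events is exactly the gap to report.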