News

Microsoft Recommends Secured-Core PCs for Driver Exploits

• By Kurt Mackie
• 03/19/2020

Microsoft is touting the use of Secured-core PCs as a defensive measure against possible PC driver exploits, as explained in this announcement from the company's Windows platform security team.

Aimed at organizations with information to protect such as those in financial services, health care and government, Secured-core PCs add extra security enhancements compared with regular PCs. They're designed to protect against malware known as "bootkits" or "rootkits," which can compromise a system at the boot-up stage. Such malware can go undetected by anti-virus software.

Secured-core PCs are the next step against such threats after it was found in late 2018 that the Secure Boot process alone -- a boot-up protection scheme that's part of Unified Extensible Firmware Interface-based PCs -- had failed against attacks that exploited firmware vulnerabilities. Microsoft previously explained such notions back in October.

Secured-core PCs are built by Microsoft and its hardware partners and are already on the market, as listed at this Microsoft landing page. A few improvements are on the horizon, though. Microsoft's announcement pointed to a coming ability to add to Microsoft's public driver block list, plus a new Kernel Data Protection feature in Windows 10.

Driver Exploit Lists
Driver exploits are currently being used to bypass PC boot protections. Microsoft blocks exploitable drivers and keeps a public list of them. In the near future, organizations will be able to add to this public list as a new capability, Microsoft's announcement noted, although the rollout timing wasn't described.

It's also possible for organizations right now to make their own custom driver block lists by setting Windows Defender Application Control policies.

Microsoft described some of the malware that's been designed to exploit flaws in drivers that's already out there. They include "RobbinHood, Uroburos, Derusbi, GrayFish and Sauron." Drivers that are vulnerable to attacks are called "wormhole drivers." Microsoft works with driver makers to address such issues, and blocks the bad drivers via the Windows Update service using its public driver blocklist.

So far, Microsoft has identified about 50 wormhole drivers:

In our research, we identified over 50 vendors that have published many such wormhole drivers. We actively work with these vendors and determine an action plan to remediate these drivers. In order to further help customers identify these drivers and take necessary measures, we built an automated way in which we can block vulnerable drivers, and that is updated through Windows update.

Kernel Data Protection in Windows 10
Another bit of news announced this week is that Microsoft has added "a new feature in Windows 10 called Kernel Data Protection (KDP)." KDP carves out kernel memory that has sensitive information in it, making it "read-only protected." KDP, when broadly available, will be turned on by default in Secured-core PCs, Microsoft indicated.

Commercial rollout plans for KDP weren't described, but "Windows insiders currently have KDP," according to Deepak Manohar, a principal program manager at Microsoft, in an e-mailed response to questions, so KDP is at the testing stage right now.

Secured-Core PC Perks
Windows 10 already includes technologies such as "hypervisor-protected code integrity (HVCI), virtualization-based security (VBS), [and] Windows Defender Credential Guard" to protect against rootkit-type attacks. However, IT pros need to know how to configure PCs to use those protections.

Consequently, Microsoft is touting the use of Secured-core PCs instead as an easier approach since these devices are prebuilt with the right hardware and software configurations. Here's how that idea was expressed by Microsoft:

Customers can also get similar protection [to Secured-core PCs] on traditional devices as long as they have the necessary hardware and are configured correctly. Specifically, the following features need to be enabled: Secure boot, HVCI (enables VBS), KDP (automatically turned on when VBS is on), KDMA (Thunderbolt only) and Windows Defender System Guard.

Secured-core PCs are designed to use those Windows 10 technologies and come with Trusted Platform Module 2.0 chips to process cryptographic keys that ensure the integrity of the boot code.

Secured-Core PC Requirements
When asked which Windows 10 editions were needed for Secured-core PCs, Manohar said that "Secured-core PCs work on any Windows 10 Pro and Windows 10 Enterprise" editions.

To monitor Secured-core PCs, Microsoft is touting the use of its Microsoft Threat Protection service. Microsoft Threat Protection combines "the capabilities of Microsoft Defender ATP, Office 365 ATP, Azure ATP and Microsoft Cloud App Security."

When asked if Microsoft 365 E5 licensing was required to use Secured-core PCs, Manohar said that "Secured-core PCs can be used without Microsoft [365] E5, [although] the cloud services are a part of MDATP [Microsoft Defender Advanced Threat Protection] E5."