Earlier today, Microsoft released new updates via Patch Tuesday for Windows 10 (KB5028166) and Windows 11 (KB5028185). The company separately announced new Dynamic SafeOS updates intended to strengthen security measures in place against Secure Boot vulnerabilities.
Along with the changes made to the Secure Boot DBX, Microsoft also added several malicious drivers to the Windows Driver.STL revocation list. Microsoft was notified of these drivers by the security companies Cisco Talos, Sophos and Trend Micro.
In a dedicated security advisory, ADV230001, Microsoft explains that the issue (CVE-2023-32046) was the result of maliciously signed WHQL drivers:
Microsoft has recently been notified that drivers certified by the Microsoft Windows Hardware Developer Program (MWHDP) are being used maliciously. In these attacks, the attacker can gain administrative privileges on the compromised systems.
Microsoft requires kernel-mode drivers to be signed through the WHDP program. However, as has been the case in the past, certification is not a foolproof method. Cisco Talos reported that attackers use various signature-forgery utilities, such as HookSignTool, to bypass WHCP measures.
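The practical question for an administrator after an advisory like this is which kernel drivers are actually loaded on a machine and whether their signatures still verify. The following PowerShell script is an added example written for this page; it is not Microsoft's tooling or guidance. It assumes an elevated prompt on Windows 10 or 11, and the decision to flag anything whose status is not Valid is this example's own choice.

```powershell
# Added example (not from the article): inventory running kernel-mode drivers
# and flag any whose Authenticode signature does not validate.
# Run from an elevated PowerShell session.

# Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS machines,
# which for this purpose is equivalent to "not enabled".
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = $false
}
Write-Host "Secure Boot enabled: $secureBoot"

$results = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # PathName may carry a \??\ or \SystemRoot\ prefix; normalise it to a filesystem path.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Driver   = $_.Name
                Path     = $path
                Status   = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
                Signer   = $sig.SignerCertificate.Subject  # $null when unsigned
                NotAfter = $sig.SignerCertificate.NotAfter
            }
        }
    }

# Drivers whose signature does not validate at all.
Write-Host "`nDrivers with a non-Valid signature status:"
$results | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize

# Signer inventory: an unfamiliar signer with a single driver is worth a second look
# even when the signature itself is technically valid.
Write-Host "`nSigners by number of loaded drivers:"
$results | Group-Object Signer | Sort-Object Count | Select-Object Count, Name | Format-Table -AutoSize
```

Two caveats apply when reading the output. Get-AuthenticodeSignature reports the user-mode Authenticode chain, not the kernel's code-integrity decision, so a driver blocked by the Driver.STL revocation list can still show Valid here; and a signature produced with a leaked certificate and a forgery tool of the kind the article mentions is, by construction, a technically valid signature. The script is therefore a triage aid: unsigned or tampered files surface directly, while the signer inventory is what helps spot a driver that does not belong.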