Microsoft knew that Windows 11/10 drivers from WHQL were malware

Earlier today, Microsoft released new updates via Patch Tuesday for Windows 10 (KB5028166) and Windows 11 (KB5028185). The company separately announced new Dynamic SafeOS updates intended to strengthen security measures in place against Secure Boot vulnerabilities.

Along with the changes made to the Secure Boot DBX, Microsoft also added several malicious drivers to the Windows Driver.STL revocation list. Microsoft was notified of these drivers by the security companies Cisco Talos, Sophos and Trend Micro.

In security advisory ADV230001, Microsoft explains that the issue (CVE-2023-32046) was the result of maliciously used, WHQL-signed drivers:

Microsoft has recently been notified that drivers certified by Microsoft's Windows Hardware Developer Program (MWHDP) are being used maliciously. In these attacks, the attacker can gain administrative privileges on the compromised systems.

Microsoft requires kernel-mode drivers to be signed through the WHDP program. However, as has been the case in the past, certification is not foolproof: Cisco Talos reported that attackers use signature-forging utilities such as HookSignTool to bypass the WHCP checks.
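Because a WHQL signature alone is no guarantee, a defender's first check after installing these updates is to see which kernel drivers are actually loaded and whether their Authenticode signatures still verify once the revoked certificates and Driver.STL entries are in place. The following PowerShell is an added example written for this article; it is not code from iGuRu.gr, Microsoft or Cisco Talos. It assumes an elevated PowerShell session on Windows 10/11 and uses only the built-in Win32_SystemDriver class, Get-AuthenticodeSignature and Get-FileHash.

```powershell
# Added example (not from the article or from Microsoft): enumerate running
# kernel-mode drivers, verify each image's Authenticode signature, and report
# signer and hash details so non-Valid results can be triaged against the
# indicators Microsoft and the reporting vendors publish.
# Assumes an elevated PowerShell session on Windows 10/11.

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param()

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($drv in $drivers) {
        # Normalise NT-style paths such as \??\C:\... or \SystemRoot\...
        $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $cert = $sig.SignerCertificate

        [PSCustomObject]@{
            Name       = $drv.Name
            Path       = $path
            # Status values include Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
            Status     = $sig.Status
            Signer     = if ($cert) { $cert.Subject }    else { $null }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
            NotBefore  = if ($cert) { $cert.NotBefore }  else { $null }
            Sha256     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

# Anything that is not Valid deserves a look: a revoked signing certificate,
# an image on the driver block list, or an unsigned driver all land here.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Name, Status, Signer, NotBefore, Sha256 -AutoSize
```

A result of Valid only means the signature chain still verifies on this machine with its current revocation data; a driver that the July updates revoke will only flip to a non-Valid status after the update (and the Driver.STL refresh it carries) has been applied, so run the report before and after patching and compare the two.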


Written by giorgos

George still wonders what he's doing here ...
