This is only 1/2 of the problem. While adding "detections" around the exploitation of vulnerable drivers to prevent malicious attacks (think Ransomware/Trojan/C2/etc), what is not addressed here is the INTENTIONAL use of vuln. drivers to circumvent security within the system.
One of the main uses for vuln. drivers beyond malicious intent is to alter the behavior of a vendor's driver. This could be for altering the "hardware" ID/Serials (Spoofing), bypassing AntiCheats (#1 usage), hooking and changing the TPM results (EK/Attestation), the list goes on and on. The fact that there are Intel, Lenovo, Dell, and (~4-5 thousand) SIGNED drivers that provide direct access to MSRs and Physical Memory is unacceptable-- it completely negates the need to have a "WHQL" (e.g. signed and validated) driver in the first place. Google "KDMapper" as an example.