Windows Update Flaws Allow Undetectable Downgrade Attacks

Researcher showcases hack against Microsoft Windows Update architecture, turning fixed vulnerabilities into zero-days.

LAS VEGAS — SafeBreach Labs researcher Alon Leviev is calling urgent attention to major gaps in Microsoft’s Windows Update architecture, warning that malicious hackers can launch software downgrade attacks that make the term “fully patched” meaningless on any Windows machine in the world.

During a closely watched presentation at the Black Hat conference today in Las Vegas, Leviev showed how he was able to take over the Windows Update process to craft custom downgrades on critical OS components, elevate privileges, and bypass security features.

“I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days,” Leviev said.

The Israeli researcher said he found a way to manipulate an action list XML file to push a ‘Windows Downdate’ tool that bypasses all verification steps, including integrity verification and Trusted Installer enforcement. 

In an interview with SecurityWeek ahead of the presentation, Leviev said the tool is capable of downgrading essential OS components that cause the operating system to falsely report that it is fully updated. 

Downgrade attacks, also called version-rollback attacks, revert fully up-to-date software that is immune to known flaws back to an older version with known, exploitable vulnerabilities.
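Because a downgraded machine can still report itself as fully updated, a defender should compare actual component file versions against a recorded known-good baseline rather than trust the updater's status. The following is an added illustration, not code from the article or from SafeBreach; the component names and version numbers are constructed sample data:

```python
"""Added example (not from the article or SafeBreach): flag Windows
components whose inventoried file version is lower than a recorded
baseline, which is how a rollback shows up even when the OS claims it
is fully patched. Names and versions below are constructed placeholders."""

from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted Windows file version like '10.0.22621.2134' into a tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def find_downgrades(baseline: Dict[str, str],
                    observed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (component, baseline_version, observed_version) for every
    component whose observed version is older than the baseline, and for
    every baseline component missing from the observed inventory."""
    findings = []
    for name, base_text in sorted(baseline.items()):
        seen_text = observed.get(name)
        if seen_text is None:
            findings.append((name, base_text, "MISSING"))
            continue
        if parse_version(seen_text) < parse_version(base_text):
            findings.append((name, base_text, seen_text))
    return findings


# Constructed sample data: a baseline recorded after the last patch cycle
# and a later inventory of the same machine (file names are illustrative).
BASELINE = {
    "ntoskrnl.exe": "10.0.22621.2134",
    "securekernel.exe": "10.0.22621.2134",
    "hvix64.exe": "10.0.22621.2134",
}
OBSERVED = {
    "ntoskrnl.exe": "10.0.22621.2134",
    "securekernel.exe": "10.0.22621.1105",  # older build: rolled back
    "hvix64.exe": "10.0.22621.2134",
}

if __name__ == "__main__":
    for name, base, seen in find_downgrades(BASELINE, OBSERVED):
        print(f"DOWNGRADE {name}: baseline {base}, observed {seen}")
```

The baseline should be captured from a trusted source (for example, a golden image or a signed inventory) and stored off the monitored host, since the article's point is that the host's own update status cannot be relied on.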

Leviev said he was motivated to inspect Windows Update after the discovery of the BlackLotus UEFI Bootkit, which also included a software downgrade component. He found several vulnerabilities in the Windows Update architecture that allow an attacker to downgrade key operating system components, bypass Windows Virtualization-Based Security (VBS) UEFI locks, and expose past elevation-of-privilege vulnerabilities in the virtualization stack.

Leviev said SafeBreach Labs reported the issues to Microsoft in February this year and has worked over the last six months to help mitigate the issue.

A Microsoft spokesperson told SecurityWeek the company is developing a security update that will revoke outdated, unpatched VBS system files to mitigate the threat. Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions, the spokesperson added.

Microsoft plans to publish a CVE on Wednesday alongside Leviev’s Black Hat presentation and “will provide customers with mitigations or relevant risk reduction guidance as they become available,” the spokesperson added. It is not yet clear when the comprehensive patch will be released.

Leviev also showcased a downgrade attack against the virtualization stack within Windows that abuses a design flaw: less privileged virtual trust levels/rings were permitted to update components residing in more privileged virtual trust levels/rings.

He described the software downgrade rollbacks as “undetectable” and “invisible” and cautioned that the implications for this hack may extend beyond the Windows operating system. 

UPDATE: Microsoft on Wednesday published two new advisories describing Windows vulnerabilities discovered by SafeBreach’s Leviev: CVE-2024-21302 and CVE-2024-38202.

The company said it’s developing security updates to mitigate the threat, but they are not yet available. In the meantime, it has shared guidance to help customers reduce the risks associated with the vulnerabilities.

Related: Microsoft Shares Resources for BlackLotus UEFI Bootkit Hunting

Related: Vulnerabilities Allow Researcher to Turn Security Products Into Wipers

Related: BlackLotus Bootkit Can Target Fully Patched Windows 11 Systems

Related: North Korean Hackers Abuse Windows Update Client in Attacks on Defense Industry

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.