A terrifying 'downgrade attack' that undoes Windows updates is discovered



A security researcher has announced a 'downgrade attack' that revives already-fixed bugs and security holes by performing a 'Windows Downdate' instead of a Windows Update, leaving a system that should have been fully updated completely exposed. Microsoft is rushing to respond to this vulnerability, but it is expected to take time because the impact is widespread.

Windows Downdate: Downgrade Attacks Using Windows Updates - Black Hat USA 2024 | Briefings Schedule

https://www.blackhat.com/us-24/briefings/schedule/index.html#windows-downdate-downgrade-attacks-using-windows-updates-38963

Windows Update downgrade attack 'unpatches' fully-updated systems
https://www.bleepingcomputer.com/news/microsoft/windows-update-downgrade-attack-unpatches-fully-updated-systems/

At the security conference Black Hat 2024, which began on August 3, 2024, Alon Leviev, a researcher at security company SafeBreach, announced that two zero-day vulnerabilities in Windows 10, 11 and Windows Server could allow old security holes to be reintroduced into fully updated systems.

This downgrade attack allows threat actors to force modern devices to roll back to an older version, leaving the system in an easily compromised state.

The idea for the downgrade attack traces back to the discovery of the BlackLotus UEFI bootkit in 2023. This malware had the ability to downgrade the Windows Boot Manager and bypass Secure Boot.

It has been discovered that the terrifying malware 'BlackLotus' that bypasses Windows 11's UEFI Secure Boot and takes over a PC is being sold for just under 700,000 yen - GIGAZINE



Microsoft has already addressed the BlackLotus UEFI bootkit, but Leviev wondered whether downgrade attacks were limited to Secure Boot. He looked into Windows Update and discovered that the update process could be exploited to downgrade critical OS components such as dynamic link libraries (DLLs) and the NT kernel.

What's more, even though a downgrade attack rolls all critical components back to older versions, the update check still shows the system as fully updated, so recovery and scanning tools have no indication that anything is wrong.
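Because the page's point is that Windows Update's own status can no longer be trusted after a rollback, a defender can instead compare the on-disk versions of core components against a baseline recorded right after a trusted update. The following PowerShell is an added example, not code from the article, SafeBreach or Microsoft; the file list, the baseline path and the function names are assumptions.

```powershell
# Added example (not from the article or SafeBreach): detect a silent rollback of core
# OS components by comparing their on-disk versions against a baseline recorded right
# after a trusted update, rather than trusting the Windows Update "up to date" status.
# Assumptions: run elevated on a standard Windows install; $BaselinePath is an example path.
$BaselinePath = "$env:ProgramData\os-component-baseline.json"

# Components the article names as downgrade targets (the NT kernel and core DLLs), plus the
# Secure Kernel, hypervisor and code-integrity binaries behind the VBS protections it mentions.
$Watched = 'ntoskrnl.exe', 'ntdll.dll', 'securekernel.exe', 'hvix64.exe', 'hvax64.exe', 'ci.dll'

function Get-ComponentState {
    # Binary file version and SHA-256 of each watched file present on this system.
    foreach ($name in $Watched) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (-not (Test-Path $path)) { continue }
        # FileVersionRaw is the fixed version block in the PE header, not the free-text string
        $raw = (Get-Item $path).VersionInfo.FileVersionRaw
        [pscustomobject]@{
            File    = $name
            Version = $raw.ToString()
            Sha256  = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        }
    }
}

function Save-Baseline {
    # Record the current state immediately after Windows Update reports a successful install.
    Get-ComponentState | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
}

function Compare-Baseline {
    # Updates only move versions forward, so a file whose version went DOWN on a machine
    # that still reports "fully updated" is a rollback signal worth alerting on.
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    foreach ($cur in Get-ComponentState) {
        $old = $baseline | Where-Object File -eq $cur.File
        if (-not $old) { continue }
        $status = if ([version]$cur.Version -lt [version]$old.Version) { 'DOWNGRADED' }
                  elseif ($cur.Sha256 -ne $old.Sha256) { 'changed' }
                  else { 'ok' }
        [pscustomobject]@{ File = $cur.File; Baseline = $old.Version; Current = $cur.Version; Status = $status }
    }
}

# Usage: run Save-Baseline once after a trusted update, then schedule Compare-Baseline.
Compare-Baseline | Format-Table -AutoSize
```

Keep a copy of the baseline off the host (or forward the comparison results to a SIEM), since an attacker with the privileges needed for the downgrade can also alter a local baseline file.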

'I was able to render fully patched Windows machines vulnerable to countless previously existing vulnerabilities, turning fixed vulnerabilities into zero-days and rendering the term "fully patched" meaningless for any Windows machine in the world,' Leviev said of his discovery.



According to Leviev, this is, to his knowledge, the first method of bypassing the UEFI lock of virtualization-based security (VBS) without physical access, and the issue has a major impact not only on Microsoft but on every OS vendor whose update mechanism could be subject to downgrade attacks.

As part of the responsible disclosure process, Leviev reported the issue to Microsoft in February 2024, giving them a six-month grace period before announcing it at Black Hat 2024.

At the same time the downgrade attack was made public, Microsoft identified the flaws as the 'Windows Update Stack Elevation of Privilege Vulnerability' (CVE-2024-38202) and the 'Windows Secure Kernel Mode Elevation of Privilege Vulnerability' (CVE-2024-21302) and published advisories for them.

Microsoft says it has not identified any attempts to exploit these vulnerabilities so far, but the company is working on an update to disable old VBS system files, and until this is complete, Windows will remain vulnerable to downgrade attacks.

'We appreciate the work of SafeBreach in identifying this vulnerability and responsible reporting through coordinated disclosure. Microsoft has conducted a comprehensive process that includes a thorough investigation, development of updates for all affected versions, compatibility testing, and is actively developing mitigations to provide protection against this risk,' Microsoft said in a statement.

in Security, Posted by log1l_ks