A newly discovered vulnerability can make a fully patched Windows machine susceptible to thousands of past vulnerabilities.

A recent discovery has revealed a serious flaw in Microsoft’s Windows Update. Instead of protecting computers, it can be tricked into installing older, vulnerable operating system versions. This allows hackers to bypass security measures and attack computers even with the latest updates installed. It’s like dialing back time to find the perfect vulnerability to exploit.

Alon Leviev, a security researcher at SafeBreach, has unveiled a technique that lets malicious actors manipulate the Windows Update process to downgrade critical system components, rendering security patches useless.

“With Windows Downdate, I was able to take full control of the Windows Update process, downgrading key OS components, including DLLs, drivers, and even the NT kernel,” Leviev said while presenting his research at the just-concluded Black Hat conference. “This allowed me to bypass all verification steps and make a fully patched Windows machine susceptible to thousands of past vulnerabilities.”

The widespread use of Windows in enterprises underscores the potential severity of downgrade attacks, said Arjun Chauhan, senior analyst at Everest Group. “Although Microsoft has stated that it has not observed these downgrade attacks occurring in the wild, the lack of a reliable solution six months after the SafeBreach team reported the vulnerability raises concerns about Microsoft’s ability to effectively address this issue.”

[For more Black Hat USA coverage, see “Black Hat: Latest news and insights.”]

Downgrade attacks: A growing concern

Downgrade attacks, or version-rollback attacks, are a form of cyberattack that reverts software to an older, vulnerable version, allowing malicious actors to exploit previously fixed issues, Leviev explained in his findings.
“In terms of impact, downgrade attacks could have profound implications for organizations heavily dependent on Windows environments,” Chauhan pointed out. “These attacks can reverse security patches, re-exposing systems to previously mitigated vulnerabilities, thereby increasing the risk of data breaches, unauthorized access, and loss of sensitive information. Moreover, such attacks could disrupt operations by compromising critical infrastructure, leading to downtime and financial losses. Industries with stringent compliance requirements, such as financial services, healthcare, and the public sector, are particularly vulnerable. A successful downgrade attack in these sectors could result in regulatory penalties and significant damage to an organization’s reputation and customer trust.”

Leviev’s inspiration for this technique came from the BlackLotus UEFI Bootkit 2023, which showcased the severity of such attacks by downgrading the Windows boot manager to exploit CVE-2022-21894, bypassing Secure Boot, and disabling other OS security mechanisms. “The malware could persist even on fully patched Windows 11 systems, raising alarms in the cybersecurity community,” Leviev added.

“I found several vulnerabilities that I used to develop Windows Downdate, a tool to take over the Windows Update process to craft fully undetectable, invisible, persistent, and irreversible downgrades on critical OS components, that allowed me to elevate privileges and bypass security features,” he said in the research report. “As a result, I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term ‘fully patched’ meaningless on any Windows machine in the world,” he added.

There is a need for increased awareness of and research into OS-based downgrade attacks, he suggested in the report.
“During this process, I found no mitigations preventing the downgrade of critical OS components in Microsoft Windows.”

A call for increased vigilance

The implications of this research extend beyond Microsoft Windows. The findings underscore the need for increased awareness and research into OS-based downgrade attacks. “We believe other OS vendors may be equally susceptible to similar attack vectors, and all OS vendors must be vigilant against the dangers they pose,” emphasized the researcher.

“Design features within an OS should always be reviewed and regarded as a relevant attack surface, regardless of how old the feature may be,” Leviev added. “The downgrade attack I was able to achieve on the virtualization stack within Windows was possible due to a design flaw that permitted less privileged virtual trust levels/rings to update components residing in more privileged virtual trust levels/rings.”

The researcher was also able to bypass Windows Virtualization-Based Security (VBS), a critical security feature designed to protect against advanced threats. This discovery highlights the potential for attackers to circumvent even the most robust security measures.

“It is likely that other operating systems can also face similar risks from downgrade attacks, though the vulnerability in Windows is currently the most pronounced,” Chauhan noted. “These downgrade attacks are difficult to detect with standard endpoint security or EDR tools. Until Microsoft provides a permanent solution, organizations should closely monitor for downgrade attempts, restrict administrative privileges, and enforce the Principle of Least Privilege (PoLP),” Chauhan said.

Microsoft’s reaction

Microsoft has not yet issued a public statement on the research findings. A query seeking comments from Microsoft remains unanswered. However, the software giant has issued two advisories, CVE-2024-38202 and CVE-2024-21302, on Wednesday, coinciding with the conference presentation.
“Microsoft was notified that an elevation of privilege vulnerability exists in Windows Backup, potentially enabling an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS),” the company said in a statement. “Microsoft is not aware of any attempts to exploit this vulnerability. However, a public presentation regarding this vulnerability was hosted at BlackHat on August 7, 2024.”
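Chauhan’s advice above is to monitor for downgrade attempts while no permanent fix exists, and Leviev’s description of the attack is that key components such as DLLs, drivers and the NT kernel end up at an older build than the last patch installed. One defender-side check that follows from that is a baseline comparison: record the file versions of critical components after each patch cycle and alert when any of them goes backwards. The script below is an added example, not code from the article, SafeBreach or Microsoft. The file paths and version numbers are constructed sample data, and how the inventories are collected from a real host (for example from the files’ version metadata) is outside its scope.

```python
"""Baseline-versus-current version check for critical OS components.

Added example, not code from the article, SafeBreach, or Microsoft. Both
inventories below are constructed sample data; on a real host they would be
gathered from the files' version metadata (collection is outside this example).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed baseline: versions recorded right after the last known-good patch cycle.
BASELINE: Dict[str, str] = {
    r"C:\Windows\System32\ntoskrnl.exe": "10.0.22631.3880",
    r"C:\Windows\System32\ci.dll": "10.0.22631.3880",
    r"C:\Windows\System32\securekernel.exe": "10.0.22631.3880",
    r"C:\Windows\System32\kernel32.dll": "10.0.22631.3810",
}

# Constructed current snapshot: kernel and ci.dll rolled back to an older build,
# kernel32.dll legitimately updated, securekernel.exe missing, one file not in the baseline.
CURRENT: Dict[str, str] = {
    r"C:\Windows\System32\ntoskrnl.exe": "10.0.22631.2428",
    r"C:\Windows\System32\ci.dll": "10.0.22631.999",
    r"C:\Windows\System32\kernel32.dll": "10.0.22631.3880",
    r"C:\Windows\System32\drivers\example.sys": "1.0.0.0",
}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn a dotted file version such as '10.0.22631.3880' into a numeric tuple.

    Numeric comparison is essential: as strings, '10.0.22631.999' sorts after
    '10.0.22631.3880' and a rollback would be missed. Trailing components that
    are absent are treated as zero, so '10.0.22631' equals '10.0.22631.0'.
    """
    if not re.fullmatch(r"\d+(\.\d+){0,3}", version):
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str  # "rollback", "missing" or "unbaselined"
    baseline: Optional[str]
    current: Optional[str]


def compare_inventories(baseline: Dict[str, str], current: Dict[str, str]) -> List[Finding]:
    """Report every component whose version went backwards, disappeared, or is new.

    An upgrade (current newer than baseline) is not a finding; the baseline is
    expected to be refreshed after each legitimate patch cycle.
    """
    findings: List[Finding] = []
    for path, base_v in baseline.items():
        cur_v = current.get(path)
        if cur_v is None:
            findings.append(Finding(path, "missing", base_v, None))
        elif parse_version(cur_v) < parse_version(base_v):
            findings.append(Finding(path, "rollback", base_v, cur_v))
    for path, cur_v in current.items():
        if path not in baseline:
            findings.append(Finding(path, "unbaselined", None, cur_v))
    return sorted(findings, key=lambda f: f.path.lower())


def rolled_back_paths(findings: List[Finding]) -> List[str]:
    """Paths whose version regressed: the signal that warrants an alert."""
    return [f.path for f in findings if f.kind == "rollback"]


if __name__ == "__main__":
    for f in compare_inventories(BASELINE, CURRENT):
        print(f"{f.kind:<12} {f.path}  baseline={f.baseline}  current={f.current}")
```

The comparison deliberately treats a newer version as normal and only a regression as a finding, so the baseline must be re-recorded after every legitimate patch cycle or the check will go stale. A missing component and a component absent from the baseline are reported separately, since either can also indicate tampering with the update state rather than a plain rollback.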