Microsoft is currently addressing vulnerabilities in the Windows update process that could be exploited for downgrade attacks, as discovered by SafeBreach Labs researcher Alon Leviev [1].
Description
Leviev’s technique, known as Windows Downdate [5], manipulates the Windows Update process to downgrade critical system components [2], rendering security patches ineffective [2]. This manipulation allows attackers to bypass verification steps and make fully patched Windows machines vulnerable to past vulnerabilities [2], potentially exposing privilege escalation vulnerabilities and disabling security features like Credential Guard and Hyper-V’s hypervisor [3].
Leviev presented his findings at Black Hat US 2024 and DEF CON 32, highlighting a design flaw in Microsoft’s VBS features that allowed for the existence of the downgrade attack surface for almost a decade [3]. Microsoft has issued advisories for two elevation of privilege vulnerabilities [2], CVE-2024-38202 and CVE-2024-21302 [1] [2] [5], which could enable attackers to reintroduce previously mitigated vulnerabilities or bypass Virtualization Based Security (VBS) features [2].
Organizations are advised to monitor for downgrade attempts [2], restrict administrative privileges [2], and enforce the Principle of Least Privilege (PoLP) until a permanent solution is provided by Microsoft [2]. Leviev’s research underscores the importance of reviewing OS design features as potential attack surfaces [5], even for older features [5]. Microsoft is working on a security update to address the vulnerabilities [1] [4] [5], and customers are advised to perform permissions audits to reduce the risk of exploitation [5].
The vulnerabilities in the Windows update process allow for the downgrade of critical OS components [4], such as DLLs and the NT Kernel [4], while still reporting the system as fully updated [4]. This downgrade can expose the system to privilege escalation vulnerabilities by compromising security components like Credential Guard’s Secure Kernel and Hyper-V’s hypervisor [4]. Microsoft is working on updates to address these vulnerabilities [1] [4] [5], but it will take time to implement and test the fixes across all affected versions [4]. In the meantime [4], users are advised to implement mitigation measures provided in security advisories [4]. The discovery of these vulnerabilities has implications for the concept of a fully patched Windows system and highlights the potential risks of downgrade attacks on other operating systems [4]. Microsoft is developing an update to revoke outdated [4], vulnerable system files used by Virtualization Based Security [4], but extensive testing is required before deployment [4].
Conclusion
The discovery of vulnerabilities in the Windows update process underscores the importance of maintaining vigilance and implementing security measures to protect against downgrade attacks. Microsoft’s efforts to address these vulnerabilities and provide security updates are crucial in safeguarding systems from potential exploitation. Organizations and users should remain proactive in monitoring for downgrade attempts and following recommended mitigation strategies to mitigate risks and enhance system security.
References
[1] https://www.tomshardware.com/software/windows/windows-downdate-exposes-updated-os-to-old-vulnerabilities
[2] https://www.csoonline.com/article/3484624/back-to-the-future-windows-update-is-now-a-trojan-horse-for-hackers.html
[3] https://thehackernews.com/2024/08/windows-downgrade-attack-risks-exposing.html
[4] https://www.blackhatethicalhacking.com/news/windows-downdate-attack-zero-days-make-fully-patched-windows-systems-vulnerable-again/
[5] https://www.helpnetsecurity.com/2024/08/08/windows-downgrade-attack/