A newly disclosed vulnerability in the Windows Update framework permits attackers to revert fully patched systems to earlier builds, bringing back security issues that had already been fixed. SafeBreach Labs researcher Alon Leviev identified the flaw, and Microsoft is in the process of developing a patch for it.
Exploit Mechanism Exploration
Presenting at the Black Hat security conference, Leviev showed how the flaw can be used to downgrade Windows as a whole or individual components of it. Termed “Windows Downdate,” the attack manipulates the update mechanism, in which a client process on the user’s PC and a privileged update server component on the same machine exchange an update folder and an action list describing the changes to apply.
Windows Update is supposed to preserve system integrity because the server, not the client, controls and verifies the update folder it applies. Yet Leviev found that the “PoqexecCmdline” registry key, which tells the update process where to find its action list, is not protected by the Trusted Installer. An attacker can therefore point the update process at an action list of their own choosing and downgrade essential system components, including drivers, dynamic link libraries, and the NT kernel itself.
Research Implications
In his presentation Leviev introduced “Windows Downdate,” a tool designed to downgrade critical OS components invisibly and persistently, re-exposing previously patched vulnerabilities such as privilege escalation bugs. The study showed that the entire virtualization stack, including Credential Guard’s Isolated User Mode process, the Secure Kernel, and Hyper-V’s hypervisor, could be downgraded.
Leviev stressed that operating system design features, however old, should be scrutinized as possible attack vectors: the downgrade attack surface he identified in Virtualization-Based Security (VBS) has existed for almost a decade. His research was prompted by in-the-wild attacks such as the BlackLotus UEFI bootkit, and he urges that such attacks be examined thoroughly for their broader implications so that similar threats can be headed off.
Vulnerability Impact
The capacity to downgrade critical components revives vulnerabilities that earlier versions had already fixed. Leviev’s proof-of-concept attack disabled VBS and then targeted privileged kernel code. The exploit does not grant initial remote access; it requires an attacker who already has administrative control of the machine. For such already-compromised systems, however, it poses a severe risk, because it abuses the trusted Windows Update mechanism to perform the downgrade and the system continues to report itself as fully patched.
Microsoft acknowledged the issue to WIRED and said it is working on mitigations that revoke the vulnerable VBS system files. The process is delicate, as it must protect users without causing integration issues or other problems. Although Microsoft has not yet seen attacks leveraging the flaw, it says it is committed to extensive investigation, development, and testing to ensure comprehensive protection.
Leviev set out to build a “perfect” downgrade attack: one that is undetectable, invisible, persistent, and irreversible. Windows Update is implemented as a client and a server communicating over COM, with the server running as the Trusted Installer, the account meant to protect system files from tampering; in this respect the design was found wanting.
The research showed that by controlling the “pending.xml” action list, whose entries create, move, and delete files and modify registry keys, an attacker can carry out arbitrary downgrades. By manipulating the list, Leviev bypassed the update process’s integrity checks and gained complete control over what Windows Update applies.
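As an added example (not SafeBreach’s Windows Downdate tool and not Microsoft code), the following Python script audits an action list in the style of pending.xml for the two conditions described above: a protected binary being replaced from a component store directory carrying an older version than the one currently installed, and a protected binary being sourced from outside the WinSxS store altogether. It also checks a PoqexecCmdline value against the action-list path it is expected to reference. The element and attribute names, the sample action list, the installed-version table, and the default expected PoqexecCmdline path are constructed assumptions for the example; the WinSxS directory naming convention (architecture, component name, public key token, version, language, hash, separated by underscores) is the real one.

```python
"""Audit a Windows Update action list (pending.xml style) for downgrade operations.

Added example; the XML schema below is an assumption loosely modelled on pending.xml,
and all sample data is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Real Windows binaries whose replacement by an older build we treat as a
# kernel/VBS-stack downgrade. The set itself is illustrative, not exhaustive.
PROTECTED = {
    "ntoskrnl.exe",      # NT kernel
    "securekernel.exe",  # Secure Kernel (VBS)
    "hvix64.exe",        # Hyper-V hypervisor (Intel)
    "hvax64.exe",        # Hyper-V hypervisor (AMD)
    "lsaiso.exe",        # Credential Guard isolated LSA process (IUM)
    "ci.dll",            # Code Integrity
}

FILE_OPS = ("HardlinkFile", "MoveFile", "CopyFile")

# WinSxS component directories are named
#   <arch>_<name>_<publicKeyToken>_<version>_<lang>_<hash>
# so the dotted-quad version can be pulled out of the source path.
COMPONENT_RE = re.compile(r"winsxs[\\/][^\\/]*?(?P<version>\d+\.\d+\.\d+\.\d+)_",
                          re.IGNORECASE)


def version_tuple(text):
    """'10.0.22621.2428' -> (10, 0, 22621, 2428), so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def fmt(version):
    return ".".join(str(part) for part in version)


def parse_actions(xml_text):
    """Return (operation, source, destination) triples from the action list."""
    root = ET.fromstring(xml_text)
    actions = []
    for el in root.iter():
        if el.tag in FILE_OPS:
            actions.append((el.tag, el.get("source", ""), el.get("destination", "")))
        elif el.tag == "DeleteFile":
            actions.append((el.tag, el.get("path", ""), ""))
    return actions


def find_downgrades(actions, installed):
    """Flag protected binaries replaced from older or untrusted sources.

    installed maps a lower-case file name to the version tuple currently on disk.
    """
    findings = []
    for op, src, dst in actions:
        if op not in FILE_OPS:
            continue  # deletions do not replace a protected binary by themselves
        name = dst.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name not in PROTECTED:
            continue
        match = COMPONENT_RE.search(src)
        if not match:
            findings.append(f"{op}: {name} sourced from outside WinSxS: {src}")
            continue
        new = version_tuple(match.group("version"))
        current = installed.get(name)
        if current is not None and new < current:
            findings.append(f"{op}: {name} {fmt(current)} -> {fmt(new)} (downgrade)")
    return findings


def check_poqexec_cmdline(cmdline, expected=r"\SystemRoot\WinSxS\pending.xml"):
    """Return a finding if the PoqexecCmdline value names an unexpected action list.

    The default expected path is an assumption about the stock value.
    """
    match = re.search(r"(\S+\.xml)", cmdline, re.IGNORECASE)
    if not match:
        return f"no action list path in PoqexecCmdline: {cmdline!r}"
    path = match.group(1)
    if path.lower() != expected.lower():
        return f"PoqexecCmdline points at unexpected action list: {path}"
    return None


# Constructed sample: one genuine-looking downgrade of the kernel, one same-version
# replacement of the Secure Kernel, one hypervisor sourced from a user directory.
SAMPLE_ACTION_LIST = r"""<?xml version="1.0" encoding="utf-8"?>
<PendingTransaction>
  <POQ postAction="reboot">
    <HardlinkFile source="\??\C:\Windows\WinSxS\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.22621.2428_none_1a2b3c\ntoskrnl.exe" destination="\??\C:\Windows\System32\ntoskrnl.exe"/>
    <HardlinkFile source="\??\C:\Windows\WinSxS\amd64_microsoft-windows-securekernel_31bf3856ad364e35_10.0.22621.3155_none_4d5e6f\securekernel.exe" destination="\??\C:\Windows\System32\securekernel.exe"/>
    <MoveFile source="\??\C:\Users\Public\hvix64.exe" destination="\??\C:\Windows\System32\hvix64.exe"/>
    <DeleteFile path="\??\C:\Windows\System32\ntoskrnl.exe.bak"/>
  </POQ>
</PendingTransaction>
"""

# Constructed table of currently installed versions (assumed, not read from disk).
INSTALLED = {
    "ntoskrnl.exe": (10, 0, 22621, 3155),
    "securekernel.exe": (10, 0, 22621, 3155),
    "hvix64.exe": (10, 0, 22621, 3155),
}


def audit_sample():
    return find_downgrades(parse_actions(SAMPLE_ACTION_LIST), INSTALLED)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
    print(check_poqexec_cmdline(r"poqexec.exe /display_progress C:\Users\Public\evil.xml"))
```

On a real host the installed versions would be read from the file version resources of the binaries in System32 and the PoqexecCmdline value from the registry; the script keeps both as constructed inputs so that it runs offline. The version comparison deliberately treats an equal version as benign, since servicing legitimately re-links the same build.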
Last Updated on November 7, 2024 3:22 pm CET