
Old is new: Windows vulnerability allows undetectable downgrade attacks

The path of attack (Image Source: SafeBreach)
At Black Hat USA 2024, a researcher showcased a method for taking over the Windows Update Process to craft a custom system downgrade. With the system downgraded, threat actors can elevate privileges, bypass security features, and exploit previously patched vulnerabilities.

At the 2024 Black Hat USA Conference, SafeBreach researcher Alon Leviev presented an attack that manipulates an action list XML file to push a “Windows Downdate” tool that bypasses all Windows verification steps and the Trusted Installer. The tool can also manipulate Windows to confirm that the system is fully updated. 

The Windows Update Process has been compromised before. Released in 2023, the BlackLotus UEFI Bootkit includes downgrade capabilities that use vulnerabilities in the Windows Update architecture. Similar to the method Leviev showcased, the BlackLotus Bootkit downgrades various system components to bypass the VBS UEFI locks. A threat actor can then use privilege escalation “zero-day” attacks on a previously up-to-date system. In a blog post on SafeBreach, Leviev stated: “I discovered multiple ways to disable Windows virtualization-based security (VBS), including its features such as Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when enforced with UEFI locks. To my knowledge, this is the first time VBS’s UEFI locks have been bypassed without physical access.”

Leviev informed Microsoft of the vulnerabilities in February of this year. However, Microsoft is still developing a security update to revoke outdated and unpatched VBS systems. Microsoft also plans to release a guide to “provide customers with mitigations or relevant risk reduction guidance as they become available.” Guidance is necessary since, according to Leviev, these attacks are undetectable and invisible. To learn more or to see the exploit in action, please visit the resources below.
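Because the downgrade tool described above can make Windows report itself as fully updated, a defender cannot rely on the Windows Update status alone. The following PowerShell script is an added example for this article (it is not code from SafeBreach, Microsoft or the Downdate research) that checks the actual running state of VBS, Credential Guard and HVCI through the documented Win32_DeviceGuard WMI class, and records the binary versions of a few core system files so they can be compared against a baseline captured from a known-good host. The file list and the baseline path are assumptions chosen for illustration.

```powershell
# Added example, not from the article or the SafeBreach research.
# Reports the real VBS / Credential Guard / HVCI state and the versions of
# kernel-related binaries, so a silent downgrade can be spotted by comparison
# with a known-good baseline rather than by trusting "Windows is up to date".

function Get-VbsState {
    # Win32_DeviceGuard is documented by Microsoft; status codes:
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #   SecurityServices* arrays:          1 = Credential Guard, 2 = HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    [pscustomobject]@{
        VbsRunning                 = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured  = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning     = ($dg.SecurityServicesRunning -contains 1)
        HvciConfigured             = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning                = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-KernelBinaryVersions {
    # Illustrative file list (assumption); a real baseline should cover what your fleet tracks.
    $files = @('ntoskrnl.exe', 'securekernel.exe', 'hvix64.exe', 'ci.dll')
    foreach ($f in $files) {
        $path = Join-Path $env:SystemRoot "System32\$f"
        if (Test-Path $path) {
            $v = (Get-Item $path).VersionInfo
            # FileVersionRaw (PowerShell 5.1+) reads the binary version block rather than the
            # string table, which is the field that actually changes when a file is replaced.
            [pscustomobject]@{ File = $f; FileVersion = $v.FileVersionRaw.ToString() }
        }
    }
}

# Hypothetical baseline location; create it once on a host you trust.
$baselinePath = 'C:\baseline\kernel-versions.json'

$state = Get-VbsState
$state | Format-List
# A service that is configured but not running is itself a signal worth investigating.
if ($state.CredentialGuardConfigured -and -not $state.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running'
}
if ($state.HvciConfigured -and -not $state.HvciRunning) {
    Write-Warning 'HVCI is configured but not running'
}

$current = Get-KernelBinaryVersions
if (Test-Path $baselinePath) {
    $baseline = Get-Content $baselinePath | ConvertFrom-Json
    foreach ($b in $baseline) {
        $c = $current | Where-Object File -eq $b.File
        if ($c -and ([version]$c.FileVersion -lt [version]$b.FileVersion)) {
            Write-Warning "$($b.File): baseline $($b.FileVersion), found $($c.FileVersion) (older than baseline, possible downgrade)"
        }
    }
} else {
    New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content $baselinePath
    Write-Host "Baseline written to $baselinePath"
}
```

Run the script once on a freshly patched, trusted host to write the baseline, then schedule it on monitored machines; a core binary whose version is lower than the baseline, or a security service that is configured but no longer running, is the kind of evidence that the Windows Update status screen will not show.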

Stephen Pereyra, 2024-08-08 (Update: 2024-09-08)