A newly discovered security threat challenges the notion that fully-updated Windows systems are immune to vulnerabilities. Security researcher Alon Leviev from SafeBreach has unveiled a technique called a “downgrade attack,” demonstrated through a tool known as ‘Windows Downdate.’ This attack exploits flaws in the Windows Update process to perform undetectable and irreversible downgrades on critical operating system components. The technique effectively exposes systems to previously patched vulnerabilities, bypassing existing security measures.
The downgrade attack leverages design flaws within the Windows Update architecture, particularly targeting the update folder and action list components. While the update folder is protected by digital signatures, the attack exploits weaknesses in the validation of unsigned differential files. By manipulating registry keys, Leviev was able to bypass Trusted Installer protections and take control of the update process. This allows attackers to undermine Virtualization-Based Security (VBS) measures and reintroduce previously fixed vulnerabilities, including those affecting Credential Guard and Hyper-V’s hypervisor.
The implications of this discovery are significant, highlighting the need for increased research and awareness regarding OS-based downgrade attacks. Leviev’s findings emphasize the importance of scrutinizing design features within operating systems as potential attack surfaces and studying real-world attacks to identify additional vulnerabilities. This research calls for a thorough review of current security practices and mitigation strategies to address these emerging threats effectively.
In response, Microsoft has acknowledged the issue, assigning CVEs CVE-2024-21302 and CVE-2024-38202, and is actively working on developing mitigations to protect against these attacks. The company’s efforts include coordinating with the security community to enhance protection measures. As this type of attack can bypass critical security features such as Secure Boot, organizations are advised to stay informed about updates and review their security protocols to defend against these sophisticated threats.
Reference:
