LAS VEGAS — SafeBreach Labs researcher Alon Leviev is calling urgent attention to major gaps in Microsoft’s Windows Update architecture, warning that malicious hackers can launch software downgrade attacks that make the term “fully patched” meaningless on any Windows machine in the world.
During a closely watched presentation at the Black Hat conference today in Las Vegas, Leviev showed how he was able to take over the Windows Update process to craft custom downgrades on critical OS components, elevate privileges, and bypass security features.
“I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days,” Leviev said.
The Israeli researcher said he found a way to manipulate an action list XML file to push a ‘Windows Downdate’ tool that bypasses all verification steps, including integrity verification and Trusted Installer enforcement.
In an interview with SecurityWeek ahead of the presentation, Leviev said the tool is capable of downgrading essential OS components that cause the operating system to falsely report that it is fully updated.
Downgrade attacks, also called version-rollback attacks, revert an immune, fully up-to-date software back to an older version with known, exploitable vulnerabilities.
Leviev said he was motivated to inspect Windows Update after the discovery of the BlackLotus UEFI Bootkit that also included a software downgrade component and found several vulnerabilities in the Windows Update architecture to downgrade key operating components, bypass Windows Virtualization-Based Security (VBS) UEFI locks, and expose past elevation of privilege vulnerabilities in the virtualization stack.
Leviev said SafeBreach Labs reported the issues to Microsoft in February this year and has worked over the last six months to help mitigate the issue.
A Microsoft spokesperson told SecurityWeek the company is developing a security update that will revoke outdated, unpatched VBS system files to mitigate the threat. Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions, the spokesperson added.
Microsoft plans to publish a CVE on Wednesday alongside Leviev’s Black Hat presentation and “will provide customers with mitigations or relevant risk reduction guidance as they become available,” the spokesperson added. It is not yet clear when the comprehensive patch will be released.
Leviev also showcased a downgrade attack against the virtualization stack within Windows that abuses a design flaw that permitted less privileged virtual trust levels/rings to update components residing in more privileged virtual trust levels/rings.
He described the software downgrade rollbacks as “undetectable” and “invisible” and cautioned that the implications for this hack may extend beyond the Windows operating system.
UPDATE: Microsoft on Wednesday published two new advisories describing Windows vulnerabilities discovered by SafeBreach’s Leviev: CVE-2024-21302 and CVE-2024-38202.
The company said it’s developing security updates to mitigate the threat, but they are not yet available. In the meantime, it has shared guidance to help customers reduce the risks associated with the vulnerabilities.
