A security researcher has uncovered a new threat within the Windows operating system that challenges the very notion of a fully-patched system. The new threat demonstrated by the researcher-built tool ‘Windows Downdate’ allows malicious actors to bypass critical built-in security measures and expose systems to previously fixed vulnerabilities.
The technique relies on the deployment of undetectable and irreversible downgrades on critical components through the exploit of the Windows Update process.
Windows Downdate Exploits Windows Update Architecture
A researcher at SafeBreach identified the potential threat within the heart of the Windows Update process’s architecture. The Windows update flow involves several steps, including the client requesting an update, the server validating the integrity of the update folder, and the server saving an action list that is executed during the reboot process.
Researcher Alon Leviev discovered that while the update folder and the action list are subject to various security measures, there are still design flaws that can be exploited, as the integrity checks on the update folder are focused on the digitally signed catalog files, leaving the unsigned differential files as a potential attack vector.
Additionally, the researcher found that the action list, which is Trusted Installer-enforced and not directly accessible to the client, is still stored in a registry key that can be targeted. The researcher was able to carefully manipulate the registry key to bypass Trusted Installer’s protection and gain complete control over the update process.
Using this knowledge of the flaws within the Windows Update Architecture, the researcher was able to develop the Windows Downdate tool, which can take over the Windows Update process and craft fully undetectable, invisible, persistent, and irreversible downgrades on critical OS components.
The researcher’s findings are particularly concerning, as Leviev was able to bypass the Windows Virtualization-Based Security (VBS) UEFI locks, which were engineered with the intent to protect against such attacks.
The bypass allowed the researcher to downgrade the virtualization stack, including Credential Guard’s Isolated User Mode Process, Secure Kernel, and Hyper-V’s hypervisor, exposing past privilege escalation vulnerabilities.
Leviev identified several key takeaways:
- Increased awareness and research are needed: The researcher found that there was a need for increased awareness of and research into OS-based downgrade attacks, and also found no mitigations preventing the downgrade of critical OS components in Microsoft Windows.
- Design flaws can be a significant attack surface: The researcher highlighted that design features within an operating system should always be reviewed and regarded as a relevant attack surface, regardless of how old the feature may be.
- Further examination of In-the-wild attacks: Leviev emphasized the importance of studying in-the-wild attacks and using them to consider other components or areas that could also be affected.
Vendor Response and Community Collaboration
Leviev has shared the findings with Microsoft, and the company is currently investigating the issue. In the meantime, the researcher is working to raise awareness and collaborate with the broader security community to help organizations protect themselves against this emerging threat.
“We appreciate the work of SafeBreach in identifying and responsibly reporting this vulnerability through a coordinated vulnerability disclosure. We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption.” -Microsoft
Microsoft has assigned the flaws two different CVEs, CVE-2024-21302 and CVE-2024-38202 as well as shared a related security update advisory. The implications of this finding are significant, and prompt for increased awareness and research into OS-based downgrade attacks, as well as increased priority for review of the fundamental design features within an operating system, and assessment of the nature of in-the-wild attacks.
This type of attack is particularly insidious because it can bypass security measures such as Secure Boot and other security features. Earlier In 2023, the BlackLotus UEFI Bootkit employed a downgrade attack to bypass Secure Boot and gain persistence in systems.