Windows Downdate attack exploits Windows Update to ‘unpatch’ secure devices
The BlackHat hacker convention never fails to impress, and this year is no exception. Alon Leviev, a security researcher with SafeBreach Labs, gave a presentation in Las Vegas that demonstrated how the Windows Update process could be subverted to “craft custom downgrades on critical OS components” and effectively unpatch a secure machine. Say hello to the Windows Downdate attack.
In his presentation titled ‘Windows Downdate: Downgrade Attacks Using Windows Updates’, Leviev explained how his version-rollback attack reverts a fully patched Windows machine back to an older and therefore insecure version.
Leviev employed several vulnerabilities in the Windows Update process to build a tool he calls Windows Downdate that can “craft fully undetectable, invisible, persistent, and irreversible downgrades on critical OS components” so as to elevate privileges and bypass security features.
What Windows Downdate means to you
What does that mean in a real-world scenario? I hope you’re sitting down: “I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities,” Leviev said, “turning fixed vulnerabilities into zero-days and making the term ‘fully patched’ meaningless on any Windows machine in the world.”
The full technical breakdown can be found here, but these are the takeaways:
- The Windows Update vector was chosen to develop the undetectable downgrade attack as it “seemed like the least-suspicious entity” for such an exploit.
- Leviev discovered a “significant flaw” that allowed him to fully control the process.
- The Windows Downdate tool meant he could bypass all verification steps “including integrity verification and Trusted Installer enforcement”.
- Critical OS components such as dynamic link libraries (DLLs), drivers “and even the NT kernel” could be downgraded as a result.
- Future updates were blocked from being installed and “recovery and scanning tools were unable to detect issues”.
And, even without physical access to the target machine, Leviev bypassed Windows virtualization-based security (VBS), “including its features such as Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when enforced with UEFI locks”.
Microsoft’s response
Leviev disclosed the issues to Microsoft in February 2024, which resulted in two Windows vulnerabilities being confirmed: CVE-2024-21302 and CVE-2024-38202. According to an August 7 update from Microsoft, it is working on a fix but this is not yet available for either.
A Microsoft spokesperson said: “We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximised customer protection with minimized operational disruption.”