[DefCon32] Windows Downdate: Downgrade Attacks Using Windows Updates
The notion of a “fully patched” system does not survive a downgrade attack, as Alon Leviev, a self-taught security researcher at SafeBreach, shows in this talk. His examination of the Windows Update process uncovers a flaw that lets an attacker revert critical components (DLLs, drivers, the NT kernel, and the virtualization stack) to older, still Microsoft-signed but vulnerable versions. Because the downgraded files carry valid signatures, integrity checks pass, and the reintroduced bugs become privilege-escalation paths. Alon’s tool, Windows Downdate, makes the word “updated” meaningless on any machine it touches.
Alon, a former Brazilian Jiu-Jitsu champion, brings OS-internals and reverse-engineering experience to the Windows Update mechanism. His starting point was the BlackLotus UEFI bootkit, which bypassed Secure Boot by reinstalling an older boot manager; he set out to determine whether other components could be downgraded the same way. The result is a systemic design flaw in the update flow that lets an attacker who already holds administrator rights turn them into control over the kernel and hypervisor, including the ability to disable Virtualization-Based Security (VBS).
The implications are profound: a downgraded system still reports itself as fully updated, recovery and scanning tools see nothing wrong, and later updates do not reapply over the reverted files, so the machine stays exposed to thousands of already-fixed vulnerabilities.
BlackLotus and the Downgrade Threat
Alon traces the research to BlackLotus, which bypassed Secure Boot by reinstalling an older, still-signed boot manager carrying a known, already-patched flaw. Secure Boot checks that every stage of the boot chain carries a valid signature, but a patch that simply ships a newer binary leaves the old binary’s signature valid unless it is explicitly revoked, so the downgrade passed verification. That observation led Alon to ask whether the Windows Update process itself could be abused the same way.
He finds that it can. The update flow verifies that the files it installs are signed, but it does not enforce that versions only move forward, so an older signed file is as acceptable as the current one. By manipulating the update manifest that lists which files get replaced, an attacker swaps current binaries for older signed versions and reintroduces fixed vulnerabilities without any error or alert.
Compromising the Virtualization Stack
Targeting the Hyper-V hypervisor, the Secure Kernel, and Credential Guard, Alon downgrades each to versions with known privilege-escalation bugs. VBS is meant to isolate these components from even an administrator, and its UEFI lock exists so that VBS cannot be switched off by a registry change alone; yet his downgrades defeat that lock without physical access, which he presents as a first in published research.
The root cause is a design in which a less privileged ring updates a more privileged one: the update is driven from the normal kernel and user mode, which VBS treats as untrusted, yet its output replaces the hypervisor and Secure Kernel. That arrangement has persisted since VBS debuted in 2015. His demonstrations show a running hypervisor downgraded to a vulnerable build, undermining the boundary on which Windows’ security architecture rests.
Restoration Vulnerabilities
A second flaw, in the update-restore (rollback) scenario, widens the exposure. An unprivileged user can stage a rollback so that, when a restore runs, it reinstates attacker-chosen update state, and that state persists across reboots. Recovery tools do not flag it, because the system still reports itself as compliant and fully updated.
Windows Downdate automates the whole chain: given administrator rights on the target, it crafts an update that downgrades anything from a single driver to the kernel and hypervisor, while leaving the machine convinced it is current.
Industry Implications and Mitigations
The research exposes a blind spot: downgrade attacks are rarely considered in design reviews, and update mechanisms in particular are assumed trustworthy rather than examined. Alon argues that any component with the power to replace privileged code deserves the same scrutiny as the code it replaces, and that the update paths of Linux and macOS may hide comparable weaknesses and warrant a preemptive look.
The mitigations he proposes: verify not only that replacement files are signed but that they are not older than what is installed (anti-rollback), restrict which principals can drive privileged updates, and monitor for update activity that regresses file versions. The findings were reported to Microsoft before the talk; Microsoft tracks the two issues as CVE-2024-38202 (Windows Update Stack elevation of privilege) and CVE-2024-21302 (Windows Secure Kernel Mode elevation of privilege). His closing point is that patching only restores trust if the patch cannot be silently undone.
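As an added example of the monitoring mitigation (this is not code from the talk or from the Windows Downdate tool), the PowerShell below snapshots the file versions of the binaries the talk names as downgrade targets and later reports any that went backwards, alongside the VBS running state. The target list and the baseline file path are assumptions chosen for this example; extend them for your environment.

```powershell
# Added example, not code from the talk or from the Windows Downdate tool.
# Detects version regressions in the binaries the talk names as downgrade
# targets by comparing against a baseline captured on a known-good system.
# Assumptions: the target list and the baseline path in the usage lines are
# placeholders for this example; adjust both for your environment.

$Targets = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",     # NT kernel
    "$env:SystemRoot\System32\securekernel.exe", # VBS Secure Kernel (VTL1)
    "$env:SystemRoot\System32\hvix64.exe",       # Hyper-V hypervisor (Intel)
    "$env:SystemRoot\System32\hvax64.exe",       # Hyper-V hypervisor (AMD)
    "$env:SystemRoot\System32\ci.dll",           # Code Integrity
    "$env:SystemRoot\System32\skci.dll"          # Secure Kernel Code Integrity
)

function Get-TargetVersions {
    # Returns @{ path = 'major.minor.build.revision' } for every target present.
    param([string[]]$Paths)
    $versions = @{}
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }   # e.g. hvax64 absent on Intel
        $vi = (Get-Item -LiteralPath $p).VersionInfo
        # Build a [version] from the numeric parts rather than parsing the
        # FileVersion string, which can carry free-form text.
        $v = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                            $vi.FileBuildPart, $vi.FilePrivatePart)
        $versions[$p] = $v.ToString()
    }
    return $versions
}

function Save-Baseline {
    # Writes the current versions as JSON; keep this file off the host.
    param([string]$Path)
    ConvertTo-Json -InputObject (Get-TargetVersions -Paths $Targets) |
        Set-Content -LiteralPath $Path
}

function Compare-Baseline {
    # Emits one object per target whose version went backwards or vanished.
    param([string]$Path)
    $baseline = @{}
    (Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json).psobject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    $current = Get-TargetVersions -Paths $Targets
    foreach ($file in $baseline.Keys) {
        if (-not $current.ContainsKey($file)) {
            [pscustomobject]@{ File = $file; Baseline = $baseline[$file]; Current = $null; Status = 'MISSING' }
            continue
        }
        $old = [version]$baseline[$file]
        $new = [version]$current[$file]
        if ($new -lt $old) {
            [pscustomobject]@{ File = $file; Baseline = $old; Current = $new; Status = 'DOWNGRADED' }
        }
    }
}

function Get-VbsState {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 0 = off, 1 = enabled
    # but not running, 2 = running. SecurityServicesRunning contains 1 for
    # Credential Guard and 2 for HVCI when those services are active.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus       = $dg.VirtualizationBasedSecurityStatus
        ServicesRunning = $dg.SecurityServicesRunning
    }
}

# Usage: run once on a known-good build, store the file off-host, then re-run
# after each patch cycle or on a schedule.
# Save-Baseline -Path 'C:\Baselines\vbs-binaries.json'
# Compare-Baseline -Path 'C:\Baselines\vbs-binaries.json' | Format-Table -AutoSize
# Get-VbsState
```

Keep the baseline somewhere the host cannot rewrite, because a downgraded machine reports itself as fully updated and its own update history is exactly the record the attack leaves intact. A version that goes backwards, or a VBS status that drops from running while the UEFI lock policy is unchanged, is the signal to pull the machine for forensic review rather than to reinstall the missing update, which the downgraded state may silently refuse.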