Windows kernel components can be installed to bypass defense systems
Experts have discovered a method that allows cybercriminals to bypass Windows security features such as Driver Signature Enforcement (DSE) and install rootkits on fully updated systems.
A report from cybersecurity researcher Alon Leviev of SafeBreach claims that the attack is possible by downgrading certain Windows kernel components.
By hijacking the Windows Update process, scammers can add outdated, vulnerable software components, making a system appear “fully patched” even if it is not. Apparently even fully patched Windows 11 devices can be targeted this way.
Rising sophistication
The researcher claims to have reported this issue to Microsoft, but the software giant did not fix the problem, saying that no “security boundary” was crossed as an attacker would already need administrative access.
Leviev demonstrated the issue at the Black Hat and DEF CON 2024 events and shared a tool, Windows Downdate, that can create downgrades that reopen old vulnerabilities.
He claimed to have managed to downgrade patched components on Windows 11, bringing back DSE bypass and enabling the use of unsigned drivers. As a result, he was able to install rootkits that can disable security software, hide malicious activity, and more.
In his attack, Leviev replaced an important Windows file called ci.dll with an unpatched version. After replacing the file, the system must be restarted, which will make it look like a normal update. Leviev also demonstrated methods to disable or bypass Virtualization-Based Security (VBS) by changing specific settings and files, further weakening the system’s security.
Microsoft is now working on a solution to block outdated system files and prevent downgrade attacks. However, the release date is not yet set, as protection against these issues apparently requires careful testing to avoid system disruptions.
Until then, Leviev advises organizations to monitor for downgrade attacks.
Via BleepingComputer