A cybersecurity researcher has discovered a vulnerability that allows a fully patched Windows computer to roll back to an older version, potentially allowing previously patched zero-days and vulnerabilities to be exploited.
Alon Leviev presented his findings at Black Hat USA 2024 and DEF CON 32 (2024) as a tool called Windows Down Update.
Leviev says the tool can be used to “make the term ‘fully patched’ meaningless on every Windows machine in the world.”
Windows Down Update
Leviev began their journey with the goal of discovering a version rollback exploit using Windows Update as a starting point. It turned out that Windows Update had a significant flaw that allowed for a complete takeover of the update process, including downgrading Windows versions.
By also leveraging access to crucial OS components including Dynamic Link Libraries (DLLs), drivers, and the NT kernel, Leviev was able to cause the Windows machine to report that it was fully updated and that no updates could be downloaded, without the recovery and scanning tools detecting anything unusual.
Leviev subsequently discovered that the virtualization stack could also be tampered with, exposing a number of previously secure applications to previously patched privilege escalation vulnerabilities, including Credential Guard’s Isolated User Mode Process, the Secure Kernel, and Hyper-V’s hypervisor.
Finally, Windows virtualization-based security was also disabled, even when secured with UEFI locks. This also allowed Leviev to disable security features such as Credential Guard and Hypervisor-Protected Code Integrity. To Leviev’s knowledge, this is “the first time VBS’s UEFI locks have been bypassed without physical access.”
Leviev makes a number of suggestions to make operating systems less vulnerable to downgrade attacks, including:
- Investigate and implement security measures that monitor and prevent downgrades of critical OS components.
- Assessing all design features as an attack surface, even the old ones.
- Investigate attacks in the wild to evaluate if other components or areas are vulnerable to attack.