Security

New Attack Lets Hackers Downgrade Windows to Exploit Patched Flaws

October 26, 2024

3 minute read

SafeBreach Labs unveils ‘Windows Downdate,’ a new attack method which compromises Windows 11 by downgrading system components, and reviving old/ptched vulnerabilities like the DSE bypass.

In a recent research, SafeBreach Labs researcher Alon Leviev exposed a new attack technique that could compromise the security of fully patched Windows 11 systems. This technique, dubbed Windows Downdate, involves manipulating the Windows Update process to downgrade critical system components, effectively resurrecting previously patched vulnerabilities.

The attack was initially reported in August 2024 at Black Hat USA 2024 and DEF CON 32. Researchers have now published additional details to enhance public understanding of the attack.

One such vulnerability is the “ItsNotASecurityBoundary” Driver Signature Enforcement (DSE) bypass, which allows attackers to load unsigned kernel drivers. This bypass allows attackers to replace a verified security catalogue with a malicious version, enabling the loading of unsigned kernel drivers.

According to SafeBreach’s blog post shared with Hackread.com ahead of publishing on Saturday, by leveraging Windows Downdate, attackers can target specific components, such as the “ci.dll” module essential for parsing security catalogues, and downgrade them to a vulnerable state, enabling the exploitation of this bypass and gaining kernel-level privileges.

For your information, the “ItsNotASecurityBoundary” DSE bypass is part of a new class of flaws called False File Immutability (FFI), exploiting incorrect assumptions about file immutability, allowing “immutable” files to be modified by clearing the system’s working set.

Leviev outlines the steps to exploit vulnerabilities in Windows systems with different levels of Virtualization-Based Security (VBS) protection. They identified multiple ways of disabling VBS key features, including features like Credential Guard and Hypervisor-Protected Code integrity (HVCI), even with UEFI locks for the first time.

“To my knowledge, this is the first time VBS’s UEFI locks have been bypassed without physical access. As a result, I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term “fully patched” meaningless on any Windows machine in the world.”
Alon Leviev

To exploit a system without UEFI lock, an attacker must disable VBS by modifying registry settings. Once disabled, they can downgrade the ci.dll module to a vulnerable version and exploit the “ItsNotASecurityBoundary” vulnerability.

For systems with UEFI lock, the attacker must invalidate the SecureKernel.exe file to bypass VBS protection. However, VBS with UEFI Lock and “Mandatory” Flag” was the securest configuration, preventing VBS from being disabled even if the lock is bypassed. Researchers explain that currently there is no known way to exploit a system with this level of protection without physical access.

Nevertheless, this Windows Update takeover capability poses a major threat to organizations by allowing attackers to load unsigned kernel drivers, enable custom rootkits to neutralize security controls, hide processes, and maintain stealth.

Attackers can craft custom downgrades for critical OS components, including DLLs, drivers, and even the NT kernel. By downgrading these components, the attacker can expose previously patched vulnerabilities, making the system susceptible to exploitation.

To mitigate the risks, organizations should keep systems up-to-date with the latest security patches to address vulnerabilities. It is essential to deploy robust endpoint detection and response (EDR) solutions to detect and respond to malicious activity, including downgrade attempts, and implement strong network security measures to prevent unauthorized access and data breaches. In addition, enabling VBS with UEFI lock and the “Mandatory” flag can provide additional protection against attacks.