New findings presented at the Black Hat security conference in Las Vegas today reveal a vulnerability in Windows Update. The flaw can be exploited to downgrade Windows to outdated versions, exposing a host of historical vulnerabilities that could then be used to gain complete control over a system. Microsoft has acknowledged the issue and is working on a resolution process, dubbed “Downdate.”
Alon Leviev, a researcher from SafeBreach Labs who unearthed this flaw, embarked on this investigative journey after noting a disturbing hacking campaign from last year that utilized a specific type of malware called the “BlackLotus UEFI bootkit.” This malware depended on downgrading the Windows boot manager to an antiquated, vulnerable version. Through a meticulous examination of the Windows Update flow, Leviev uncovered a method to strategically downgrade Windows—be it the entire operating system or select components. Subsequently, he developed a proof-of-concept attack that leveraged this access to disable Virtualization-Based Security (VBS) in Windows and target privileged code within the core kernel of the system.
Leviev’s downgrade technique is essentially invisible, as it capitalizes on the system’s inherent trust in Windows Update itself. Speaking to WIRED, Leviev explained, “I found a downgrade exploit that is fully undetectable because it is performed by using Windows Update itself. In terms of invisibility, I didn’t uninstall any update—I basically updated the system even though under the hood it was downgraded. So the system is not aware of the downgrade and still appears up-to-date.”
The vulnerability stems from flaws in the components of the Windows Update process. When you initiate an upgrade, your PC submits a designated update folder to the Microsoft update server. The server validates that folder, creates its own secure, server-controlled update folder, and produces an action list known as “pending.xml.” This action list lays out the steps of the update plan and specifies the files to be updated. By manipulating the unsecured key “PoqexecCmdline,” Leviev was able to control the action list and, with it, the entire update process without raising any system alarms.
With this newfound control, Leviev managed to downgrade critical Windows components such as drivers, dynamic link libraries, and the NT kernel to older versions containing known vulnerabilities. He also targeted security components like Windows Secure Kernel, Credential Guard, the hypervisor, and VBS for downgrading. This technique, although requiring initial access to a victim device, could potentially expose devices to a myriad of dangerous vulnerabilities that had been previously patched by Microsoft.
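The property that makes this attack dangerous is that Windows Update still reports the system as current while individual binaries on disk have been rolled back. One defensive check that follows from the article, written here as an added example rather than anything from the researcher or from Microsoft, is to record the file versions of critical components after a known-good update and later compare what is actually on disk against that baseline. The component names are real Windows binaries, but every version string below is constructed sample data.

```python
"""Flag Windows components whose on-disk file version regressed against a baseline."""
from __future__ import annotations


def parse_version(s: str) -> tuple[int, ...]:
    """Convert a Windows-style file version such as '10.0.22621.3880' into a tuple.

    Comparing tuples of ints avoids the classic mistake of comparing version
    strings lexically, where '10.0.22621.9' would wrongly sort after '10.0.22621.10'.
    """
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {s!r}")
    return tuple(int(p) for p in parts)


def find_regressions(baseline: dict[str, str], observed: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Return {component: (baseline_version, observed_version)} for each regression.

    A component that is older than the baseline is a downgrade. A component that
    is missing entirely is reported as 'MISSING', since a silently removed
    security binary deserves the same scrutiny as a rolled-back one. Newer
    versions are not reported: a legitimate update moves versions forward.
    """
    regressions: dict[str, tuple[str, str]] = {}
    for name, base_ver in baseline.items():
        obs_ver = observed.get(name)
        if obs_ver is None:
            regressions[name] = (base_ver, "MISSING")
        elif parse_version(obs_ver) < parse_version(base_ver):
            regressions[name] = (base_ver, obs_ver)
    return regressions


# Constructed sample data: a baseline captured after a good update, and a later
# snapshot in which the secure kernel was rolled back and ci.dll has vanished.
BASELINE = {
    "ntoskrnl.exe": "10.0.22621.3880",
    "securekernel.exe": "10.0.22621.3880",
    "hvix64.exe": "10.0.22621.3880",
    "ci.dll": "10.0.22621.3880",
}
OBSERVED = {
    "ntoskrnl.exe": "10.0.22621.3880",
    "securekernel.exe": "10.0.22621.1",
    "hvix64.exe": "10.0.22621.4000",
}

if __name__ == "__main__":
    for name, (base, obs) in find_regressions(BASELINE, OBSERVED).items():
        print(f"REGRESSION {name}: baseline {base}, on disk {obs}")
```

In practice the observed map would be populated from the actual file version resources of the binaries, and the baseline stored somewhere the local system cannot rewrite, since the whole point of the attack is that the system's own view of its update state is no longer trustworthy.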
Microsoft, for its part, is actively developing mitigations against these risks. It is conducting a comprehensive investigation, updating affected versions, and running compatibility testing to ensure maximum customer protection with minimal operational disruption. A Microsoft spokesperson stated that there haven’t been any reported attempts to exploit this technique.
Leviev stresses the significance of downgrade attacks as a looming threat for the developer community. As cybercriminals constantly search for covert ways into target systems, it’s crucial to remain vigilant and proactive in addressing these vulnerabilities.