“Windows Downdate” Attack: Zero-Days Make “Fully Patched” Windows Systems Vulnerable Again
Black Hat 2024 Revelation
At Black Hat 2024, SafeBreach security researcher Alon Leviev unveiled two zero-day vulnerabilities that allow threat actors to perform downgrade attacks on fully updated Windows systems, effectively reintroducing old vulnerabilities.
Vulnerability Overview
Microsoft, in coordination with the Black Hat talk, issued advisories for the two unpatched zero-days, tracked as CVE-2024-38202 and CVE-2024-21302, offering mitigation strategies until official patches are released.
Downgrade Attack Mechanism
In a downgrade attack, attackers force a target device to roll back to older software versions. This reopens previously fixed vulnerabilities, making even fully updated systems susceptible to exploitation.
Discovery and Exploitation
Alon Leviev discovered that the Windows update process could be abused to downgrade essential OS components such as dynamic link libraries (DLLs) and the NT kernel. Despite the downgrades, the system misleadingly reports itself as fully updated, and recovery and scanning tools fail to detect that anything is wrong.
Key Components at Risk
Leviev was able to downgrade critical security components like Credential Guard’s Secure Kernel and Hyper-V’s hypervisor, exposing the system to previously fixed privilege escalation vulnerabilities. Notably, he bypassed Windows virtualization-based security (VBS) and UEFI locks without physical access, a feat previously considered impossible.
Microsoft’s Response
Microsoft acknowledged the vulnerabilities and expressed appreciation for SafeBreach’s responsible disclosure. The company is working on updates to mitigate these attacks but noted that it will take time to implement and test the fixes across all affected versions.
Ongoing Risk and Mitigations
While Microsoft works on a comprehensive fix, the company advises users to implement mitigation measures shared in the newly published security advisories. Currently, there is no evidence that these vulnerabilities are being exploited in the wild.
Significance of the Discovery
Leviev’s findings suggest that the concept of a “fully patched” Windows system may be illusory, as downgrade attacks could potentially render any Windows machine vulnerable to past exploits. This discovery has broad implications, not just for Microsoft but for other operating systems that could be susceptible to similar downgrade attacks.
Microsoft’s Future Plans
To address these risks, Microsoft is developing an update to revoke outdated, vulnerable system files used by Virtualization Based Security (VBS). However, due to the complexity and the number of files involved, this update will require extensive testing before deployment.
Source: bleepingcomputer.com