What just happened? Another day, another security flaw discovered in Microsoft Windows. The latest arrives courtesy of research presented at the Black Hat security conference, which revealed a design flaw in the Windows Update architecture that allows critical OS components to be downgraded by manipulating the update process.
A significant vulnerability in the Microsoft Windows update process was unveiled at the Black Hat security conference. Alon Leviev, a researcher from SafeBreach, showcased a method to exploit the Windows update process, enabling attackers to downgrade systems to earlier versions. This reintroduces vulnerabilities that have already been patched in current versions of Windows.
The flaw involves crafting a custom downgrading action list that is added to the Windows registry. Because the Trusted Installer does not validate this list, the system is tricked into accepting outdated and vulnerable system files.
By renaming a folder, the attack bypasses virtualization-based security (VBS), allowing control over update actions such as file creation, deletion, and registry modification. Because the changes are applied through the update mechanism itself, the attack appears to be a legitimate update and is not detected by standard security tools.
Once the Secure Kernel or hypervisor is downgraded, the attacker can disable VBS, bypass UEFI locks, and extract credentials, even on systems with protections such as Credential Guard and Windows Defender enabled.
The attack facilitates privilege escalation from Administrator to kernel level and further into the hypervisor, granting attackers access to all isolated environments and the ability to exploit past vulnerabilities in the virtualization stack.
The research found no existing downgrade mitigation in the virtualization stack, leaving the entire system vulnerable. This flaw underscores a broader issue that could potentially affect other operating systems as well.
Microsoft has acknowledged the vulnerability and is working on mitigations. However, a fix is complex due to the design flaw affecting multiple sub-programs. It could also take some time as rigorous testing is necessary to avoid integration failures or regressions. The good news is that Microsoft says it has not observed any exploitation of this vulnerability in the wild yet.
SafeBreach Labs responsibly disclosed the findings to Microsoft in February 2024. Leviev suggests that both vendors and researchers explore new attack vectors to prevent similar vulnerabilities.
The researcher also criticized Microsoft's approach of only patching specific vulnerabilities rather than redesigning programs to eliminate entire classes of attacks. Meanwhile, in response to other security issues, Microsoft has pledged to integrate security performance into employee evaluations to improve overall security measures.