Black Hat
Techniques to forcibly remove security patches from Windows machines, so that already-fixed vulnerabilities become exploitable again, were demonstrated this week.
These methods are a handy means for rogue users, intruders, and malware that already have a presence on a victim's computer to remove updates supplied by Microsoft so that old bugs can be abused to fully hijack the box, possibly without even setting off any threat-detection tools.
It appears you must already have administrative access, or be able to make a privileged account complete some steps, to pull these attacks off. If you have that kind of access, you can already do a lot of damage and steal a lot of things from the system, so we can't see this research being that devastating for most people.
Still, some miscreants out there might find it useful to really drill into and persist quietly in a target's environment, plus it reveals more about the inner workings of Windows, and so it's arguably worth pointing it out to folks.
The approach was developed by Alon Leviev, a researcher at infosec biz SafeBreach, and revealed at the Black Hat conference in Las Vegas. It was inspired by the BlackLotus UEFI bootkit, which downgraded the Windows boot manager to an exploitable version so that Secure Boot could be bypassed.
"I found a way to take over Windows updates to update the system, but with control over all of the actual update contents," Leviev told us in an interview prior to his event talk. "I was able to downgrade the OS kernel, DLLs, drivers … basically everything that I wanted."
That forcible unauthorized downgrade can be performed against Windows 10 and 11 and Windows Server editions, plus the operating system's virtualization support.
"The entire virtualization stack is vulnerable to downgrades as well," Leviev told us. "It's simple to downgrade credential guard, the secure kernel, and even the hypervisor itself, and compromising the hypervisor gives even more privilege than the kernel, which makes it even more valuable."
What's more, we're told, it's stealthy. "It is fully undetectable because it's performed in the most legitimate way [and] is invisible because we didn't install anything - we updated the system," Leviev told us.
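The stealth claim is the practical problem for defenders: a box downgraded through the update machinery still reports its current patch level, so asking Windows Update "are you patched?" tells you nothing. A cheap host-level check is to record the file versions actually stamped into the components Leviev says can be rolled back (kernel, secure kernel, hypervisor, Credential Guard's isolated LSA, code integrity) right after a known-good patch cycle, and later flag any that has gone backwards. The following PowerShell is an added example written for this article, not code from SafeBreach, Windows Downdate or Microsoft's advisories; the component list, the baseline path and the System32 locations are assumptions to adjust for your own estate.

```powershell
# Added example (not from the SafeBreach research or Microsoft's advisories).
# Snapshot the PE file versions of components Windows Downdate is said to roll
# back, then detect any that later regress. Component list and baseline path are
# assumptions. Run from an elevated PowerShell 5.1 / 7 prompt.

$Sys = "$env:SystemRoot\System32"
$Components = @(
    "$Sys\ntoskrnl.exe",       # NT kernel
    "$Sys\securekernel.exe",   # VBS secure kernel
    "$Sys\hvix64.exe",         # Hyper-V hypervisor, Intel hosts
    "$Sys\hvax64.exe",         # Hyper-V hypervisor, AMD hosts
    "$Sys\lsaiso.exe",         # Credential Guard isolated LSA
    "$Sys\ci.dll",             # code integrity
    "$Sys\ntdll.dll",
    "$Sys\win32k.sys"
)

function Get-ReportedBuild {
    # The patch level Windows *claims*; this is what Windows Update trusts.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]"10.0.$($cv.CurrentBuildNumber).$($cv.UBR)"
}

function Get-ComponentVersions {
    # Build the version from the numeric parts: the FileVersion string carries a
    # "(WinBuild...)" suffix that [version] would reject.
    $out = @{}
    foreach ($p in $Components) {
        if (-not (Test-Path $p)) { continue }   # e.g. hvax64.exe is absent on Intel
        $vi = (Get-Item $p).VersionInfo
        $out[$p] = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                  $vi.FileBuildPart, $vi.FilePrivatePart)
    }
    $out
}

function Save-Baseline([string]$Path) {
    # Take this right after a known-good patch cycle and keep a copy OFF the host:
    # anyone who can downgrade the kernel can also rewrite a local baseline.
    $snap = [ordered]@{
        Reported   = (Get-ReportedBuild).ToString()
        Components = @{}
    }
    foreach ($kv in (Get-ComponentVersions).GetEnumerator()) {
        $snap.Components[$kv.Key] = $kv.Value.ToString()
    }
    $snap | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Compare-Baseline([string]$Path) {
    # A component whose version went DOWN relative to the baseline is a finding.
    # Equality is normal: not every binary is rebuilt in every cumulative update,
    # so comparing each file against the OS UBR alone would false-positive.
    $base = Get-Content $Path -Raw | ConvertFrom-Json
    $now  = Get-ComponentVersions
    $findings = @()
    foreach ($prop in $base.Components.PSObject.Properties) {
        $path = $prop.Name
        if (-not $now.ContainsKey($path)) { continue }
        $was = [version]$prop.Value
        $is  = $now[$path]
        if ($is -lt $was) {
            $findings += [pscustomobject]@{
                Component = $path; Baseline = $was; Current = $is
                # Downgraded files are still genuine Microsoft binaries, so the
                # Authenticode status will read "Valid" and proves nothing here.
                Signature = (Get-AuthenticodeSignature $path).Status
            }
        }
    }
    [pscustomobject]@{
        ReportedBuild = Get-ReportedBuild
        BaselineBuild = [version]$base.Reported
        Regressed     = $findings
    }
}

# Usage:
#   Save-Baseline    -Path C:\ProgramData\patch-baseline.json   # after patching
#   Compare-Baseline -Path C:\ProgramData\patch-baseline.json   # on a schedule
```

Two caveats follow from the article itself. First, the downgraded binaries are real, signed Microsoft files, so signature validation is not a detection; only the version regression is. Second, a check that runs on the host it is checking can be lied to by code that already owns that host's kernel, which is exactly the access the technique presumes; treat this as a tripwire to run from a management agent against an off-host baseline, not as proof of integrity.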
Response
The SafeBreach bod tipped off Microsoft six months ago about the weaknesses he found, and the IT giant, to coincide with his conference presentation on Wednesday, issued two out-of-band advisories. The Windows maker has yet to formulate a full fix for the security holes Leviev discovered, and is for now alerting customers.
"We appreciate the work of SafeBreach in identifying and responsibly reporting this vulnerability through a coordinated vulnerability disclosure," Microsoft said in a statement.
"We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption.”
The first advisory from Redmond, tracked as CVE-2024-38202, tackles what Microsoft has accepted is an elevation-of-privilege vulnerability in the Windows Update Stack. It reads:
Thus, it's possible to force a system to undo its updates, so that it's exploitable again.
Redmond recommends users check out the above advisory for more details on how to mitigate this threat. The IT giant indicated that although the flaw can be triggered by a non-privileged, non-administrator user, the forced, unauthorized rollback of updates still depends on a privileged account carrying out additional steps.
"An attacker attempting to exploit this vulnerability requires additional interaction by a privileged user to be successful," Microsoft pointed out.
Next, there's CVE-2024-21302, described by Microsoft as a Windows secure kernel mode elevation-of-privilege vulnerability. This requires admin rights to execute. We're told:
A proof-of-concept tool to pull all this off, called Windows Downdate, was developed by Leviev and introduced at Black Hat. Presumably it'll be made available so that folks can assess how vulnerable they are to these shortcomings. The researcher published his findings in full here if you're interested. ®