Windows Update Vulnerabilities Exploited for Downgrade Attacks
New research presented at the Black Hat security conference in Las Vegas reveals a troubling vulnerability in Windows Update that can be exploited to downgrade Windows to an older version. This downgrade exposes a range of historical vulnerabilities that can then be used to gain full control over the system. Microsoft has acknowledged the issue and is working on a solution known as “Downdate.”
The Discovery of Downgrade Attacks
SafeBreach Labs researcher Alon Leviev discovered the flaw by exploring the Windows update process. He found a method to strategically downgrade Windows, either in its entirety or by targeting specific components. Leviev developed a proof-of-concept attack that exploited this access to disable Windows protection mechanisms, ultimately targeting high-privileged computers running core kernel code.
Leviev explained, “I discovered a downgrade vulnerability that was completely undetectable because it was performed using Windows Update itself. The system remained unaware of the downgrade and continued to appear as up-to-date.”
The Technical Details of the Attack
Leviev’s downgrade capabilities stem from a flaw in the Windows update process. By manipulating a key component called “PoqexecCmdline,” he found a way to downgrade key elements of Windows to older versions containing known vulnerabilities. These components include drivers, dynamic link libraries, and the NT kernel.
With this control, Leviev was able to target Windows security elements like Windows Security Core, Credential Guard, and the virtual machine hypervisor. While this technique does not grant remote access, it poses a significant threat for attackers who already have initial access to the system.
Response from Microsoft
Microsoft is actively working on mitigations to address these risks. Part of the fix involves undoing vulnerable system files, a process that must be executed carefully to avoid integration issues. The company is committed to protecting customer security and minimizing operational disruptions.
Leviev emphasized the importance of addressing downgrade attacks as a stealthy and difficult-to-detect threat for the developer community. As hackers continue to find new ways into systems, understanding and mitigating these vulnerabilities is crucial for maintaining system security.