Published: Aug 09, 2024
Key Takeaways:
- A newly discovered vulnerability in Windows Update allows attackers to downgrade critical OS components.
- This security flaw makes fully patched systems susceptible to thousands of previously fixed vulnerabilities.
- Microsoft is actively working on mitigations and advises users to follow security recommendations to reduce the risk of exploitation.
Cybersecurity researchers have uncovered critical vulnerabilities in Windows Update that could be exploited to downgrade Windows PCs to older, insecure versions. These zero-day flaws could allow attackers to gain complete control over a system.
SafeBreach security researcher Alon Leviev discovered this vulnerability and unveiled it at the Black Hat conference in Las Vegas. He developed a proof-of-concept tool called “Windows Downdate” that can compromise the Windows Update process and downgrade critical OS components like dynamic link libraries (DLLs) and the NT Kernel.
“I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term ‘fully patched’ meaningless on any Windows machine in the world,” Leviev explained in a SafeBreach post. “After these downgrades, the OS reported that it was fully updated and was unable to install future updates, while recovery and scanning tools were unable to detect issues.”
The SafeBreach researcher also discovered that this exploit could target the entire virtualization stack in Windows. Leviev successfully downgraded Hyper-V’s hypervisor, Credential Guard’s Isolated User Mode Process, and the Secure Kernel. He also identified multiple methods to disable Windows’ Virtualization-Based Security (VBS).
The researcher initially reported these zero-day vulnerabilities to Microsoft in February 2024. The first security flaw, identified as CVE-2024-38202, is an elevation-of-privilege vulnerability in the Windows Update Stack. It could allow hackers to expose Windows to previously resolved vulnerabilities and disable certain Virtualization-Based Security features.
The second flaw, identified as CVE-2024-21302, is an elevation-of-privilege vulnerability found in Windows PCs that support Virtualization-Based Security (VBS). This flaw could allow cybercriminals to replace the latest Windows system files with outdated versions.
Fortunately, Microsoft found that these security vulnerabilities have not yet been exploited in the wild. The company urges customers to follow the recommendations outlined in its security advisories to minimize the risk of exploitation.
“We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption,” a Microsoft spokesperson said in a statement to WIRED.
Microsoft also plans to release an update to help users mitigate the attack by revoking unpatched Virtualization-Based Security (VBS) system files. However, the company will need additional time to thoroughly test the update, as the process may lead to integration issues and other complications.