Microsoft this month has released mitigations for a bug in the Windows Update process that could allow attackers to replace system files with vulnerable versions to circumvent security protections and execute arbitrary code.
The issue was flagged in August by SafeBreach Labs researcher Alon Leviev, who demonstrated at the Black Hat conference in Las Vegas how changing a registry key that holds the executable responsible for parsing the list of files to be modified during an update, along with the path to that list, gives an attacker control over the update actions.
The attack is fully undetectable, as it is performed in a legitimate way; invisible, as the system would still show as being up-to-date; persistent, enabling the false installation of new, empty updates; and irreversible, as the integrity and repair utility SFC.exe could be modified to no longer detect corruptions.
The attack, referred to as Windows Downdate, allows an attacker to downgrade critical operating system components, including DLLs, drivers, and the kernel, to install rootkits and take full control over the machine.
Using Downdate, Leviev disabled virtualization-based security (VBS), the secure and isolated virtual environment implemented to improve Windows security, which is itself protected from modifications by UEFI lock. He did so after discovering that the system would abandon VBS during boot if it failed to validate one of its files.
“As a result, I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term ‘fully patched’ meaningless on any Windows machine in the world,” Leviev notes in a follow-up report providing technical details on how VBS can be bypassed.
His exploit targets a previously described False File Immutability (FFI) issue in Windows that allows attackers to inject code into in-use executables by relying on network redirectors to modify DLLs server-side, and which remains undetected because page hashes are not enforced for Protected Process Light (PPL). The bug was resolved in May 2024.
Leviev now says he discovered means to turn off VBS and bypass its protections regardless of whether it has been enabled with UEFI lock. However, if VBS is enabled with UEFI lock and has a ‘Mandatory’ flag set, it cannot be bypassed, as a boot failure would be triggered if VBS’s files are corrupted.
According to Leviev, most Windows systems are likely susceptible to exploitation, because the ‘Mandatory’ flag is not automatically set when UEFI lock is enabled, and because it was officially documented only in September 2024.
In August, Microsoft acknowledged the issues flagged by Leviev, tracked as CVE-2024-21302 and CVE-2024-38202, noting that attackers with administrative privileges could exploit them to perform downgrade attacks, reverting fully up-to-date systems to older versions containing exploitable vulnerabilities.
In August, the tech giant said that patches for CVE-2024-21302 were not ready, noting that “due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions.”
However, the tech giant did roll out an opt-in revocation policy mitigation to address this vulnerability and published guidance on how the rollback of VBS-related security updates can be blocked.
On October 8, the company updated the advisory for the second vulnerability, CVE-2024-38202, to announce that patches for it have been rolled out, but noted that additional steps may be required to fully protect systems, depending on the Windows iteration they are running.
“A security researcher informed Microsoft of an elevation of privilege vulnerability in Windows Update potentially enabling an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of VBS. For exploitation to succeed, an attacker must trick or convince an Administrator or a user with delegated permissions into performing a system restore which inadvertently triggers the vulnerability,” Microsoft notes in its advisory.