Windows 'Downdate' Attack Reverts Patched PCs to a Vulnerable State

Source: willi Lumintang via Shutterstock

Fully patched Windows 11 systems are vulnerable to attacks that allow an adversary to install custom rootkits that can neutralize endpoint security mechanisms, hide malicious processes and network activity, maintain persistence and stealth on a compromised system, and more.

The assault involves a Windows OS downgrade attack technique that SafeBreach security researcher Alon Leviev demonstrated at Black Hat USA 2024 in August, and for which he developed an exploit tool called Windows Downdate. Leviev showed how an attacker, with admin-level access to a system, could tamper with the Windows Update process and revert fully patched Windows components, including dynamic link libraries, drivers, and the kernel, back to a previously vulnerable state.

Windows OS Downgrade Attack

As part of the demo, the researcher showed how the attack would work even in situations where an organization might have enabled virtualization-based security (VBS) to protect critical OS components. As part of the demo, Leviev downgraded VBS features like Secure Kernel and Credential Guard’s Isolated User Mode Process to expose privilege escalation vulnerabilities in them that Microsoft had previously already addressed.

“I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term ‘fully patched’ meaningless on any Windows machine in the world,” Leviev wrote in August.

Since then, Microsoft has patched two vulnerabilities (CVE-2024-21302 and CVE-2024-38202) that Leviev reported to the company after discovering and exploiting them as part of his attack chain. However, Microsoft has so far not addressed the ability for an attacker with admin access to abuse the Windows Update process itself to downgrade critical OS components back to insecure states.

Not a Security Vulnerability?

The issue has to do with Microsoft refusing to consider the ability for an admin-level user to gain kernel code execution as crossing a security boundary. “Microsoft did fix every vulnerability that resulted from crossing a defined security boundary,” Leviev tells Dark Reading. “Crossing from administrator to the kernel is not considered a security boundary, and hence it was not fixed.”

To show why that remains a threat, Leviev on Oct. 26 released details of a new Windows downgrade attack he developed, where he used his Windows Downdate tool to revive a driver signature enforcement (DSE) bypass attack that Microsoft had mitigated with its patch for CVE-2024-21302. He showed how an attacker could abuse the issue to load unsigned kernel drivers and deploy bespoke rootkits.

"The ‘ItsNotASecurityBoundary’ DSE bypass belongs to a new class of flaws known as False File Immutability (FFI)" that researchers at Elastic Security reported earlier this year, Leviev wrote in his Oct. 26 post. “This class exploits incorrect assumptions about file immutability — specifically, that blocking write access sharing makes a file immutable.”

Leviev says that all he had to do to execute the attack was to identify the specific OS module (CI.dll) to which Microsoft had applied the patch for CVE-2024-21302, and then use his Downdate tool to downgrade the module back to its unpatched version.

“Downgrading only ci.dll to its unpatched version works well against a fully patched Windows 11 23h2 machine,” Leviev wrote on Oct. 26. The researcher added he was able to exploit the issue even when VBS was enabled, with and without UEFI lock for securing the boot process and firmware configuration. “To fully mitigate the attack, VBS needs to be enabled with UEFI lock and the ‘Mandatory’ flag. Otherwise, it would be possible for an attacker to disable VBS, downgrade ci.dll, and successfully exploit the flaw,” he noted.

In an emailed comment, Tim Peck, senior threat researcher at Securonix, described the Windows Downdate attacks as taking advantage of Windows not always validating the version numbers of its DLLs when loading them. This enables “attackers to trick the operating system (OS) into using outdated files that are more susceptible to exploitation,” he explained. “If the attacker is able to downgrade Windows Defender, especially in regards to security updates, they would have free rein to execute malicious files or tactics that would normally have been caught.”

Microsoft Is Now Working on a Fix

A Microsoft spokesman noted in an email that the company is “actively developing mitigations to protect against these risks,” without specifying what measures it might be taking or when they would be available. The company is thoroughly investigating update development and compatibility development, he wrote.

“We are developing a security update that will revoke outdated, unpatched VBS system files to mitigate this threat,” he wrote. “Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions.”

Microsoft will also continue to update information around CVE-2024-21302, he wrote, with additional mitigation or relevant risk reduction guidance as they become available.

About the Author

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master’s degree in Statistics and lives in Naperville, Ill.