Windows Downgrade Attack Risks Exposing Patched Systems to Old Vulnerabilities


The Hacker News


Microsoft said it is developing security updates to address two loopholes that it said could be abused to stage downgrade attacks against the Windows update architecture and replace current versions of the operating system files with older versions.

The two vulnerabilities are:

  • CVE-2024-38202 (CVSS score: 7.3) - Windows Update Stack Elevation of Privilege Vulnerability
  • CVE-2024-21302 (CVSS score: 6.7) - Windows Secure Kernel Mode Elevation of Privilege Vulnerability

Credited with discovering and reporting the flaws is SafeBreach Labs researcher Alon Leviev, who presented the findings at Black Hat USA 2024 and DEF CON 32.

CVE-2024-38202, which is rooted in the Windows Backup component, allows an “attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS),” the tech giant said.

Microsoft, however, noted that an attacker attempting to exploit the flaw would first have to convince an Administrator, or a user with delegated permissions, to perform a system restore, which inadvertently triggers the vulnerability.

The second vulnerability also concerns a case of privilege escalation in Windows systems that support VBS, effectively allowing an adversary to replace current versions of Windows system files with outdated versions.

The consequences of CVE-2024-21302 are that it could be weaponized to reintroduce previously addressed security flaws, bypass some features of VBS, and exfiltrate data protected by VBS.

Leviev, who detailed a tool dubbed Windows Downdate, said it could be used to turn a “fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term ‘fully patched’ meaningless on any Windows machine in the world.”

The tool, Leviev added, could “take over the Windows Update process to craft fully undetectable, invisible, persistent, and irreversible downgrades on critical OS components—that allowed me to elevate privileges and bypass security features.”

Furthermore, Windows Downdate is capable of bypassing verification steps such as integrity verification and Trusted Installer enforcement, effectively making it possible to downgrade critical operating system components, including dynamic link libraries (DLLs), drivers, and the NT kernel.

On top of that, the issues could be exploited to downgrade Credential Guard's Isolated User Mode process, the Secure Kernel, and Hyper-V's hypervisor to expose past privilege escalation vulnerabilities, as well as to disable VBS and features that depend on it, such as Hypervisor-Protected Code Integrity (HVCI).

The net result is that a completely patched Windows system could be rendered susceptible to thousands of past vulnerabilities and turn fixed shortcomings into zero-days.

These downgrades have an added impact in that the operating system reports that the system is fully updated, while simultaneously preventing the installation of future updates and inhibiting detection by recovery and scanning tools.
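The practical consequence of that last point is that a defender cannot rely on the update status Windows reports; the only trustworthy signal is the version actually present on disk for each critical component. The following Python is an added example (not code from the article, SafeBreach or Microsoft) of that check: it compares a collected inventory of component file versions against an off-host baseline and flags anything older than expected, independently of what Windows Update claims. The file paths are real Windows locations, but every version number is a constructed placeholder, and the collection step itself is assumed to have happened elsewhere (on Windows, `(Get-Item $path).VersionInfo.FileVersion` in PowerShell yields the strings this code parses).

```python
import re
from typing import Dict, List, Tuple

# Constructed baseline: the minimum file version you expect for each
# component after the last update cycle. The numbers are placeholders,
# not real build numbers; in practice you would record them from a
# freshly patched reference machine or the update's manifest and keep
# the table off the host being checked.
BASELINE: Dict[str, str] = {
    r"C:\Windows\System32\ntoskrnl.exe": "10.0.22621.4000",
    r"C:\Windows\System32\securekernel.exe": "10.0.22621.4000",
    r"C:\Windows\System32\hvix64.exe": "10.0.22621.4000",
    r"C:\Windows\System32\ci.dll": "10.0.22621.4000",
}

# Constructed inventory as a collector might return it from one host:
# the Secure Kernel has been rolled back, the hypervisor is newer than
# the baseline, and ci.dll was not collected at all.
SAMPLE_INVENTORY: Dict[str, str] = {
    r"C:\Windows\System32\ntoskrnl.exe": "10.0.22621.4000 (WinBuild.160101.0800)",
    r"C:\Windows\System32\securekernel.exe": "10.0.22621.1000 (WinBuild.160101.0800)",
    r"C:\Windows\System32\hvix64.exe": "10.0.22621.4200",
}

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a FileVersion string into a comparable tuple of integers.

    Windows reports versions such as '10.0.22621.4000' or
    '10.0.22621.4000 (WinBuild.160101.0800)'; only the leading dotted
    numbers are significant. Raises ValueError if no version is present.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unparseable version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Pad to four fields so '10.0.22621' compares equal to '10.0.22621.0'.
    return parts + (0,) * (4 - len(parts))


def find_downgrades(
    inventory: Dict[str, str], baseline: Dict[str, str]
) -> Tuple[Dict[str, Tuple[str, str]], List[str]]:
    """Return (downgraded, missing).

    downgraded maps path -> (observed, expected) for every component whose
    on-disk version is older than the baseline. missing lists baseline
    components absent from the inventory; those were not verified and
    deserve a look too, rather than being silently treated as fine.
    """
    downgraded: Dict[str, Tuple[str, str]] = {}
    missing: List[str] = []
    for path, expected in baseline.items():
        observed = inventory.get(path)
        if observed is None:
            missing.append(path)
            continue
        if parse_version(observed) < parse_version(expected):
            downgraded[path] = (observed, expected)
    return downgraded, missing


def is_consistent_with_fully_patched(
    inventory: Dict[str, str], baseline: Dict[str, str]
) -> bool:
    """True only if nothing is downgraded and every component was checked."""
    downgraded, missing = find_downgrades(inventory, baseline)
    return not downgraded and not missing


if __name__ == "__main__":
    found, unchecked = find_downgrades(SAMPLE_INVENTORY, BASELINE)
    for path, (seen, want) in found.items():
        print(f"DOWNGRADED  {path}: {seen} < {want}")
    for path in unchecked:
        print(f"NOT CHECKED {path}")
    print("consistent with fully patched:",
          is_consistent_with_fully_patched(SAMPLE_INVENTORY, BASELINE))
```

The comparison is deliberately one-directional: a component newer than the baseline is not an alarm, only one older than it is, and a component the collector could not read is reported separately rather than assumed good, since an inventory that silently skips the Secure Kernel or hypervisor would miss exactly the components this research targets.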

“The downgrade attack I was able to achieve on the virtualization stack within Windows was possible due to a design flaw that permitted less privileged virtual trust levels/rings to update components residing in more privileged virtual trust levels/rings,” Leviev said.

“This was very surprising, given Microsoft’s VBS features were announced in 2015, meaning the downgrade attack surface I discovered has existed for almost a decade.”

