A newly discovered vulnerability in Windows Update could allow attackers to downgrade Windows systems to older, insecure versions. The flaw, dubbed ‘Downdate’, could expose millions of computers to a host of historical vulnerabilities, enabling hackers to seize control of affected systems.
The research was prompted by an earlier campaign that used the BlackLotus UEFI bootkit, a type of malware that downgrades the Windows boot manager to an older, more vulnerable version. Intrigued by the potential for broader exploitation, researchers delved into the Windows Update process and identified a way to systematically downgrade Windows, either entirely or by targeting specific components.
The flaw lies in the intricate process that Windows Update follows to apply system upgrades. Normally, when a user initiates an update, the system creates a request in a designated folder.
This request is then verified by Microsoft’s update server, which generates a separate, secure folder containing the necessary update files and an action list known as ‘pending.xml’, which dictates the update sequence.
“With a research goal of developing an undetectable downgrade flow for Microsoft Windows, the Windows Update process seemed like the least suspicious entity through which I might execute such an attack. As I explored the intricacies of the Windows Update process, I discovered a significant flaw that allowed me to take full control of the process,” explained security researcher Alon Leviev. “As a result, I created Windows Downdate, a tool that implemented downgrading updates and bypassed all verification steps, including integrity verification and Trusted Installer enforcement.”
Although the server-controlled update folder is intended to be tamper-proof, researchers found a loophole. One key element, ‘PoqexecCmdline’, was left unprotected, allowing researchers to alter the action list without triggering any security alarms.
This manipulation enables an attacker to downgrade critical Windows components, including drivers, system libraries, and even the NT kernel, which is the heart of the operating system.
By exploiting this vulnerability, attackers could effectively roll back the clock on a Windows system, reintroducing a range of vulnerabilities that Microsoft has patched over the years. One of the most concerning flaws is the ability to disable Virtualisation-Based Security (VBS), a critical Windows feature designed to protect the operating system’s kernel from malicious code.
While not providing initial access to a target system, this technique can significantly enhance the capabilities of an attacker who has already infiltrated a network.
What makes the attack particularly alarming is that it rides on the trusted, low-profile Windows Update process: it can operate undetected, leaving the system appearing up to date while a downgrade is introduced.
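Because a downgraded machine still reports itself as up to date, a defender cannot rely on Windows Update’s own status; one practical check is to compare the actual versions of core components, and the VBS state, against a baseline recorded earlier. The following PowerShell script is an added example, not code from the article or from the Windows Downdate tool; the baseline file path and the list of watched files are assumptions chosen for illustration.

```powershell
# Added example (not the article's or the researcher's code). Records the file versions of
# a few core Windows components plus the VBS status, and flags any component whose version
# has gone DOWN since the baseline was written. Paths and file list are assumptions.
param(
    [string]$BaselinePath = "$env:ProgramData\downgrade-baseline.json",  # assumed location
    [switch]$WriteBaseline
)

$components = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",      # NT kernel
    "$env:SystemRoot\System32\securekernel.exe",  # secure kernel used by VBS
    "$env:SystemRoot\System32\ci.dll",            # code integrity
    "$env:SystemRoot\System32\ntdll.dll"
)

function ConvertTo-Version([string]$fileVersion) {
    # FileVersion reads like "10.0.22621.3880 (WinBuild.160101.0800)"; keep the numeric part
    return [version](($fileVersion -split '\s')[0])
}

function Get-ComponentState {
    $state = @{}
    foreach ($path in $components) {
        if (Test-Path $path) { $state[$path] = (Get-Item $path).VersionInfo.FileVersion }
    }
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $state["VBS"] = $dg.VirtualizationBasedSecurityStatus   # 2 means VBS is running
    return $state
}

$current = Get-ComponentState
if ($WriteBaseline) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
foreach ($path in $components) {
    if (-not $baseline.$path -or -not $current[$path]) { continue }
    $old = ConvertTo-Version $baseline.$path
    $new = ConvertTo-Version $current[$path]
    if ($new -lt $old) { Write-Warning "$path rolled back: $old -> $new" }
}
if ($baseline.VBS -eq 2 -and $current["VBS"] -ne 2) {
    Write-Warning "VBS was running at baseline time but is not running now"
}
```

Run once with `-WriteBaseline` on a known-good machine, then periodically without it; the check only catches regressions relative to that baseline, so store the baseline somewhere an attacker who already controls the host cannot simply rewrite.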
Microsoft has acknowledged the vulnerability and is actively working on a solution. The company emphasised the complexity of the patching process, which involves revoking vulnerable files without causing further disruptions. Ahead of the complete fix, Microsoft published two CVEs, CVE-2024-21301 and CVE-2024-38002, to cover the attack in the interim.
“We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing to ensure maximised customer protection, with minimised operations disruption,” a Microsoft spokesperson told Wired.
The fix’s delicate nature means it will take time to implement. Microsoft’s approach involves carefully revoking compromised VBS system files, which must be handled precisely to avoid reintroducing previously resolved issues.