Your victim's Windows PC fully patched? Just force undo its updates and exploit away

This guy showed the world how – with the right level of access

Black Hat Techniques to forcibly remove security patches from Windows machines so that fixed vulnerabilities are exploitable again were demonstrated this week.

These methods are a handy means for rogue users, intruders, and malware that already have a presence on a victim's computer to remove updates supplied by Microsoft so that old bugs can be abused to fully hijack the box, possibly without even setting off any threat-detection tools.

It appears you must already have administrative access, or be able to make a privileged account complete some steps, to pull these attacks off. If you have that kind of access, you can already do a lot of damage and steal a lot of things from the system, so we can't see this research being that devastating for most people.

Still, some miscreants out there might find it useful to really drill into and persist quietly in a target's environment, plus it reveals more about the inner workings of Windows, and so it's arguably worth pointing it out to folks.

The approach was developed by Alon Leviev, a researcher at infosec biz SafeBreach, and revealed at the Black Hat conference in Las Vegas. It was inspired by the BlackLotus UEFI bootkit, which downgraded the Windows boot manager to an exploitable version so that Secure Boot could be bypassed.

"I found a way to take over Windows updates to update the system, but with control over all of the actual update contents," Leviev told us in an interview prior to his event talk. "I was able to downgrade the OS kernel, DLLs, drivers … basically everything that I wanted."

That forcible unauthorized downgrade can be performed against Windows 10 and 11 and Windows Server editions, plus the operating system's virtualization support.

"The entire virtualization stack is vulnerable to downgrades as well," Leviev told us. "It's simple to downgrade credential guard, the secure kernel, and even the hypervisor itself, and compromising the hypervisor gives even more privilege than the kernel, which makes it even more valuable."

What's more, we're told, it's stealthy. "It is fully undetectable because it's performed in the most legitimate way [and] is invisible because we didn't install anything - we updated the system," Leviev told us.

Response

The SafeBreach bod tipped off Microsoft about the weaknesses he found six months ago, and the IT giant, to coincide with his conference presentation on Wednesday, issued two out-of-band advisories. The Windows maker has yet to formulate a full fix for the security holes Leviev discovered, and it is for now alerting customers.

"We appreciate the work of SafeBreach in identifying and responsibly reporting this vulnerability through a coordinated vulnerability disclosure," Microsoft said in a statement.

"We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption."

The first advisory from Redmond, tracked as CVE-2024-38202, tackles what Microsoft has accepted is an elevation-of-privilege vulnerability in the Windows Update Stack. It reads:

Microsoft was notified that an elevation of privilege vulnerability exists in Windows Backup, potentially enabling an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security.

Microsoft is developing a security update to mitigate this threat, but it is not yet available.

Microsoft is not aware of any attempts to exploit this vulnerability. However, a public presentation regarding this vulnerability was hosted at BlackHat on August 7, 2024. The presentation was appropriately coordinated with Microsoft but may change the threat landscape.

Thus, it's possible to force a system to undo its updates, so that it's exploitable again.

Redmond recommends users check out the above advisory for details on how to mitigate this threat. The IT giant indicated that, though the bug is reachable by non-privileged, non-administrator users, extra steps involving a privileged account are needed to pull off the forced, unauthorized rollback of updates.

"An attacker attempting to exploit this vulnerability requires additional interaction by a privileged user to be successful," Microsoft pointed out.

Next, there's CVE-2024-21302, described by Microsoft as a Windows secure kernel mode elevation-of-privilege vulnerability. Exploiting this one requires administrator rights. We're told:

Microsoft was notified that an elevation of privilege vulnerability exists in Windows based systems supporting Virtualization Based Security (VBS) including a subset of Azure Virtual Machine SKUs; enabling an attacker with administrator privileges to replace current versions of Windows system files with outdated versions.

By exploiting this vulnerability, an attacker could reintroduce previously mitigated vulnerabilities, circumvent some features of VBS, and exfiltrate data protected by VBS.
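The downgrade Leviev describes (kernel, secure kernel, hypervisor, DLLs and drivers replaced with older builds while the machine still looks "updated") and the advisory text above both come down to the same observable: a system file whose version has gone backwards, and VBS services that were running and no longer are. The following PowerShell script is an added triage check written for this article; it is not code from SafeBreach, from the Windows Downdate tool, or from Microsoft. It records a baseline of file versions and VBS state on a known-good host, then on later runs flags any tracked file that regressed, an OS build that went backwards, or Credential Guard/HVCI that switched off. The file list and the baseline path are assumptions; adjust them for your estate. Run it from an elevated prompt.

```powershell
# Added example (not SafeBreach's, Windows Downdate's, or Microsoft's code): baseline-and-compare
# check for downgraded Windows system files and for VBS services that stopped running.
# Run elevated. The target list and baseline path below are assumptions, not from the article.
# A host already owned at admin level can lie to this script (including about its own build
# number), so treat a clean result as "nothing obvious", not as proof, and keep the baseline off-host.

$BaselinePath = "$env:ProgramData\downgrade-baseline.json"   # assumed location

# Components the research names as downgrade targets (kernel, secure kernel, hypervisor) plus
# the code-integrity, boot and credential components in front of them. Assumed list.
$Targets = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",
    "$env:SystemRoot\System32\securekernel.exe",
    "$env:SystemRoot\System32\hvix64.exe",   # Intel hypervisor image
    "$env:SystemRoot\System32\hvax64.exe",   # AMD hypervisor image
    "$env:SystemRoot\System32\ci.dll",
    "$env:SystemRoot\System32\winload.efi",
    "$env:SystemRoot\System32\lsass.exe"
)

function Get-FileBuild {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Windows file versions look like 10.0.22631.3880; the last two parts move with servicing.
    [PSCustomObject]@{
        Path    = $Path
        Version = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    }
}

function Get-OsBuild {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # CurrentBuild is the major build (e.g. 22631); UBR is the monthly revision (e.g. 3880).
    [version]::new(10, 0, [int]$cv.CurrentBuild, [int]$cv.UBR)
}

function Get-VbsState {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    [PSCustomObject]@{
        VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuard = ($dg.SecurityServicesRunning -contains 1)
        Hvci            = ($dg.SecurityServicesRunning -contains 2)
    }
}

$current = @{}
foreach ($t in $Targets) {
    $f = Get-FileBuild $t
    if ($f) { $current[$f.Path] = $f.Version.ToString() }
}
$os  = Get-OsBuild
$vbs = Get-VbsState

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: record what "patched" looks like on this host.
    [PSCustomObject]@{ OsBuild = $os.ToString(); Files = $current; Vbs = $vbs } |
        ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $BaselinePath
    Write-Output "Baseline written to $BaselinePath (OS build $os)"
    return
}

$base     = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
$findings = @()

# 1. Any tracked file whose version went backwards relative to the baseline.
foreach ($path in $current.Keys) {
    $old = $base.Files.$path
    if ($old -and ([version]$current[$path] -lt [version]$old)) {
        $findings += "DOWNGRADED: $path $old -> $($current[$path])"
    }
}

# 2. The OS build itself reporting older than at baseline.
if ($os -lt [version]$base.OsBuild) {
    $findings += "OS build regressed: $($base.OsBuild) -> $os"
}

# 3. VBS / Credential Guard / HVCI that were running at baseline and are no longer.
foreach ($svc in 'VbsRunning', 'CredentialGuard', 'Hvci') {
    if ($base.Vbs.$svc -and -not $vbs.$svc) { $findings += "$svc was running at baseline, now off" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "No regressions against baseline OS build $($base.OsBuild)" }
```

Two caveats on the design. The comparison is against a per-host baseline rather than against the registry UBR, because not every component changes in every monthly update, so a file lagging the OS build is normal and proves nothing; a file that is older than it was last time is the signal. And because Leviev's point is that the downgrade rides the legitimate servicing path, "Windows Update says you are up to date" is exactly the indicator you cannot rely on; file versions, VBS state, and an off-host copy of the baseline are what you check instead.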

A proof-of-concept tool to pull all this off, called Windows Downdate, was developed by Leviev and introduced at Black Hat. Presumably it'll be made available so that folks can assess how vulnerable they are to these shortcomings. The researcher published his findings in full here if you're interested. ®
