The common assumption is that a system patched to the latest release is safe, but research presented at Black Hat USA 2024 has once again challenged that idea. Alon Leviev, a researcher at SafeBreach Labs, demonstrated a Windows downgrade attack (a tool he named Windows Downdate) that lets an attacker take over the Windows Update process, roll critical components back to vulnerable versions, and even bypass virtualization-based security (VBS), all without physical access.
In his demonstration Leviev replaced critical OS components, elevated privileges, and stripped security features from a system that was "fully patched". He reintroduced an already-fixed vulnerability by feeding downgraded files through the hijacked Windows Update flow, and the tool passed every verification step on the way, including integrity verification and TrustedInstaller enforcement.
Certain critical files are treated as "locked" or immutable: once the kernel has opened them without write sharing, it assumes their contents cannot change and only reads them. The catch is that the kernel does not always keep a private copy. When a page of such a file is evicted from memory and later re-read from its backing store, an attacker who controls that store (a file served from a network share, for example) can supply different bytes the second time. The DSE bypass tagged "ItsNotASecurityBoundary" exploits exactly this double fetch to defeat Driver Signature Enforcement, one of the kernel's main security enhancements, and belongs to a vulnerability class dubbed False File Immutability. Leviev showed that even where such a bug has been fixed, a downgrade can simply restore the vulnerable version of the affected component.
Leviev also took aim at virtualization-based security (VBS). It is not UEFI-locked by default, so it can be switched off by editing a few registry keys and rebooting. Even where the UEFI lock is enabled, it can be bypassed unless the "Mandatory" flag is also set, and that flag has to be set by hand, which is rarely done.
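The settings above are all readable from a running system, so a defender can check for the weak default before an attacker does. The script below is an added example for this article, not code from the talk or from SafeBreach: it reads the documented DeviceGuard registry values for VBS and HVCI, asks the OS what is actually running, flags a missing UEFI lock or Mandatory flag, and, since the same attack rolls back boot-chain binaries, records the file version and signature status of the components most worth baselining. The registry paths and WMI class are Microsoft's; the list of files to inventory is my own choice and the version numbers must be compared against whatever build the installed cumulative update shipped.

```powershell
# Added example (not from the original article or from SafeBreach's tooling).
# Audit VBS/HVCI hardening and record boot-chain component versions.
# Run in an elevated PowerShell session on Windows 10/11.

$dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null means the value (or whole key) is absent. For Locked and Mandatory
    # that is the weak default the downgrade attack relies on.
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-VbsConfig {
    # Static configuration as written to the registry.
    $cfg = [ordered]@{
        VbsEnabled   = Get-RegDword $dgKey   'EnableVirtualizationBasedSecurity'
        VbsLocked    = Get-RegDword $dgKey   'Locked'      # 1 = UEFI lock
        VbsMandatory = Get-RegDword $dgKey   'Mandatory'   # 1 = boot fails if VBS cannot start
        HvciEnabled  = Get-RegDword $hvciKey 'Enabled'
        HvciLocked   = Get-RegDword $hvciKey 'Locked'
    }
    # Runtime state: what is actually running, not merely configured.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $cfg.VbsStatus       = $dg.VirtualizationBasedSecurityStatus   # 0 off, 1 configured, 2 running
    $cfg.ServicesRunning = ($dg.SecurityServicesRunning -join ',')  # 1 = Credential Guard, 2 = HVCI
    [pscustomobject]$cfg
}

function Test-VbsHardened {
    param($Config)
    $findings = @()
    if ($Config.VbsStatus -ne 2) {
        $findings += 'VBS is not running'
    }
    if ($Config.VbsLocked -ne 1) {
        $findings += 'VBS has no UEFI lock: a registry edit plus reboot disables it'
    }
    if ($Config.VbsMandatory -ne 1) {
        $findings += 'Mandatory flag not set: the UEFI lock alone can be bypassed'
    }
    if ($Config.HvciEnabled -ne 1 -or $Config.HvciLocked -ne 1) {
        $findings += 'HVCI is not both enabled and UEFI-locked'
    }
    $findings
}

function Get-BootChainVersions {
    # Components a downgrade attack would replace (list chosen for this example).
    # Compare the versions against the build of the installed cumulative update;
    # a lower version than expected is a sign of rollback.
    $sys = "$env:SystemRoot\System32"
    foreach ($name in 'ntoskrnl.exe', 'ci.dll', 'securekernel.exe', 'winload.efi', 'winload.exe') {
        $path = Join-Path $sys $name
        if (Test-Path $path) {
            [pscustomobject]@{
                File      = $name
                Version   = (Get-Item $path).VersionInfo.FileVersion
                Signature = (Get-AuthenticodeSignature $path).Status
            }
        }
    }
}

$config = Get-VbsConfig
$config | Format-List

$issues = Test-VbsHardened $config
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else         { 'VBS and HVCI are enabled, UEFI-locked and mandatory.' }

Get-BootChainVersions | Format-Table -AutoSize
```

Two caveats when reading the output. A signature status of Valid says nothing about age: the downgraded binaries in the talk were genuine, Microsoft-signed files, only older, so the version column is what matters. And an attacker who already runs as administrator can rewrite these registry values; the check is for finding the weak default before that happens, which is why the fix is to set Locked and Mandatory (and the HVCI Locked value) and reboot, after which the UEFI variable, not the registry, holds the policy.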
At the time of writing Microsoft had not shipped a fix for the downgrade attacks, and it needs to make these settings stricter by default to protect end users. Until then, keep patching, and enable the UEFI lock and Mandatory flag for VBS yourself rather than relying on the defaults.