Researchers Find Downgrade Vulnerability in Windows 10/11 that Can Restore Previously Fixed High-Risk Vulnerabilities
Researchers keep finding unusual angles. This time they uncovered a flaw in Windows Update, despite the defenses Microsoft places around the update process, and used forged files to drive a downgrade that reintroduces vulnerabilities the system had already patched.
Alon Leviev, a security researcher at SafeBreach Labs, presented the vulnerability today at the Black Hat conference in Las Vegas. Microsoft has confirmed that the vulnerability is exploitable and has announced plans to fix it.
How the Vulnerability Works:
When a Windows system is told to update, it places the update request in a dedicated folder that is handed to Microsoft's update server, which verifies the integrity of that folder.
The server then creates a second update folder that only the update server can control. It sends the system both the updates and a complete list of the actions needed to install them, and the system carries out those actions in the order listed.
Microsoft's security rationale for this design is that even if a machine has been compromised, an attacker cannot hijack the update process, because the system always follows the procedure issued by Microsoft's update server.
The process has a flaw, however. An attacker cannot directly modify the action list in the server-controlled folder, but a key value that governs that action list is not locked. By manipulating it, an attacker can take control of the entire update process without the system noticing anything amiss.
Implications of Successful Exploitation:
The researchers found that exploiting this vulnerability can downgrade several critical Windows components, including drivers, system programs, dynamic link libraries, and even the Windows NT kernel itself.
Because the system does not know it has been quietly downgraded (it believes it has completed an upgrade), an attacker can then exploit vulnerabilities that Microsoft has already fixed.
The researchers even found ways to downgrade Windows security components, including the Secure Kernel, Credential Manager, and the Virtualization-Based Security (VBS) mechanism.
The technique does not by itself give an attacker remote access. An attacker who already has initial access, however, could use it to downgrade the system and then exploit other known vulnerabilities to take full control of it.
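A baseline-and-compare check for that failure mode (patch level reported as current while individual binaries have gone backwards), added here as an example and not code from the article or from SafeBreach: it records the file versions of a few core binaries on a known-good system and later reports any binary whose version regressed while the reported build did not. The component list and baseline path are assumptions, and the script needs to run elevated.

```powershell
param(
    [switch]$Record,
    [string]$BaselinePath = "$env:ProgramData\build-baseline.json"   # assumed location
)
# Binaries of the kinds the article says can be downgraded (kernel, secure kernel, DLLs).
# This list is an assumption for illustration; extend it for your environment.
$components = 'ntoskrnl.exe', 'securekernel.exe', 'ntdll.dll', 'ci.dll', 'lsass.exe'

function Get-ComponentState {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # CurrentBuild.UBR is the patch level Windows reports, e.g. 22631.3880
    $state = [ordered]@{ ReportedBuild = "$($cv.CurrentBuild).$($cv.UBR)"; Files = [ordered]@{} }
    foreach ($name in $components) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (-not (Test-Path $path)) { continue }
        $vi = (Get-Item $path).VersionInfo
        # Use the numeric parts; the FileVersion string carries a trailing build tag.
        $state.Files[$name] = "$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
    }
    return $state
}

$now = Get-ComponentState
if ($Record) {
    $now | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline recorded for build $($now.ReportedBuild) at $BaselinePath"
    return
}

$base = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$regressed = @()
foreach ($prop in $base.Files.PSObject.Properties) {
    $name = $prop.Name
    if (-not $now.Files.Contains($name)) { $regressed += "$name (missing)"; continue }
    if ([version]$now.Files[$name] -lt [version]$prop.Value) {
        $regressed += "$name $($prop.Value) -> $($now.Files[$name])"
    }
}

# Uninstalling an update lowers the reported build too; the downgrade described above
# leaves it at or above the baseline while individual binaries go backwards.
if ($regressed.Count -eq 0) {
    Write-Output "OK: no component below baseline (reported build $($now.ReportedBuild))"
} elseif ([version]$now.ReportedBuild -lt [version]$base.ReportedBuild) {
    Write-Warning "Reported build fell to $($now.ReportedBuild): looks like a rollback; verify it, then re-record the baseline"
} else {
    Write-Warning "Reported build $($now.ReportedBuild) not lowered, but components regressed:`n  $($regressed -join "`n  ")"
}
```

Run it once with -Record right after a verified update, then on a schedule without the switch; a regression report with an unchanged reported build is the signature worth investigating.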
Microsoft's Response:
Microsoft says it has seen no attempts to exploit this vulnerability so far. The company is developing mitigations to prevent such attacks and is investigating to identify all affected versions, develop fixes, and run compatibility tests, with the aim of shipping the fixes with minimal impact on customers.