Security researcher discovered attack to downgrade Windows permanently

Martin Brinkmann
Aug 8, 2024
Security, Windows 11 News

One of the most important pieces of advice when it comes to the security of electronic devices is to make sure that they are up to date.

A security researcher discovered a new attack that downgrades Windows devices permanently. Information on the attack is available on the SafeBreach website.

Microsoft releases monthly security updates for Windows. It may also release out-of-band security updates; these are released when new vulnerabilities are actively exploited.

Good to know: Downgrading refers to uninstalling certain updates from a device. This may refer to uninstalling newer feature updates, but also to uninstalling a newer version of Windows.

While it is sometimes necessary to downgrade a PC, for instance when a new version is causing issues that cannot be fixed at the time, the process may also be used to remove certain security updates or protections from the operating system.

The Windows Downgrade Attack

Security researcher Alon Leviev developed the tool Windows Downdate to demonstrate that downgrade attacks are possible, even on fully patched versions of Windows.

He describes the tool in the following way: "a tool to take over the Windows Update process to craft fully undetectable, invisible, persistent, and irreversible downgrades on critical OS components—that allowed me to elevate privileges and bypass security features".

With the help of the tool, Leviev was able to turn fully patched and secured Windows devices into outdated Windows devices that were "susceptible to thousands of past vulnerabilities".

Leviev unveiled the research project at Black Hat USA 2024 and Def Con 32. He successfully downgraded a fully patched Windows system during demonstrations and prepared the systems in a special way, so that Windows Update would not find new updates.

To make matters worse, the downgrade attack is both undetectable by endpoint detection and response solutions and invisible with regard to the operating system's components. In other words, the operating system appears up-to-date, when in fact it is not.

The downgrade is also persistent and irreversible. The latter means that scan and repair tools do not detect any issue and cannot undo the downgrade.

You may check out the blog post on the SafeBreach website for technical details.

Microsoft's response

Microsoft was informed about the vulnerability in advance. It is tracking the issues here:

  • CVE-2024-21302 -- Windows Secure Kernel Mode Elevation of Privilege Vulnerability
  • CVE-2024-38202 -- Windows Update Stack Elevation of Privilege Vulnerability

The maximum severity of both issues was set to important by Microsoft.

Microsoft has already added a detection to Microsoft Defender for Endpoint. This is designed to alert customers of exploit attempts.

The company also recommends several additional actions. While they do not "mitigate the vulnerability", they "reduce the risk of exploitation".

In a nutshell:

  • Configure “Audit Object Access” settings to monitor attempts to access files, such as handle creation, read / write operations, or modifications to security descriptors.
  • Auditing sensitive privileges used to identify access, modification, or replacement of VBS related files could help indicate attempts to exploit this vulnerability.
  • Protect your Azure tenant by investigating administrators and users flagged for risky sign-ins and rotating their credentials.
  • Enabling Multi-Factor Authentication can also help alleviate concerns about compromised accounts or exposure.
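The first two recommendations can be applied on a single host with built-in tooling. The following PowerShell is an added example, not from the article, SafeBreach or Microsoft's advisory: it enables the relevant audit subcategories, places an audit entry (SACL) on a list of VBS-related files, and queries the resulting Security log events. The file list is an assumption and must be completed from Microsoft's guidance; run the script elevated.

```powershell
# Added example (not from the article, SafeBreach or Microsoft). Run elevated.
# ASSUMPTION: $VbsFiles is a placeholder; extend it from Microsoft's advisory.
$VbsFiles = @(
    "$env:SystemRoot\System32\securekernel.exe"   # assumed example entry
)

# 1. Enable the Object Access and Privilege Use audit subcategories that
#    back "Audit Object Access" and "sensitive privilege use" recommendations.
auditpol /set /subcategory:"File System"             /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation"     /success:enable /failure:enable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable

# 2. Add an audit ACE (SACL) so that writes, deletes, ownership and
#    security-descriptor changes on each watched file are logged for any
#    principal. Setting a SACL needs SeSecurityPrivilege, i.e. an admin shell.
foreach ($file in $VbsFiles) {
    if (-not (Test-Path $file)) { Write-Warning "Missing: $file"; continue }
    $acl  = Get-Acl -Path $file -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        'Write, Delete, ChangePermissions, TakeOwnership',
        'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $file -AclObject $acl
}

# 3. Review the last 24 hours of relevant events:
#    4663 = object access, 4670 = permissions on an object changed,
#    4673/4674 = sensitive privilege use (noisy; correlate with the file events).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663, 4670, 4673, 4674
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$events |
    Where-Object {
        $m = $_.Message
        # keep privilege-use events as-is; keep file events only for watched files
        ($_.Id -in 4673, 4674) -or ($VbsFiles | Where-Object { $m -like "*$_*" })
    } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

The query only sees events written after the SACL and subcategories are in place, so it serves as an ongoing check rather than a retroactive scan.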

Closing Words

The attack does require administrative privileges. A good precaution is to use a regular user account for day-to-day activities on Windows PCs. Microsoft will release a fix for the issue in the future.

What is your take on this? Feel free to leave a comment down below.

Comments

  1. Roger Irwin said on August 28, 2024 at 2:36 pm

    After many, many years of loading Win 7 from our O.E.M. DVD we found out about 6 months ago that this method suddenly ceased.
    Only after much unsuccessful testing did we eventually realise that someone, somewhere had spiked our PCs.
    We now have to load Win 7 (we will never move on to any further Microsoft product) from the USB pen, but also have to disconnect the DVD player and any other hard drives.
    We are now testing various Ubuntu Linux operating systems, and testing the boundaries as to installing apps that do what we require.
    Roger

  2. John said on August 11, 2024 at 4:25 pm

    Microsoft seems to have completely lost focus on protecting Windows and its core applications such as Office. I have reached a point after 20 something years of using Windows that my PC mostly sits idle anymore and when it dies I am not sure that I will replace it. Or at least not with a Windows PC. Microsoft today reminds me of what Boeing is going through. Just a total lack of focus on quality control any more about serving its investors.

    1. bruh said on August 14, 2024 at 4:09 pm

      Lack of innovation is not the same as depreciation.

      I’m using Office 2007 (stagnant, stale, software), yet it’s totally fine. It’s not new and shiny, but who cares? What are you using that demands the latest & greatest? For most people, the answer is nothing!

      Microsoft didn’t suck 10-15 years ago, so I’ll continue to use that software, where it’s relevant, and other software, where suited. Nothing easier for quick photo touch ups than Office Picture Manager, for example, many years later.

      If you want to write guidance or documentation to the utmost best standard, I believe ALL office programs have been superseded with LaTeX and variants of that.

      Excel 2007? Show me a feature or formula it “doesn’t have” and I’ll show you a way to add that feature through pure code, either helper columns, or macros, it’ll be more robust and extensible than the “built-in” version anyway half the time.

      I can’t think of many companies in the tech space that are actually innovating, it seems all of them peaked already a while ago and are resting on their laurels. But the solution is to just not buy the latest product like some consoomer.

      You can diss Microsoft, but who to turn to? Who’s actually better, in 2024? I don’t see many compelling options, but maybe I am jaded.

  3. Harro Glööckler said on August 9, 2024 at 11:42 pm

    Wouldn’t turning off System Restore and running “Dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase” regularly after applying updates help since it removes all old update backups?

    At least that's what I've been doing for years; System Restore has been off since it was introduced in Windows ME because I hate it with a passion, and for all downgrades, problems, fixes, etc. I have daily incremental C:\ partition backups from third-party software.

  4. John G. said on August 9, 2024 at 9:53 pm

    > “Security researcher discovered attack to downgrade Windows permanently”

    LOL, even more?

    Thanks for the article! :]

  5. Tachy said on August 8, 2024 at 5:42 pm

    The article doesn’t mention if it’s a “hands on” or “remote” attack.

    If an unknown attacker is sitting at my pc I’ve got other more serious problems that require an entirely different type of security response.

    It does appear to me it either requires hands on or that the target already be remotely accessible (hacked).

  6. ECJ said on August 8, 2024 at 5:13 pm

    “…While they do not “mitigate the vulnerability”, they “reduce the risk of exploitation”.”

    Erm, why are they unable to provide a Group Policy setting that prevents downgrading or rolling back to an earlier version of Windows updates? This is the exact thing Security Baselines should protect against.

    1. pHROZEN gHOST said on August 9, 2024 at 3:37 pm

      Please reread the article and you will know why downgrading is necessary.
