VBS Bypass: A Hacker Cracked Windows' Last Line of Defense

Man

The set of security features requires special configuration to prevent an update rollback attack.

SafeBreach specialist Alon Leviev found that attackers can use outdated components of the Windows kernel to bypass key protections, such as Driver Signature Enforcement, which allows rootkits to be injected even on fully updated systems. This method of attack was made possible by intercepting the Windows Update process, which makes it possible to install vulnerable, outdated components on the updated system without changing its status.

Leviev also developed the Windows Downdate tool, which allows for a custom rollback and makes a "fully updated" system susceptible to already fixed flaws. Leviev said that he was able to make previously fixed vulnerabilities become relevant again, which actually devalues the concept of "fully updated" Windows. This method is called a downgrade attack.

Using this approach, the researcher identified a new vulnerability, CVE-2024-21302 (CVSS score: 6.7), which allows privilege escalation on Windows devices, including virtual machines. Microsoft quickly patched the vulnerability because it crossed the so-called "security boundary." However, the method of hijacking the update process remains unchanged, as it is not considered a direct security breach.

Despite the fix, the issue remains dangerous because, by hijacking the update process, an attacker can reintroduce old problems into the system. One of the targets of the attacks is the Driver Signature Enforcement (DSE) feature, which normally prevents unsigned drivers from running. By restoring an already patched vulnerability in DSE, an attacker can load malicious drivers onto the system and hide their actions by bypassing Windows' defense mechanisms.

The researcher also showed that other Windows security features, such as Virtualization-Based Security (VBS), can be bypassed by modifying registry keys. If VBS is not configured for maximum security, key files such as SecureKernel.exe can be replaced with vulnerable versions, allowing an attacker to bypass the protection and manipulate system components. Microsoft does offer UEFI-level protection, but enabling it requires additional configuration. Full protection is only available when VBS is enabled with the mandatory UEFI lock.

Microsoft, in turn, said that it is developing an update to eliminate these vulnerabilities, as well as creating mechanisms to block outdated VBS system files. However, the exact timing of the release of fixes is not specified as thorough testing is required to prevent failures and incompatibilities.

The company is now urging security teams to be vigilant and watch for possible version rollback attacks, as they pose a serious threat to organizations.
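The article's point that VBS only holds when it is enabled with the UEFI lock can be audited on a host. The script below is an added example for defenders, not code from the post, the researcher or Microsoft; the Win32_DeviceGuard class and the DeviceGuard registry values it reads are Microsoft's documented policy settings, assumed to be present on a modern Windows 10/11 build.

```powershell
# Added example: report whether VBS/HVCI are running and whether they are UEFI-locked.
# A VBS configuration that lives only in the registry can be switched off by an
# administrator (the precondition the article describes); the UEFI lock stores
# it in firmware variables so it cannot simply be edited away from the OS.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = off, 1 = configured but not running, 2 = running
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
$vbsRunning  = $dg.VirtualizationBasedSecurityStatus -eq 2
$hvciRunning = $dg.SecurityServicesRunning -contains 2

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvci = Join-Path $base 'Scenarios\HypervisorEnforcedCodeIntegrity'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Locked = 1 under each key is the documented "enable with UEFI lock" setting.
$vbsLocked  = (Get-RegDword $base 'Locked') -eq 1
$hvciLocked = (Get-RegDword $hvci 'Locked') -eq 1
# RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot + DMA protection
$platformReq = Get-RegDword $base 'RequirePlatformSecurityFeatures'

$verdict = if ($vbsRunning -and $hvciRunning -and $vbsLocked -and $hvciLocked) {
    'VBS and HVCI running with UEFI lock'
} elseif ($vbsRunning) {
    'VBS running but not UEFI-locked: configuration is registry-editable'
} else {
    'VBS not running'
}

[pscustomobject]@{
    VbsRunning               = $vbsRunning
    HvciRunning              = $hvciRunning
    VbsUefiLocked            = $vbsLocked
    HvciUefiLocked           = $hvciLocked
    PlatformSecurityRequired = $platformReq
    Verdict                  = $verdict
}
```

Run it from an elevated PowerShell session; anything other than the fully locked verdict is a host where the registry-based weakening described above is possible and should be reconfigured via policy with the UEFI lock enabled.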
