New research being presented at the Black Hat security conference in Las Vegas today shows that a vulnerability in Windows Update could be exploited to downgrade Windows to older versions, exposing a slew of historical vulnerabilities that then can be exploited to gain full control of a system. Microsoft says that it is working on a complex process to carefully patch the issue, dubbed “Downdate.”
Alon Leviev, the SafeBreach Labs researcher who discovered the flaw, says he started looking for possible downgrade attack methods after seeing that a startling hacking campaign from last year was using a type of malware (known as the “BlackLotus UEFI bootkit”) that relied on downgrading the Windows boot manager to an old, vulnerable version. After probing the Windows Update flow, Leviev discovered a path to strategically downgrading Windows—either the entire operating system or just specifically chosen components. From there, he developed a proof-of-concept attack that utilized this access to disable the Windows protection known as Virtualization-Based Security (VBS) and ultimately target highly privileged code running in the computer’s core “kernel.”
“I found a downgrade exploit that is fully undetectable because it is performed by using Windows Update itself,” which the system trusts, Leviev told WIRED ahead of his conference talk. “In terms of invisibility, I didn’t uninstall any update—I basically updated the system even though under the hood it was downgraded. So the system is not aware of the downgrade and still appears up-to-date.”
Leviev’s downgrade capability comes from a flaw in the components of the Windows Update process. To perform an upgrade, your PC places what is essentially a request to update in a special update folder. It then presents this folder to the Microsoft update server, which checks and confirms its integrity. Next, the server creates an additional update folder for you that only it can control, where it places and finalizes the update and also stores an action list—called “pending.xml”—that includes the steps of the update plan, such as which files will be updated and where the new code will be stored on your computer. When you reboot your PC, it takes the actions from the list and updates the software.
The idea is that even if your computer, including your update folder, is compromised, a bad actor can’t hijack the update process because the crucial parts of it happen in the server-controlled update folder. Leviev looked closely at the different files in both the user’s update folder and the server’s update folder, though, and he eventually found that while he couldn’t modify the action list in the server’s update folder directly, one of the keys controlling it—called “PoqexecCmdline”—was not locked. This gave Leviev a way to manipulate the action list, and with it the entire update process, without the system realizing that anything was amiss.
With this control, Leviev then found strategies to downgrade multiple key components of Windows, including drivers, which coordinate with hardware peripherals; dynamic link libraries, which contain system programs and data; and, crucially, the NT kernel, which contains the most core instructions for a computer to run. All of these could be downgraded to older versions that contain known, patched vulnerabilities. And Leviev even cast a wider net from there, to find strategies for downgrading Windows security components including the Windows Secure Kernel; the Windows password and storage component Credential Guard; the hypervisor, which creates and oversees virtual machines on a system; and VBS, the Windows virtualization security mechanism.
The technique does not include a way to first gain remote access to a victim device, but for an attacker who already has initial access, it could enable a true rampage, because Windows Update is such a trusted mechanism and can reintroduce a vast array of dangerous vulnerabilities that have been fixed by Microsoft over the years. Microsoft says that it has not seen any attempts to exploit the technique.
“We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption,” a Microsoft spokesperson told WIRED in a statement.
Part of the company’s fix involves revoking vulnerable VBS system files, which must be done carefully and gradually, because it could cause integration issues or reintroduce other, unrelated problems that were previously addressed by those same system files.
Leviev emphasizes that downgrade attacks are an important threat for the developer community to consider as hackers endlessly seek paths into target systems that are stealthy and difficult to detect.