Security researcher Alon Leviev of SafeBreach has discovered a vulnerability in Windows Update that lets an attacker roll a fully patched Windows system back to older, vulnerable versions of its components. This is known as a downgrade attack.
Leviev presented the attack at the Black Hat USA 2024 security conference. According to BleepingComputer, Windows 10, Windows 11, and Windows Server are all affected.
Through this vulnerability, an attacker can effectively undo security updates that have already been installed on a Windows system, reopening old security flaws that those updates had closed. In effect, the attacker rolls the up-to-date Windows system back to an older version with known holes.
It’s a horror scenario for every Windows user who regularly keeps their Windows system updated and feels secure.
According to the IT blog Borncity, Microsoft has known about this vulnerability since February 2024 but has not yet released a fix. The company says it is working on one; in the meantime it has published security advisories for CVE-2024-38202 and CVE-2024-21302 with recommendations for limiting the damage until a patch is available.
How does the downgrade attack work?
An attacker can exploit this flaw to take control of the update process on a Windows system that would otherwise be secure because it has been fully patched.
Specifically, the flaw lets the attacker replace certain DLLs, drivers, and even the NT kernel with older versions, reintroducing vulnerabilities that had already been fixed.
But that’s not all, as the security expert writes:
“We then aimed higher, and found that the entire virtualization stack is at risk too. We successfully downgraded Hyper-V’s hypervisor, Secure Kernel, and Credential Guard’s Isolated User Mode process to expose past privilege escalation vulnerabilities.
Furthermore, we discovered multiple ways to disable Virtualization-Based Security (VBS), including its features such as Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when enforced with UEFI locks. To our knowledge, it’s the first time VBS’s UEFI locks are bypassed without physical access.”
Worse still, because Windows itself continues to report that it is fully up to date after the downgrade, security tools currently do not notice the problem, and the system will no longer install future updates.
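The practical consequence for defenders is that Windows Update's own status cannot be used as evidence of patch level after such an attack. The following PowerShell script is an added example, not code from the article or from SafeBreach: on a known-good machine it records the file versions of the kernel and VBS binaries named above, together with the VBS, Credential Guard and HVCI running state reported by the DeviceGuard WMI class, and later compares the live system against that baseline, flagging any binary whose version went backwards or any protection that stopped running. The watched file list, the baseline path and the comparison logic are this example's own assumptions, not Microsoft's published guidance.

```powershell
# Added example (not from the article or SafeBreach): baseline-and-compare check for
# component downgrades. It does NOT trust Windows Update's "you're up to date" status;
# it reads real file versions and the VBS state instead.
[CmdletBinding()]
param(
    [ValidateSet('Snapshot', 'Compare')]
    [string]$Mode = 'Compare',
    # Assumed location; in practice keep the baseline off-host so an attacker with
    # the privileges to downgrade binaries cannot also rewrite the baseline.
    [string]$BaselinePath = "$env:ProgramData\downdate-baseline.json"
)

$system32 = Join-Path $env:SystemRoot 'System32'

# Binaries the downgrade research targeted (assumed set; extend as needed).
$watched = @(
    'ntoskrnl.exe',                 # NT kernel
    'securekernel.exe',             # Secure Kernel (VTL1)
    'lsaiso.exe',                   # Credential Guard's Isolated User Mode process
    'hvix64.exe', 'hvax64.exe',     # Hyper-V hypervisor (Intel / AMD builds)
    'ci.dll',                       # Code Integrity (HVCI policy enforcement)
    'ntdll.dll', 'kernel32.dll'     # user-mode DLLs also covered by the attack
) | ForEach-Object { Join-Path $system32 $_ } | Where-Object { Test-Path -LiteralPath $_ }

function Get-FileVersionNumber {
    param([string]$Path)
    # FileVersion strings look like "10.0.22621.2215 (WinBuild.160101.0800)";
    # keep only the numeric prefix so [version] compares numerically, not lexically
    # (a string compare would rank "10.0.22621.999" above "10.0.22621.2215").
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    if ($raw -match '^\s*(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

function Get-VbsState {
    # root\Microsoft\Windows\DeviceGuard is the documented WMI namespace for VBS status.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
        VbsStatus         = [int]$dg.VirtualizationBasedSecurityStatus
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
        CredentialGuardOn = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciOn            = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

$current = @{}
foreach ($f in $watched) {
    $v = Get-FileVersionNumber -Path $f
    if ($v) { $current[$f] = $v.ToString() }
}
$vbs = Get-VbsState

switch ($Mode) {
    'Snapshot' {
        [pscustomobject]@{ Files = $current; Vbs = $vbs } |
            ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
        Write-Host "Baseline written to $BaselinePath"
    }
    'Compare' {
        if (-not (Test-Path -LiteralPath $BaselinePath)) {
            throw "No baseline at $BaselinePath; run with -Mode Snapshot on a known-good system first."
        }
        $base = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
        $findings = @()
        foreach ($f in $current.Keys) {
            $old = $base.Files.$f
            if (-not $old) { continue }   # file was not present at baseline time
            if ([version]$current[$f] -lt [version]$old) {
                $findings += "DOWNGRADED: $f  baseline=$old  now=$($current[$f])"
            }
        }
        if ($base.Vbs.VbsStatus -eq 2 -and $vbs.VbsStatus -ne 2) {
            $findings += "VBS was running at baseline; now status=$($vbs.VbsStatus)"
        }
        if ($base.Vbs.CredentialGuardOn -and -not $vbs.CredentialGuardOn) { $findings += 'Credential Guard is no longer running' }
        if ($base.Vbs.HvciOn -and -not $vbs.HvciOn) { $findings += 'HVCI is no longer running' }

        if ($findings) {
            $findings | ForEach-Object { Write-Warning $_ }
            exit 1
        }
        Write-Host 'No downgrade detected against baseline.'
    }
}
```

Run it once as `.\Check-Downgrade.ps1 -Mode Snapshot` right after confirming a clean, fully patched state, then periodically as `.\Check-Downgrade.ps1 -Mode Compare` (for example from a scheduled task or an EDR script job), and refresh the baseline after each legitimate update so new versions are not reported as changes. Because the attack leaves Windows Update's own bookkeeping intact, a version regression in these files, or a protection that was running at baseline and is not running now, is a stronger signal than anything the update history shows.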
According to Microsoft, there are currently no known attempts to exploit this vulnerability in the wild. Microsoft advises users to implement the recommendations in its security advisories to reduce the risk of exploitation until an official security update is released.
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.