A recent discovery has exposed a significant flaw in Windows, known as the “Windows Zero-day Downgrade Attack,” that allows threat actors to downgrade fully updated systems to versions with known vulnerabilities. This attack method is particularly alarming because it exploits the trust users place in Windows Update, a cornerstone of maintaining system security. 

The Mechanics of the Windows Zero-day Downgrade Attack

At the heart of this attack is a vulnerability that enables attackers to take full control of the Windows Update process. By manipulating this process, they can create a tool—referred to as “Windows Downdate”—that downgrades critical OS components to older, vulnerable versions. Despite these downgrades, the operating system continues to report that it is fully updated, leaving the system vulnerable to previously patched exploits.

Key points include:

• Creation of Windows Downdate: Allows downgrading of critical OS components like DLLs, drivers, and the NT kernel.
• False Security Reporting: The OS falsely reports as fully updated while remaining vulnerable.
• BlackLotus UEFI Bootkit: Demonstrates the attack by downgrading the Windows Boot Manager, allowing bypass of Secure Boot.

 Exploiting Windows Update Architecture

The Windows Update architecture consists of an update client and an update server, where the server-side enforcement by the Trusted Installer ensures that system files cannot be modified by unauthorized users. However, researchers discovered a flaw that allowed them to bypass these protections. 

Important findings:

• Manipulation of pending.xml: Attackers can change the source and destination of update files, effectively downgrading the system.
• Registry Key Vulnerability: Certain registry keys, like the one controlling the pending.xml path, are not enforced by the Trusted Installer, allowing unauthorized control of the update process.

Three Key Actions: 

1.   Setting the Trusted Installer service to Auto-Start
2.   Adding the pending.xml path in the registry
3.   Manipulating the update process to downgrade system files

Implications for System Security

The consequences of the Windows Zero-day Downgrade Attack are severe. By downgrading critical security components, attackers can expose systems to past vulnerabilities. The attack also evades detection by standard recovery and scanning tools.

Key implications:

• Security Component Downgrade: Credential Guard, Secure Kernel, and Hyper-V’s hypervisor can be downgraded, exposing the system to old vulnerabilities.
• Disabling VBS: Windows Virtualization-Based Security (VBS) can be disabled, including Credential Guard and Hypervisor-Protected Code Integrity (HVCI).
• Persistent Attack: The use of the poqexec.exe file, despite not being digitally signed, allows the attack to persist and evade detection.

 Microsoft’s Response

In response to this critical vulnerability, Microsoft has issued two CVEs: CVE-2024-21302 and CVE-2024-38202. The company is actively developing mitigations to address these risks, ensuring thorough investigation and testing.

Key Takeaways

The research surrounding the Windows Zero-day Downgrade Attack highlights critical implications not only for Microsoft Windows, the world’s most widely used desktop OS, but also for other operating system vendors that may be vulnerable to similar downgrade attacks. The findings suggest several key takeaways:

• Need for Increased Awareness and Research: This research revealed no existing mitigations to prevent the downgrading of critical OS components in Microsoft Windows. It is crucial for OS vendors to recognize that other operating systems could be equally susceptible to similar attack vectors. Vigilance and proactive research into OS-based downgrade attacks are essential to safeguarding against these threats.
• Review and Reinforce Design Features: Operating system design features, regardless of their age, should be continuously reviewed as potential attack surfaces. The downgrade attack on Windows’ virtualization stack was enabled by a design flaw that allowed less privileged virtual trust levels to update components in more privileged levels. This flaw has existed since the introduction of Microsoft’s VBS features in 2015, underscoring the need for ongoing scrutiny of OS design to prevent exploitation.
• Thorough Examination of In-the-Wild Attacks: Real-world attacks, like the BlackLotus UEFI Bootkit, serve as critical case studies that bring new attack vectors, such as downgrade attacks, to the forefront of cybersecurity discussions. Expanding upon these findings through research is vital to staying ahead of malicious actors. This proactive approach ensures that potential vulnerabilities are identified and addressed before they can be exploited in the wild.

The Windows Zero-day Downgrade Attack represents a significant threat to system security, demonstrating how vulnerabilities in trusted processes like Windows Update can be exploited. This attack underscores the importance of ongoing vigilance in cybersecurity, requiring robust, layered defenses to detect and mitigate sophisticated threats. Organizations and individuals must stay informed and take proactive measures to protect their systems from potential exploitation.

References

Downgrade Attacks Using Windows Updates | SafeBreach

CVE-2024-21302 – Security Update Guide – Microsoft – Windows Secure Kernel Mode Elevation of Privilege Vulnerability

CVE-2024-38202 – Security Update Guide – Microsoft – Windows Update Stack Elevation of Privilege Vulnerability