New research being presented at the Black Hat security conference in Las Vegas today shows that a vulnerability in Windows Update could be exploited to downgrade Windows to older versions, exposing a number of historical vulnerabilities that can then be exploited to gain full control of a system. Microsoft says it is working on a complex process to carefully patch the problem, dubbed “Downdate.”
Alon Leviev, the SafeBreach Labs researcher who discovered the flaw, says he began looking into possible downgrade attack methods after seeing a surprising hacking campaign last year. That campaign used a type of malware (known as the “BlackLotus UEFI bootkit”) that relied on downgrading the Windows boot manager to an old, vulnerable version. After investigating the Windows Update flow, Leviev discovered a path to strategically downgrade Windows, either the entire operating system or just specifically chosen components. From there, he developed a proof-of-concept attack that used this access to disable the Windows protection known as Virtualization-Based Security (VBS) and ultimately target highly privileged code running in the computer’s core, the “kernel.”
“I found a downgrade exploit that is completely undetectable because it runs through Windows Update itself,” which the system relies on, Leviev told WIRED ahead of his talk. “In terms of invisibility, I didn’t uninstall any updates; I basically updated the system even though it was actually downgraded. So the system is not aware of the downgrade and still appears to be up to date.”
Leviev’s ability to downgrade a system to a previous version stems from a flaw in components of the Windows Update process. To perform an upgrade, your PC places what is essentially an upgrade request into a special update folder. It then presents this folder to Microsoft’s update server, which verifies and confirms its integrity. The server then creates an additional update folder for you that only it can control, where it places and finalizes the upgrade and also stores a list of actions, called “pending.xml,” that includes the steps in the upgrade plan, such as which files will be upgraded and where the new code will be stored on your computer. When you restart your PC, it performs the actions on the list and updates the software.
The idea is that even if your computer, including your update folder, is compromised, a malicious actor can’t hijack the update process because crucial parts of it happen in the server-controlled update folder. However, Leviev took a close look at the different files in both the user update folder and the server update folder, and eventually discovered that while he couldn’t modify the list of actions in the server update folder directly, one of the keys controlling it, called “PoqexecCmdline,” wasn’t locked down. This gave Leviev a way to manipulate the list of actions — and with it, the entire update process — without the system realizing anything was amiss.
With this control, Leviev found strategies to downgrade several key Windows components, including drivers, which coordinate with hardware peripherals; dynamic-link libraries, which contain programs and system data; and, crucially, the NT kernel, which contains most of the basic instructions for a computer to function. All of these could be downgraded to older versions that contain known and patched vulnerabilities. And Leviev even cast his net wider from there, to find strategies to downgrade Windows security components, including the Windows Secure Core; the Windows Credential Guard password and storage component; the hypervisor, which creates and monitors virtual machines on a system; and VBS, the Windows virtualization security mechanism.
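As an added defender-side example, not code from the article, from Leviev or from Microsoft: a PowerShell check that snapshots the file versions of the components named above and warns when any of them later goes backwards while the OS-reported build does not, which is the "downgraded but still appears up to date" pattern the article describes. The mapping of components to System32 file names and the baseline path are assumptions.

```powershell
# Assumed mapping (not from the article) of the components it names to System32 binaries.
$Components = @{
    "ntoskrnl.exe" = "NT kernel";          "securekernel.exe" = "Secure Kernel (VBS)"
    "hvix64.exe"   = "hypervisor (Intel)"; "hvax64.exe"       = "hypervisor (AMD)"
    "lsaiso.exe"   = "Credential Guard";   "ci.dll"           = "code integrity"
}

function Get-ComponentSnapshot {
    # Build as the OS itself reports it (what winver and "you're up to date" rely on)
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $snap = @{ OsBuild = "$($cv.CurrentBuild).$($cv.UBR)"; Files = @{} }
    foreach ($name in $Components.Keys) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (-not (Test-Path $path)) { continue }   # e.g. hvax64.exe on an Intel box
        $fi = (Get-Item $path).VersionInfo
        # Use the numeric parts so the later comparison is numeric, not a string compare
        $snap.Files[$name] = [version]::new($fi.FileMajorPart, $fi.FileMinorPart,
                                            $fi.FileBuildPart, $fi.FilePrivatePart).ToString()
    }
    return $snap
}

function Compare-ComponentSnapshot {
    param([string]$BaselinePath = "$env:ProgramData\component-baseline.json")  # assumed path
    $current = Get-ComponentSnapshot
    if (-not (Test-Path $BaselinePath)) {
        $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
        return "Baseline written to $BaselinePath (OS build $($current.OsBuild))"
    }
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    $regressed = foreach ($name in $current.Files.Keys) {
        $old = $baseline.Files.$name
        if ($null -ne $old -and [version]($current.Files[$name]) -lt [version]$old) {
            "$name ($($Components[$name])): $old -> $($current.Files[$name])"
        }
    }
    # A file version that went backwards while the OS build stayed current is the
    # pattern described above: components rolled back, system still reporting up to date.
    if ($regressed) {
        Write-Warning "OS reports build $($current.OsBuild) (baseline $($baseline.OsBuild)), but:"
        $regressed | ForEach-Object { Write-Warning $_ }
    } else {
        "No component regression detected (OS build $($current.OsBuild))"
    }
}

Compare-ComponentSnapshot
```

Run it once after a known-good update to write the baseline, then on a schedule; a legitimate update only ever raises these versions, so any decrease deserves investigation.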
The technique doesn’t include a way to gain remote access to the victim’s device, but for an attacker who already has initial access, it could enable a real rampage, because Windows Update is a highly trusted mechanism and can reintroduce a wide range of dangerous vulnerabilities that Microsoft has patched over the years. Microsoft says it hasn’t seen any attempts to exploit the technique.
“We are actively developing mitigations to protect against these risks while following an extensive process that includes thorough investigation, development of updates on all affected versions, and compatibility testing, to ensure maximum customer protection with minimal operational disruption,” a Microsoft spokesperson told WIRED in a statement.
Part of the company’s solution involves revoking the vulnerable VBS system files, which must be done carefully and gradually because it could cause integration issues or reintroduce other, unrelated problems that were already addressed by those same system files.
Leviev emphasizes that downgrade attacks are a major threat that the developer community must consider, as hackers are constantly looking for paths into target systems that are stealthy and difficult to detect.