The most important advice when it comes to protecting electronic devices is to make sure they are up to date.
A security researcher has discovered a new attack that permanently downgrades Windows devices. Information about the attack is available on the SafeBreach website.
Microsoft releases monthly security updates for Windows. It may also release out-of-band security updates; these are released when new vulnerabilities are being actively exploited.
Good to know: downgrading means uninstalling some updates from a device. This can mean uninstalling new feature updates, but also reverting to an older version of Windows.
While it is sometimes necessary to downgrade a PC, for example when the new version is causing problems that cannot be fixed at that time, this process can also be used to remove certain security updates or protections from the operating system.
Windows downgrade attack
Security researcher Alon Leviev developed a tool called Windows Downdate to demonstrate that downgrade attacks are possible, even on fully patched versions of Windows.
He describes the tool as follows: “It’s a tool that creates a completely invisible, unseen, permanent, and irreversible downgrade on critical OS components by taking control of the Windows Update process – allowing me to escalate privileges and bypass security features.”
With this tool, Leviev was able to turn fully patched and secure Windows devices into downgraded ones that were “vulnerable to thousands of past vulnerabilities.”
Leviev unveiled the research project at Black Hat USA 2024 and DEF CON 32. During the demonstrations he successfully downgraded a fully patched Windows system and prepared it in such a way that Windows Update would not find any new updates.
To make matters worse, the downgrade attack is not detectable by endpoint detection and response solutions and is invisible to the operating system’s own view of its components. In other words, the operating system appears up-to-date when in fact it is not.
The downgrade is also persistent and irreversible. The latter means that scan and repair tools neither detect the problem nor repair the downgrade.
You can check out the blog post on the SafeBreach website for technical details.
Microsoft’s response
Microsoft has been notified of the issue and is tracking it under two CVEs:
- CVE-2024-21302 — Windows Secure Kernel Mode Privilege Elevation Vulnerability
- CVE-2024-38202 — Windows Update Stack Privilege Elevation Vulnerability
The maximum severity of both issues was set to Critical by Microsoft.
Microsoft has already added a detection to Microsoft Defender for Endpoint. It is designed to alert customers about exploitation attempts.
The company is also recommending several other steps. While they do not “mitigate the vulnerability,” they do “reduce the risk of exploitation.”
In short:
- Configure the “Audit object access” settings to monitor attempts to access files, such as handle creation, read/write operations, or modifications to security descriptors.
- Auditing the sensitive privileges used to identify access to, modification of, or substitution of VBS-related files could help pinpoint attempts to exploit this vulnerability.
- Protect your Azure tenant by checking administrators and users marked for risky sign-ins and changing their credentials.
- Enabling multi-factor authentication can also help reduce concerns about exposure or risk to accounts.
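As an added example (not from the article, Microsoft or SafeBreach), the following PowerShell applies the first two recommendations above on a single machine: it enables the File System and Sensitive Privilege Use audit subcategories, adds an audit rule (SACL) to VBS-related files, and then pulls the resulting Security-log events. The two file paths are assumed examples of VBS components and the function name is my own.

```powershell
#Requires -RunAsAdministrator
# Added example: audit configuration and event query for VBS-related files.

# 1. Enable auditing of file-system object access and sensitive privilege use
#    (these map to the "Audit object access" and "Audit privilege use" settings).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable | Out-Null

# 2. Add an audit rule to VBS-related files so writes, deletes, permission and
#    ownership changes by any account raise event 4663. Paths are assumed examples.
$vbsFiles = @(
    "$env:SystemRoot\System32\securekernel.exe",   # assumed example path
    "$env:SystemRoot\System32\skci.dll"            # assumed example path
)
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
foreach ($f in $vbsFiles) {
    if (-not (Test-Path $f)) { Write-Warning "Not found: $f"; continue }
    $acl  = Get-Acl -Path $f -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, 'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $f -AclObject $acl
}

# 3. Report object-access (4663) and sensitive-privilege-use (4673/4674) events
#    from the last N hours whose message names one of the audited files.
function Get-VbsAuditEvents {   # hypothetical helper, not a built-in cmdlet
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4673, 4674; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object {
            $m = $_.Message   # save outer $_ before the inner pipeline shadows it
            $vbsFiles | Where-Object { $m -like "*$(Split-Path $_ -Leaf)*" }
        } |
        Select-Object TimeCreated, Id, @{ n = 'Account'; e = { $_.Properties[1].Value } }, Message
}

Get-VbsAuditEvents | Format-List
```

Any hit from Get-VbsAuditEvents is a lead to investigate, not proof of exploitation; legitimate servicing (Windows Update, DISM) also touches these files.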
Closing words
This attack requires administrative privileges. A good precaution is to use a regular user account for day-to-day activities on a Windows PC. Microsoft will release a fix for this issue in the future.
What is your opinion on this? Please leave a comment below.
Thanks for reading.