A Windows vulnerability has been discovered that could allow security updates to be rolled back

To bypass Windows security features, in particular Driver Signature Enforcement, attackers can downgrade system kernel components to older versions and then deploy rootkits into the kernel. By taking control of the Windows Update mechanism, they can reintroduce outdated and vulnerable software components onto a fully patched machine while the system still formally reports itself as up to date.


The problem was reported by SafeBreach expert Alon Leviev, but Microsoft rejected it, saying that it does not reach the defined threat threshold because the technique only allows kernel code execution by someone who already holds administrator privileges. The researcher developed and published a tool, Windows Downdate, that can arbitrarily downgrade components and reopen already known vulnerabilities on a seemingly fully updated OS. He was able to bypass Driver Signature Enforcement (DSE), which would let an attacker load unsigned drivers and deploy a rootkit that disables security controls, so that the attacker’s activity goes unnoticed.

While studying this malicious version-rollback mechanism, Leviev discovered a vulnerability, assigned CVE-2024-21302, that allows privilege escalation; Microsoft has fixed it. The Windows Update downgrade issue itself, however, remains. The attack, as the researcher demonstrated, works by replacing ci.dll, the library responsible for enforcing DSE, with an older version that does not enforce driver signing and so lets security measures be bypassed: the vulnerable copy of the library is loaded into memory immediately after Windows has begun checking its current copy. As a result, the system “thinks” it has verified the file and allows unsigned drivers to be loaded into the kernel.

The expert also described a method for disabling or bypassing Microsoft Virtualization-based Security (VBS), which creates an isolated environment in Windows to protect critical resources. Normally, changes to its configuration through UEFI and the registry are blocked, but if VBS is not set to its maximum security level it can be disabled by changing one registry key. Once VBS is partially disabled, some of its files can be replaced with vulnerable versions, opening the door to the Windows Update downgrade attack. Leviev stresses that downgrade procedures must be monitored carefully, even when they do not cross defined threat thresholds.
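Because the article's point is that Windows Update's own "up to date" status cannot be trusted after such a rollback, a defender needs an independent record of the two things it describes being tampered with: the version of ci.dll and the VBS/HVCI configuration. The following PowerShell script is an added example written for this article; it is not code from the original page, from SafeBreach's Windows Downdate tool or from Microsoft. It records a baseline on a known-good machine and later flags a ci.dll whose version went backwards, or VBS lock flags that were cleared. The baseline file path and JSON field names are invented for the example; the `Win32_DeviceGuard` class and the DeviceGuard registry value names are documented Microsoft names that the article itself does not mention.

```powershell
<#
  Added example: baseline-and-compare check for downgrade indicators.
  Not part of the article, SafeBreach's tool or any Microsoft product.
  Assumptions: $BaselinePath and the JSON layout are made up for this example.
  Run once with -Record on a known-good, fully patched system, then periodically
  without -Record (for instance from a scheduled task) to compare.
#>
param(
    [switch]$Record,
    [string]$BaselinePath = "$env:ProgramData\IntegrityBaseline\ci-baseline.json"  # assumed location
)

function Get-CodeIntegrityState {
    # ci.dll implements Code Integrity, and therefore DSE. Capture version, hash and signature.
    # Note: an older ci.dll is still a genuine Microsoft-signed file, so the signature
    # check alone cannot detect a rollback; the version comparison below is what matters.
    $path = Join-Path $env:SystemRoot 'System32\ci.dll'
    $vi   = (Get-Item -LiteralPath $path).VersionInfo
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path      = $path
        Version   = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart).ToString()
        Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        SigStatus = $sig.Status.ToString()
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

function Get-VbsState {
    # Runtime view from WMI plus the registry values that decide whether VBS can be switched off.
    $dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvci = Join-Path $base 'Scenarios\HypervisorEnforcedCodeIntegrity'
    $get  = { param($key, $name) (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name }
    [pscustomobject]@{
        VbsStatus       = [int]$dg.VirtualizationBasedSecurityStatus     # 0 = off, 1 = enabled but not running, 2 = running
        HvciRunning     = [bool]($dg.SecurityServicesRunning -contains 2) # 2 identifies HVCI in this property
        VbsEnabledReg   = & $get $base 'EnableVirtualizationBasedSecurity'
        VbsMandatoryReg = & $get $base 'Mandatory'   # 1 = VBS refuses to start if its files are tampered with
        HvciLockedReg   = & $get $hvci 'Locked'      # 1 = UEFI-locked, cannot be turned off from the OS alone
    }
}

function Compare-Baseline {
    param($Current, $Baseline)
    $findings = @()
    $curVer = [version]$Current.Ci.Version
    $oldVer = [version]$Baseline.Ci.Version
    if ($curVer -lt $oldVer) {
        $findings += "ci.dll version went BACKWARDS: $oldVer -> $curVer (possible downgrade)"
    }
    # A legitimate update raises the version and changes the hash; a changed hash with no
    # higher version is suspicious.
    if ($Current.Ci.Sha256 -ne $Baseline.Ci.Sha256 -and $curVer -le $oldVer) {
        $findings += "ci.dll content changed without a higher file version"
    }
    if ($Current.Ci.SigStatus -ne 'Valid') {
        $findings += "ci.dll Authenticode status is $($Current.Ci.SigStatus)"
    }
    if ($Current.Vbs.VbsStatus -lt $Baseline.Vbs.VbsStatus) {
        $findings += "VBS status dropped from $($Baseline.Vbs.VbsStatus) to $($Current.Vbs.VbsStatus)"
    }
    if ($Baseline.Vbs.HvciRunning -and -not $Current.Vbs.HvciRunning) {
        $findings += "HVCI was running at baseline time and is not running now"
    }
    if ($Baseline.Vbs.HvciLockedReg -eq 1 -and $Current.Vbs.HvciLockedReg -ne 1) {
        $findings += "HVCI 'Locked' registry value was cleared"
    }
    if ($Baseline.Vbs.VbsMandatoryReg -eq 1 -and $Current.Vbs.VbsMandatoryReg -ne 1) {
        $findings += "VBS 'Mandatory' registry value was cleared"
    }
    $findings
}

$state = [pscustomobject]@{
    Ci       = Get-CodeIntegrityState
    Vbs      = Get-VbsState
    Recorded = (Get-Date).ToString('o')
}

if ($Record) {
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $BaselinePath) | Out-Null
    $state | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $BaselinePath
    "Baseline written to $BaselinePath"
} elseif (Test-Path -LiteralPath $BaselinePath) {
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    $findings = Compare-Baseline -Current $state -Baseline $baseline
    if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
    'No downgrade indicators found.'
} else {
    Write-Error "No baseline at $BaselinePath; run with -Record on a known-good system first."
}
```

Re-record the baseline after each legitimate cumulative update, otherwise the hash comparison will produce noise; a version that increases is never flagged, only one that decreases or a hash that changes without a version increase. Because the rolled-back ci.dll is an authentic, validly signed Microsoft binary, the Authenticode check is a sanity check only, which is why the example keys on the recorded file version and on the VBS lock flags rather than on signature validity.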
