Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft Security Windows IT

Your Windows Updates Can All Be Downgraded, Says Security Researcher (theregister.com) 45

Security researchers from SafeBreach have found what they say is a Windows downgrade attack that's invisible, persistent, irreversible and maybe even more dangerous than last year's BlackLotus UEFI bootkit. From a report: After seeing the damage that UEFI bootkit could do by bypassing secure boot processes in Windows, SafeBreach's Alon Leviev became curious whether there were any other fundamental Windows components that could be abused in a similar manner. He hit the jackpot in one of the most unlikely places: The Windows update process.

"I found a way to take over Windows updates to update the system, but with control over all of the actual update contents," Leviev told us in an interview ahead of his Black Hat USA conference presentation today detailing his findings. Using his technique, having compromised a machine so that he could get in as a normal user, Leviev was able to control which files get updated, which registry keys are changed, which installers get used, and the like. And he was able to do all of it while side-stepping every single integrity verification implemented in the Windows update process. After that, "I was able to downgrade the OS kernel, DLLs, drivers ... basically everything that I wanted." To make matters worse, Leviev said that poking and prodding around the vulnerabilities he found enabled him to attack the entire Windows virtualization stack, including virtualization-based security (VBS) features that are supposed to isolate the kernel and make attacker access less valuable.

This discussion has been archived. No new comments can be posted.

Your Windows Updates Can All Be Downgraded, Says Security Researcher

Comments Filter:
  • "downgrade" (Score:5, Insightful)

    by Malay2bowman ( 10422660 ) on Wednesday August 07, 2024 @02:25PM (#64688416)
    That say that word as if it's a bad thing.
    • by DarkOx ( 621550 )

      it is a bad thing when it can all an unprivileged user to remove a patch that prevents RCE in a privileged process/kernel component, or allows a privilege escalation like the various print spooler attacks.

      • by Anonymous Coward
        A small price to pay to remove built-in spyware? ;-)

        I joke but many users would like the ability to remove windows updates that are deemed detrimental

      • by gweihir ( 88907 )

        It is a fundamental failure of the security design. It is getting to a point were you need to be an IT security expert to operate Windows securely,

        • by guruevi ( 827432 )

          Hasn't that always been the case? Windows 10 came with SSLv3 and NT4 credentials (including LM, NTLM v1, v2) and even MD4 is still enabled and active in 10/Server 2016 by default, although Windows 11 has chopped a little bit at the edges of those things, it is still capable of having it enabled. There are various other things that I've ran across in the past that are simply mindboggling they are either allowed or enabled by default, like Windows 3.11 era stuff.

          Every single Windows system needs to be hardene

      • Downgrade is a sword that cuts both ways. Yes, it can be used as you described, but it can also be used to get back features that were removed, remove added owner hostile lockdowns, or to get rid of any spyware/telemetry/"you are the product" crap that the company decided to "upgrade" your OS to. Most people don't really give a crap about some of these things, but many of us do. It's ashame that the concept of downgrading is being made to look bad because of this malware.
        • by jvkjvk ( 102057 )

          The real problem with a downgrade of OS components is that it reintroduces vulnerabilities that have been fixed. Since these vulnerabilities have known exploits, from this one is able to take over the whole machine.

    • Re:"downgrade" (Score:4, Informative)

      by apparently ( 756613 ) on Wednesday August 07, 2024 @03:42PM (#64688652)

      That say that word as if it's a bad thing.

      That's because normal people understand that

      Downgrade attacks—also known as version-rollback attacks—are a type of attack designed to revert an immune, fully up-to-date software back to an older version. They allow malicious actors to expose and exploit previously fixed/patched vulnerabilities to compromise systems and gain unauthorized access."

      is in fact "a bad thing."

      • Then don't do it? Why would admins attack themselves?

        • Because it's not the admins. As I understand it, this allows an outside attacker to force an irreversible downgrade, allowing him to open some vulnerability he can then use to completely compromise the machine.

          • You understood wrong, probably mislead by so many posts here where people couldn't be bothered to click on the link from the article and assumed nobody would call an "escalating Admin privileges to ... more ..." (whatever that would be in Windows world) as an attack worth of getting any press.

  • Comment removed based on user account deletion
    • > So, basically a privilege escalation attack. Yeah, seen that kind of exploit on every operating system with support for multiple users.

      That's just the foothold for the attack. Usually you get local user by exploiting an unpatched server process. (IIS or whatever)

    • by jd ( 1658 )

      My understanding, which may well be wrong, is that this is a two-pronged attack.

      Prong 1: As a normal user, you can deinstall a security patch for a security hole you already know how to exploit, without the admin knowing you have done so, such that those in charge of security believe the box fully patched.

      Prong 2: Exploit the hole you've just punched.

      In a properly configured network, it should never be possible to get this far, and active NIDS should be configured to look for known attacks, especially after

      • They already have a local account in these situations. Might be a problem for VPS providers running something like Parallels RAS, but shouldn't impact most systems where the attacker won't have an account. Once you have a local account, you can run local exploits and transport them to the system using encrypted RDP or Secure Shell (on newer Windows systems). NIDS isn't going to detect any of that. They are mainly geared toward finding shellcode on un-encrypted connections or other exploit signatures.

        Unl
        • by DarkOx ( 621550 )

          These are always bad because there is no such thing as a trusted user. Nobody is perfect. Even smart people get phished sometimes, if the payload they run can use tricks like this to escalate to privileged access.

          Maybe there is an exploit in a browser or a e-mail client pdf reader, etc and they don't even need to get phished.

          Now some will argue, so what all the good stuff on the box belongs to the user anyway. Sure but does it in a corporate environment? Now that your system you can get the SAM files, oh l

        • by gweihir ( 88907 )

          Note that in Windows, "untrusted user" basically means "user that is not a security expert" these days,

        • They already have a local account in these situations.

          So for an attacker who doesn't have a local account, it's a three-step attack rather than two-step. You first have to get a normal user to execute your attack. This is typically not very hard at all.

      • by gweihir ( 88907 )

        Indeed. Obviously, normal users should never, ever be able to remove system-level security fixes. As to "properly configured network", basically no private users have them (I do, but I am not a regular user) and most companies do not have them either. Hence this is a pretty big deal.

      • Your understanding is wrong. This starts with an admin account.

        • by jd ( 1658 )

          Sorry, no. The CVE states the initial account has basic user privileges.

          • Which one?

            https://nvd.nist.gov/vuln/deta... [nist.gov]

            "enabling an attacker with administrator privileges to replace current versions of Windows system files with outdated versions"

            https://nvd.nist.gov/vuln/deta... [nist.gov]

            For exploitation to succeed, an attacker must trick or convince an Administrator or a user with delegated permissions into performing a system restore which inadvertently triggers the vulnerability.

      • The first prong is CVE-2024-38202; "A security researcher informed Microsoft of an elevation of privilege vulnerability in Windows Backup potentially enabling an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of VBS. For exploitation to succeed, an attacker must trick or convince an Administrator or a user with delegated permissions into performing a system restore which inadvertently triggers the vulnerability."
    • the hack does depend upon gaining user level access to the target host

      From actively attacking them, this covers more than 40% of the average internal user.

      Farkers will happily approve MFA prompts whilst driving or golfing or picking socks.

      Because 99.999999% of users are ... the wurst....

      Personally - I cannot wait for our AI overlords to move in and slaughter the lot. With extreme prejudice.

    • From the look of it, it's not much of one. TFS fails to mention that the privilege escalation is from Administrator to Kernel. NOT User to Administrator. A normal user would not be able to perform the exploit.

      The linked write up [safebreach.com] indicates that Microsoft forgot to set the permissions on their updater's registry keys such that an admin user couldn't overwrite them. (FYI: Those keys control not just the pending update list, but also what executable is used to perform the update. *facepalm*)

      Windows also fai
  • Windows reminds me of Swiss cheese on a cracker.

  • by jddj ( 1085169 ) on Wednesday August 07, 2024 @02:46PM (#64688476) Journal

    ...swodniW ruoy llA

  • ...the difficulty of ever crossing an edge should exceed the value of doing so, and there should be a minimum of two edges to cross before getting to any machine of value, where any data of value should be encrypted to a strength slightly in excess of the data's value.

    Value should be in terms of not just monetary value but prestige value and competitive value (as hostile competitors might well "encourage" such attacks).

    Economics dictates nobody is going to pay three times the price for something they can ge

    • by gweihir ( 88907 )

      The network perimeter is dead. Not that is would not be hugely useful. But with "modern" applications, operating things behind a real perimeter becomes very hard and most people and organizations have neither the skills not the budget to deal with that.

  • by gweihir ( 88907 ) on Wednesday August 07, 2024 @03:23PM (#64688566)

    They cannot get things right. Normally, user-level access should not be able to cause this type of issue.

    • FYI we are talking about Administrator access here. I don't know why there are tens of comments going on about user access bla bla. This "privilege escalation" thing STARTS WITH ADMINISTRATOR ACCESS.

  • by YetAnotherDrew ( 664604 ) on Wednesday August 07, 2024 @03:38PM (#64688632)

    Yes, if you have access to replace system binaries with older ones that at least used to work.

    When I worked on Windows code signing, we'd keep a store of OS file signatures. We didn't remove old sigs when binaries were updated. We just added new sigs .

    I'm guessing this is the same mechanism the dude is "exploiting" some 20 years later.

    This required local admin or, under some circumstances, physical access.

    • abuse things the make WSUS work?

      As you can setup local WSUS's and use GPO to push systems to look at them.

      So the windows update system is setup to trust local systems and they can push custom updates as well.

      • I don't think that works exactly as you would like us to think. Could you explain step by step wherin no step crosses multiple security boundaries?
  • having compromised a machine so that he could get in as a normal user

    You already broke in, redecorating the curtains and ripping our the floor is nothing at that point.

  • Its quick and often quicker these days than trying to fix a damaged installation. I do the initial install then move back to my desk to complete it. So if I discover one that has even a hint of a PUP on it I reload it.
  • No, seriously, RTFA. The Administrator that probably by design can upgrade to a new Windows version if available, then downgrade to the old one if he doesn't like it! Can probably read and write any byte from the disk, heck can install Linux if desired. Sure that won't go through secure boot afterwards but if there is some signed code that's been working last week he can use that too without any trouble.

  • Maybe when you installed Windows you started the downgrade process yourself.

On a clear disk you can seek forever. -- P. Denning

Working...