Your Windows Updates Can All Be Downgraded, Says Security Researcher (theregister.com)
Security researchers from SafeBreach have found what they say is a Windows downgrade attack that's invisible, persistent, irreversible and maybe even more dangerous than last year's BlackLotus UEFI bootkit. From a report: After seeing the damage that UEFI bootkit could do by bypassing secure boot processes in Windows, SafeBreach's Alon Leviev became curious whether there were any other fundamental Windows components that could be abused in a similar manner. He hit the jackpot in one of the most unlikely places: The Windows update process.
"I found a way to take over Windows updates to update the system, but with control over all of the actual update contents," Leviev told us in an interview ahead of his Black Hat USA conference presentation today detailing his findings. Using his technique, having compromised a machine so that he could get in as a normal user, Leviev was able to control which files get updated, which registry keys are changed, which installers get used, and the like. And he was able to do all of it while side-stepping every single integrity verification implemented in the Windows update process. After that, "I was able to downgrade the OS kernel, DLLs, drivers ... basically everything that I wanted." To make matters worse, Leviev said that poking and prodding around the vulnerabilities he found enabled him to attack the entire Windows virtualization stack, including virtualization-based security (VBS) features that are supposed to isolate the kernel and make attacker access less valuable.
"downgrade" (Score:5, Insightful)
Re: (Score:1)
it is a bad thing when it can allow an unprivileged user to remove a patch that prevents RCE in a privileged process/kernel component, or allows a privilege escalation like the various print spooler attacks.
Re: (Score:1)
I joke but many users would like the ability to remove windows updates that are deemed detrimental
Re: (Score:3)
It is a fundamental failure of the security design. It is getting to a point where you need to be an IT security expert to operate Windows securely,
Re: (Score:2)
Hasn't that always been the case? Windows 10 came with SSLv3 and NT4 credentials (including LM, NTLM v1, v2) and even MD4 is still enabled and active in 10/Server 2016 by default; although Windows 11 has chopped a little bit at the edges of those things, it is still capable of having them enabled. There are various other things that I've run across in the past that are simply mind-boggling to be either allowed or enabled by default, like Windows 3.11 era stuff.
Every single Windows system needs to be hardene
Re: (Score:3)
Re: (Score:3)
The real problem with a downgrade of OS components is that it reintroduces vulnerabilities that have been fixed. Since these vulnerabilities have known exploits, from this one is able to take over the whole machine.
Re:"downgrade" (Score:4, Informative)
That say that word as if it's a bad thing.
That's because normal people understand that
"Downgrade attacks—also known as version-rollback attacks—are a type of attack designed to revert an immune, fully up-to-date software back to an older version. They allow malicious actors to expose and exploit previously fixed/patched vulnerabilities to compromise systems and gain unauthorized access."
is in fact "a bad thing."
Re: (Score:2)
Then don't do it? Why would admins attack themselves?
Re: (Score:3)
Because it's not the admins. As I understand it, this allows an outside attacker to force an irreversible downgrade, allowing him to open some vulnerability he can then use to completely compromise the machine.
Re: (Score:2)
You understood wrong, probably misled by so many posts here where people couldn't be bothered to click on the link from the article and assumed nobody would call an "escalating Admin privileges to ... more ..." (whatever that would be in the Windows world) an attack worthy of getting any press.
Re: (Score:2)
Re: (Score:2)
> So, basically a privilege escalation attack. Yeah, seen that kind of exploit on every operating system with support for multiple users.
That's just the foothold for the attack. Usually you get local user by exploiting an unpatched server process. (IIS or whatever)
Re: (Score:3)
My understanding, which may well be wrong, is that this is a two-pronged attack.
Prong 1: As a normal user, you can deinstall a security patch for a security hole you already know how to exploit, without the admin knowing you have done so, such that those in charge of security believe the box fully patched.
Prong 2: Exploit the hole you've just punched.
In a properly configured network, it should never be possible to get this far, and active NIDS should be configured to look for known attacks, especially after
Re: (Score:3)
Unl
Re: (Score:2)
These are always bad because there is no such thing as a trusted user. Nobody is perfect. Even smart people get phished sometimes, if the payload they run can use tricks like this to escalate to privileged access.
Maybe there is an exploit in a browser or a e-mail client pdf reader, etc and they don't even need to get phished.
Now some will argue, so what all the good stuff on the box belongs to the user anyway. Sure but does it in a corporate environment? Now that your system you can get the SAM files, oh l
Re: (Score:2)
Note that in Windows, "untrusted user" basically means "user that is not a security expert" these days,
Re: (Score:2)
They already have a local account in these situations.
So for an attacker who doesn't have a local account, it's a three-step attack rather than two-step. You first have to get a normal user to execute your attack. This is typically not very hard at all.
Re: (Score:2)
Indeed. Obviously, normal users should never, ever be able to remove system-level security fixes. As to "properly configured network", basically no private users have them (I do, but I am not a regular user) and most companies do not have them either. Hence this is a pretty big deal.
Re: (Score:2)
Your understanding is wrong. This starts with an admin account.
Re: (Score:2)
Sorry, no. The CVE states the initial account has basic user privileges.
Re: (Score:2)
Which one?
https://nvd.nist.gov/vuln/deta... [nist.gov]
"enabling an attacker with administrator privileges to replace current versions of Windows system files with outdated versions"
https://nvd.nist.gov/vuln/deta... [nist.gov]
For exploitation to succeed, an attacker must trick or convince an Administrator or a user with delegated permissions into performing a system restore which inadvertently triggers the vulnerability.
Re: (Score:2)
Re: (Score:2)
the hack does depend upon gaining user level access to the target host
From actively attacking them, this covers more than 40% of the average internal user.
Farkers will happily approve MFA prompts whilst driving or golfing or picking socks.
Because 99.999999% of users are ... the wurst....
Personally - I cannot wait for our AI overlords to move in and slaughter the lot. With extreme prejudice.
Re: (Score:2)
The linked write up [safebreach.com] indicates that Microsoft forgot to set the permissions on their updater's registry keys such that an admin user couldn't overwrite them. (FYI: Those keys control not just the pending update list, but also what executable is used to perform the update. *facepalm*)
Windows also fai
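The thread's recurring worry (the two-prong comment above, and the registry-driven update flow the SafeBreach write-up describes) is that after a rollback the box still looks fully patched to whoever reads the patch level off the registry. What follows is an added example, not code from The Register, SafeBreach, or any commenter: a PowerShell check that compares the patch level Windows reports with the version stamped on core binaries on disk, and against a baseline captured from a known-good host. The file list, the baseline path, and the kernel cross-check rule are assumptions made for this example.

```powershell
# Added example, not from the article or SafeBreach's write-up.
# Idea: a downgrade that rolls system files back but leaves the registry-reported
# patch level alone is invisible to tools that only read that registry value.
# So check the binaries themselves.

# Values every patch-compliance tool reads: OS build and Update Build Revision (UBR).
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$reportedBuild = [int]$cv.CurrentBuild
$reportedUbr   = [int]$cv.UBR

# Assumed list of components a downgrade would most want to roll back; extend it.
$coreFiles = @(
    'System32\ntoskrnl.exe',
    'System32\ntdll.dll',
    'System32\ci.dll',
    'System32\winload.efi',
    'System32\drivers\ntfs.sys'
)

function Get-CoreBinaryVersions {
    foreach ($rel in $coreFiles) {
        $path = Join-Path $env:SystemRoot $rel
        if (-not (Test-Path $path)) { continue }
        $vi = (Get-Item $path).VersionInfo   # System.Diagnostics.FileVersionInfo
        [pscustomobject]@{
            File    = $rel
            # Stored as a string so it survives Export-Clixml/Import-Clixml unchanged.
            Version = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                          $vi.FileBuildPart, $vi.FilePrivatePart
            Sha256  = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        }
    }
}

# 1) Quick cross-check on the kernel. It is rebuilt by practically every cumulative
#    update, so its build.revision should match the registry. A kernel behind UBR
#    means the file was rolled back without the registry being touched (assumed rule).
$kernel = Get-CoreBinaryVersions | Where-Object File -eq 'System32\ntoskrnl.exe'
if ($kernel) {
    $kv = [version]$kernel.Version
    if ($kv.Build -lt $reportedBuild -or
        ($kv.Build -eq $reportedBuild -and $kv.Revision -lt $reportedUbr)) {
        Write-Warning ('ntoskrnl.exe is {0} but the registry reports {1}.{2}: possible downgrade' -f
            $kernel.Version, $reportedBuild, $reportedUbr)
    }
}

# 2) Baseline comparison. Not every file is rebuilt every month, so for the other
#    binaries the reference is a known-good host at the same patch level, not UBR.
#    Capture there with:  Get-CoreBinaryVersions | Export-Clixml .\baseline.xml
$baselinePath = '.\baseline.xml'   # assumption: where you keep the trusted baseline
if (Test-Path $baselinePath) {
    $baseline = @{}
    Import-Clixml $baselinePath | ForEach-Object { $baseline[$_.File] = $_ }
    foreach ($f in Get-CoreBinaryVersions) {
        $b = $baseline[$f.File]
        if (-not $b) { continue }
        if ([version]$f.Version -lt [version]$b.Version) {
            Write-Warning ('{0}: {1} on disk, baseline {2} (older than baseline)' -f
                $f.File, $f.Version, $b.Version)
        } elseif ($f.Sha256 -ne $b.Sha256) {
            Write-Warning ('{0}: same version as baseline but different hash' -f $f.File)
        }
    }
} else {
    Get-CoreBinaryVersions | Format-Table -AutoSize
}
```

Run it elevated so the hashes of protected files can be read. The registry cross-check is deliberately limited to the kernel; applying it to every file produces false positives, because a file an update did not rebuild legitimately keeps an older revision, which is exactly why the baseline from a known-good host is the reference for the rest.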
I'm getting hungry (Score:2)
Windows reminds me of Swiss cheese on a cracker.
Re: (Score:2)
A cracker is way too hard to be used to describe Windows.
Re: I'm getting hungry (Score:2)
.su ot gnoleb era (Score:3)
...swodniW ruoy llA
In a properly designed network... (Score:2)
...the difficulty of ever crossing an edge should exceed the value of doing so, and there should be a minimum of two edges to cross before getting to any machine of value, where any data of value should be encrypted to a strength slightly in excess of the data's value.
Value should be in terms of not just monetary value but prestige value and competitive value (as hostile competitors might well "encourage" such attacks).
Economics dictates nobody is going to pay three times the price for something they can ge
Re: (Score:2)
The network perimeter is dead. Not that it would not be hugely useful. But with "modern" applications, operating things behind a real perimeter becomes very hard and most people and organizations have neither the skills nor the budget to deal with that.
It is Microsoft. What do you expect? (Score:3)
They cannot get things right. Normally, user-level access should not be able to cause this type of issue.
Re: (Score:2)
FYI we are talking about Administrator access here. I don't know why there are tens of comments going on about user access bla bla. This "privilege escalation" thing STARTS WITH ADMINISTRATOR ACCESS.
Re: (Score:3)
I disagree. All people crying and moaning about the new exploit here are assuming it's a new exploit to become admin (or at least do stuff that regular users can't do) NOT that "admins can do stuff", that would be a nothingburger, you know the admin can do this, seriously, LOL, move along.
Alas, poor Authenticode, I knew him, Horatio! (Score:3)
Yes, if you have access to replace system binaries with older ones that at least used to work.
When I worked on Windows code signing, we'd keep a store of OS file signatures. We didn't remove old sigs when binaries were updated. We just added new sigs.
I'm guessing this is the same mechanism the dude is "exploiting" some 20 years later.
This required local admin or, under some circumstances, physical access.
abuse things that make WSUS work? (Score:2)
abuse things that make WSUS work?
As you can set up local WSUS servers and use GPO to push systems to look at them.
So the Windows update system is set up to trust local systems and they can push custom updates as well.
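The comment above is about which update source a client has been told to trust. An added example, not code from the article or any commenter: a PowerShell audit of the policy values GPO writes for WSUS (WUServer, WUStatusServer, UseWUServer and AcceptTrustedPublisherCerts under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate), flagging a plain-HTTP server, an unexpected server, acceptance of locally published updates, and showing who holds write access to the key. The approved-server list is an assumption for the example.

```powershell
# Added example, not from the article or any commenter.
# Which update source does this client trust, and who can change that pointer?
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = "$wuPolicy\AU"
$expectedServers = @('https://wsus.corp.example:8531')   # assumption: your real WSUS URL(s)

$wu = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue

$report = [ordered]@{
    UseWUServer                 = [int]$au.UseWUServer                 # 1 = use the intranet server
    WUServer                    = $wu.WUServer
    WUStatusServer              = $wu.WUStatusServer
    AcceptTrustedPublisherCerts = [int]$wu.AcceptTrustedPublisherCerts # 1 = accept locally published updates
}
$findings = @()

if ($report.UseWUServer -eq 1) {
    if (-not $report.WUServer) {
        $findings += 'UseWUServer=1 but WUServer is empty'
    } else {
        $uri = $report.WUServer -as [uri]
        if (-not $uri -or $uri.Scheme -ne 'https') {
            $findings += "WSUS reached over '$($uri.Scheme)': an on-path attacker can tamper with update metadata"
        }
        if ($expectedServers -notcontains $report.WUServer.TrimEnd('/')) {
            $findings += "WUServer '$($report.WUServer)' is not an approved server"
        }
    }
    if ($report.AcceptTrustedPublisherCerts -eq 1) {
        $findings += 'AcceptTrustedPublisherCerts=1: updates signed by a locally trusted publisher, not Microsoft, are accepted'
    }
}

# Who can rewrite the pointer? Under default ACLs that is SYSTEM and Administrators,
# which is the thread's point: an attacker who is already local admin can redirect updates.
if (Test-Path $wuPolicy) {
    $writers = (Get-Acl $wuPolicy).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::SetValue)
    } | ForEach-Object IdentityReference
    $report.CanSetValue = ($writers | Sort-Object -Unique) -join ', '
}

[pscustomobject]$report | Format-List
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No WSUS policy findings.' }
```

A client pointed at a plain-HTTP WSUS is the case that matters most here: the metadata that decides what gets installed is not protected in transit, and the update payload itself is only required to be Microsoft-signed unless AcceptTrustedPublisherCerts is also set. Run the audit from a scheduled task or your configuration-management agent and compare against the GPO you intended to apply, since a local admin can set these values outside of Group Policy.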
Re: (Score:2)
oh FFS. (Score:2)
having compromised a machine so that he could get in as a normal user
You already broke in, redecorating the curtains and ripping out the floor is nothing at that point.
I'm quick to reload these days (Score:2)
Needs ADMINISTRATOR access! (Score:2)
No, seriously, RTFA. The Administrator that probably by design can upgrade to a new Windows version if available, then downgrade to the old one if he doesn't like it! Can probably read and write any byte from the disk, heck can install Linux if desired. Sure that won't go through secure boot afterwards but if there is some signed code that's been working last week he can use that too without any trouble.
Windows (Score:2)
Maybe when you installed Windows you started the downgrade process yourself.