August 7, 2024 at 11:12AM
SafeBreach Labs researcher Alon Leviev disclosed critical flaws in Microsoft’s Windows Update, enabling software downgrade attacks that render fully patched Windows machines susceptible to past vulnerabilities. Leviev demonstrated these downgrades at the recent Black Hat conference in Las Vegas and worked with Microsoft to develop a security update to mitigate the threat.
SafeBreach Labs researcher Alon Leviev has identified major gaps in Microsoft’s Windows Update architecture. Leviev demonstrated the ability to craft custom downgrades of critical OS components, elevate privileges, and bypass security features, effectively making a fully patched Windows machine susceptible to past vulnerabilities.
Leviev found a way to manipulate an action list XML file to push a ‘Windows Downdate’ tool that bypasses verification steps, downgrading essential OS components and causing the operating system to falsely report that it is fully updated. He also identified vulnerabilities in the Windows Update architecture that could allow downgrading key operating components and bypassing security features.
SafeBreach Labs reported these issues to Microsoft in February, and Microsoft is developing a security update to revoke outdated, unpatched VBS system files to mitigate the threat. Microsoft plans to publish a CVE alongside Leviev’s Black Hat presentation and will provide customers with mitigations or relevant risk reduction guidance.
Leviev’s research raises concerns about undetectable and invisible software downgrade attacks with potential implications beyond the Windows operating system. This highlights the importance of addressing these vulnerabilities and implementing comprehensive patches to protect users from downgrade attacks.