Saturday, November 23, 2024

Hackers can attack Microsoft Windows by downgrading versions

Ability to downgrade pivotal components, including the kernel itself, expands the attack surface for cybercriminals

  • Attackers can gain control over update mechanism, enabling them to downgrade critical system components to versions known to harbour vulnerabilities.
  • Emergence of vulnerabilities like the ones presented by Leviev at Black Hat USA 2024 illustrates the ongoing challenges in cybersecurity.
  • Failure to automatically enforce the “Mandatory” flag when the UEFI lock is engaged presents a critical oversight that could be easily exploited by attackers.

Microsoft has made substantial improvements in recent years to fortify the Windows kernel against compromise.

Despite these advancements, researchers and cybersecurity professionals continue to uncover vulnerabilities that could be exploited by malicious actors, particularly those with administrative privileges.

The demonstration by Alon Leviev of SafeBreach Labs at Black Hat USA 2024 sheds light on a particularly concerning method known as the “Windows Downdate” attack, which reveals lingering security gaps within the Windows Update process.

A substantial threat

Leviev’s research illustrated a substantial threat wherein attackers can gain control over the update mechanism, enabling them to downgrade critical system components to versions known to harbour vulnerabilities.

The manipulation undermines the integrity of virtualisation-based security (VBS), achieving a complete compromise of the operating system while the system continues to give the misleading appearance of being fully patched. The essence of this exploit lies not solely in the takeover of the update process itself but also in the exploitation of inherent flaws within the Windows security framework.

A key focus of Leviev’s findings is the concept of “False File Immutability,” which describes the vulnerability allowing attackers to manipulate so-called immutable files.

Stealthy rootkits

These files are considered secure by the Windows operating system; however, Leviev demonstrated that during system reloading from memory, an attacker can substitute a verified catalogue with a malicious counterpart.

The substitution effectively bypasses critical security measures such as Driver Signature Enforcement (DSE), enabling the installation of unsigned kernel drivers that can facilitate a range of malicious actions, including the deployment of stealthy rootkits.

Leviev’s exploration underscores the limitations of current security protocols, particularly concerning the ease with which certain vulnerabilities can be exploited.

The ability to downgrade pivotal components, including the kernel itself, expands the attack surface for cybercriminals. This flexibility not only allows for the exploitation of previously fixed vulnerabilities but also highlights the precarious nature of operating system security, where the manipulation of essential files can have significant consequences for system integrity.

Moreover, the potential to disable VBS by modifying registry keys reveals another level of risk within the Windows ecosystem. Despite improvements to security measures, the failure to automatically enforce the “Mandatory” flag when the UEFI lock is engaged is a critical oversight that could be easily exploited by attackers.
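A defender-side posture check for the registry weakness described above, added here as an example and not taken from the article or from SafeBreach's research. The registry value names (EnableVirtualizationBasedSecurity, Locked, Mandatory under the DeviceGuard key) and the Win32_DeviceGuard WMI class come from Microsoft's VBS documentation; the finding messages are this example's own wording, and the script assumes it is run as Administrator on a Windows 10/11 host.

```powershell
# Added example: audit whether VBS is configured, UEFI-locked, set to mandatory,
# and actually running. Registry names are from Microsoft's VBS docs; the
# interpretation of "Locked without Mandatory" follows the article above.
$dgKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$findings = New-Object System.Collections.Generic.List[string]

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent
    return [int]$item.$Name
}

# 1. The on-disk policy (writable by any administrator, hence tamperable).
$enabled   = Get-RegDword $dgKey 'EnableVirtualizationBasedSecurity'
$locked    = Get-RegDword $dgKey 'Locked'      # UEFI lock: settings persisted in firmware
$mandatory = Get-RegDword $dgKey 'Mandatory'   # VBS mandatory mode

# 2. What is actually running, as reported by the hypervisor stack.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
$hvciRunning = ($dg.SecurityServicesRunning -contains 2)

if ($enabled -ne 1)   { $findings.Add("EnableVirtualizationBasedSecurity is '$enabled' (expected 1).") }
if (-not $vbsRunning) { $findings.Add('VBS is not running.') }
if (-not $hvciRunning){ $findings.Add('HVCI is not running; kernel code integrity is not hypervisor-protected.') }
if ($locked -ne 1)    { $findings.Add('UEFI lock not set; VBS can be turned off by a registry change and reboot.') }
if ($locked -eq 1 -and $mandatory -ne 1) {
    # The gap the article describes: the lock is engaged, but Mandatory is not,
    # so the lock alone does not guarantee VBS is enforced after tampering.
    $findings.Add('UEFI lock set but Mandatory flag not set; enable VBS mandatory mode.')
}
# Policy and reality disagreeing is itself a signal worth alerting on.
if ($enabled -eq 1 -and -not $vbsRunning) {
    $findings.Add('VBS is configured on but not running; investigate for configuration tampering.')
}

if ($findings.Count -eq 0) { 'VBS posture: OK' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Feed the FINDING lines into whatever endpoint telemetry you already collect, so a host whose VBS state changes between two runs stands out rather than silently reporting itself as patched.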

The implication of Leviev’s findings is stark: unless proactive measures are taken to address these vulnerabilities, systems may remain at risk, even in a seemingly hardened environment.
