Microsoft posts guidance for CVE-2024-21302 VBS flaw that downgrades modern Windows PCs

Earlier today, Microsoft released Patch Tuesday updates for Windows 10 (KB5041580 / KB5041578 / KB5041773 / KB5041782) and Windows 11 versions 23H2, 22H2, 21H2 (KB5041585 / KB5041592), as well as for 24H2 (KB5041571).

In a separate post, the company confirmed that it has finally retired the troublesome WinRE KB5034440 and KB5034441 updates, although they have now been replaced by new ones.

In yet another support document, the tech giant has published mitigation guidance for a recent security vulnerability that came to light. The vulnerability allows an attacker to quietly downgrade the system to an older vulnerable state, and Windows would not be able to tell the difference. The issue is being tracked under IDs "CVE-2024-21302" and "CVE-2024-38202," which we covered in our dedicated article here.

The security researcher who discovered this has named the vulnerability "Windows Downdate" as the Windows Update process incorrectly tells the user of a compromised system that their software is up-to-date.

About the vulnerability, Microsoft writes on its MSRC website:

A security researcher informed Microsoft of an elevation of privilege vulnerability in Windows 10, Windows 11, Windows Server 2016, and higher based systems including Azure Virtual Machines (VM) that support VBS.

 

The vulnerability enables an attacker with administrator privileges on the target system to replace current Windows system files with outdated versions. Successful exploitation provides an attacker with the ability to reintroduce previously mitigated vulnerabilities, circumvent VBS security features, and exfiltrate data protected by VBS.

 

Microsoft is developing a security update that will revoke outdated, unpatched VBS system files to mitigate this vulnerability, but it is not yet available. Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions.

In the new guidance post, Microsoft has provided more details, including mitigation information for most modern versions and editions of Windows 10, 11, and Server that have VBS (Virtualization-based Security). It writes:

Available mitigations

 

For all supported versions of Windows 10, version 1809 and later Windows versions, and Windows Server 2019 and later Windows Server versions, administrators can deploy a Microsoft-signed revocation policy (SkuSiPolicy.p7b). This will block vulnerable versions of VBS system files that are not updated from being loaded by the operating system.

 

Note Additional mitigations and mitigation support for all supported versions of Windows 10, version 1507 and earlier Windows versions, and Windows Server 2016 and earlier Windows Server versions are planned for future updates.

You can learn the full details about the mitigation deployment as well as the risks involved here on the official support document on Microsoft's website.

Home users may not install the revocation policy as the threat is a local attack that requires physical access to a victim's PC. It is probably better to wait for an automatic fix that Microsoft is expected to deploy via Windows Update (or some other channel) later.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every single day for many years.

2023: Over 5,800 news posts | 2024 (till end of July): 3,313 news posts