This Attack Pushes Windows Update to the Dark Side

Every month, you trust Windows Update to improve and secure your operating system. At Black Hat, we got a peek at what happens when malefactors twist it to downgrade security instead.

LAS VEGAS—If a powerful program reached into your Windows operating system and made fundamental changes to its functionality, including changes to security, you might consider it a dangerous attack on system integrity. But when that powerful program is Windows Update, well, it’s just fine. Every month, sometimes more often, Windows Update does its thing. Alon Leviev, Security Researcher at SafeBreach, scrutinized the process for ways malware coders might misuse it. At the Black Hat conference here, he revealed multiple techniques that force Windows Update to downgrade system security.

Inspired by Black Lotus Attack

Leviev led off with his inspiration—the downgrade attack called Black Lotus, which managed to defeat the touted Secure Boot system that’s the core of Windows 11 security. With Secure Boot, five distinct Windows components participate, each vetting the next. Black Lotus worked by replacing one of those components with an earlier vulnerable version. And Microsoft foiled it by banning old, revoked components from the process.

“Are there any other components that may be vulnerable to downgrade attacks?” mused Leviev. “My research was to find out.”

What makes a complete and perfect downgrade attack? Leviev broke it down into four criteria: it should be undetectable, invisible, persistent, and irreversible. Undetectable goes without saying, as built-in security would fend off any overt attack. Likewise, it must be invisible to active defenses. There’s no point in forcing a downgrade if a regular Windows Update will undo your work, so it needs to be persistent. For that matter, why not make it impossible to reverse the attack?

The Weakest Link

On the face of it, Windows Update seems well-protected. Your PC submits a folder of files for update, but after that, a hardened Trusted Installer owns the show. It performs upgrades, catalogs what it did, digitally signs its activities, and makes everything ready to install the upgraded files at the next update.

Leviev noted several blind alleys that didn’t play out. Not until he looked at the list of actions that must be performed during that reboot. “Maybe I could compromise the action list? Where does it save its state between reboots?” he wondered.

Indeed, that proved to be the weak link. By controlling the action list, he could make changes to the system with the full power of Windows Update. To prevent the reversal of the changes, he compromised the component that parses the action list. He patched the System Integrity Checker so it wouldn’t flag his changes as illegitimate. When the fully fleshed-out attack finished, he could downgrade any part of Windows to a version subject to exploitation. “It makes the term 'fully patched' meaningless across any Windows machine worldwide,” concluded Leviev.

Worthy of Applause

The presentation didn’t end there. Leviev went on to display more arcane abilities granted by his downgrade attack, up to and including compromising the Windows kernel and the Hypervisor system. With all the pieces in place, he performed a live demo that started with a safe Windows 11 installation and proceeded to disable Credential Guard and replace other important components, resulting in the ability to read out all the system passwords and other secrets. The audience didn’t quite go for a standing ovation, but they applauded with enthusiasm.

As far as I can tell, this attack remains valid. You’re not likely to see the effects on your own computer, but it could power a formidable targeted attack. Perhaps at the next Black Hat conference, we’ll enjoy a presentation from Microsoft’s designers on how they hardened Windows against this downdate attack.

Source