A Flaw in Windows Update Opens the Door to Zombie Exploits

New probe being presented astatine the Black Hat information league successful Las Vegas contiguous shows that a vulnerability successful Windows Update could beryllium exploited to downgrade Windows to older versions, exposing a slew of humanities vulnerabilities that past tin beryllium exploited to summation afloat power of a system. Microsoft says that it is moving connected a analyzable process to cautiously spot the issue, dubbed “Downdate.”

Alon Leviev, the SafeBreach Labs researcher who discovered the flaw, says helium started looking for imaginable downgrade onslaught methods aft seeing that a startling hacking run from past twelvemonth was utilizing a benignant of malware (known arsenic the “BlackLotus UEFI bootkit”) that relied connected downgrading the Windows footwear manager to an old, susceptible version. After probing the Windows Update flow, Leviev discovered a way to strategically downgrading Windows—either the full operating strategy oregon conscionable specifically chosen components. From there, helium developed a proof-of-concept onslaught that utilized this entree to disable the Windows extortion known arsenic Virtualization-Based Security (VBS) and yet people highly privileged codification moving successful the computer's halfway “kernel.”

“I recovered a downgrade exploit that is afloat undetectable due to the fact that it is performed by utilizing Windows Update itself,” which the strategy trusts, Leviev told WIRED up of his league talk. “In presumption of invisibility, I didn't uninstall immoderate update—I fundamentally updated the strategy adjacent though nether the hood it was downgraded. So the strategy is not alert of the downgrade and inactive appears up-to-date.”

Leviev's downgrade capableness comes from a flaw successful the components of the Windows Update process. To execute an upgrade, your PC places what is fundamentally a petition to update successful a peculiar update folder. It past presents this folder to the Microsoft update server, which checks and confirms its integrity. Next, the server creates an further update folder for you that lone it tin control, wherever it places and finalizes the update and besides stores an enactment list—called “pending.xml”—that includes the steps of the update plan, specified arsenic which files volition beryllium updated and wherever the caller codification volition beryllium stored connected your computer. When you reboot your PC, it takes the actions from the database and updates the software.

The thought is that adjacent if your computer, including your update folder, is compromised, a atrocious histrion can't hijack the update process due to the fact that the important parts of it hap successful the server-controlled update folder. Leviev looked intimately astatine the antithetic files successful some the user's update folder and the server's update folder, though, and helium yet recovered that portion helium couldn't modify the enactment database successful the server's update folder directly, 1 of the keys controlling it—called “PoqexecCmdline”—was not locked. This gave Leviev a mode to manipulate the enactment list, and with it the full update process, without the strategy realizing that thing was amiss.

With this control, Leviev past recovered strategies to downgrade aggregate cardinal components of Windows, including drivers, which coordinate with hardware peripherals; dynamic nexus libraries, which incorporate strategy programs and data; and, crucially, the NT kernel, which contains the astir halfway instructions for a machine to run. All of these could beryllium downgraded to older versions that incorporate known, patched vulnerabilities. And Leviev adjacent formed a wider nett from there, to find strategies for downgrading Windows information components including the Windows Secure Kernel; the Windows password and retention constituent Credential Guard; the hypervisor, which creates and oversees virtual machines connected a system; and VBS, the Windows virtualization information mechanism.

The method does not see a mode to archetypal summation distant entree to a unfortunate device, but for an attacker who already has archetypal access, it could alteration a existent rampage, due to the fact that Windows Update is specified a trusted mechanics and tin reintroduce a immense array of unsafe vulnerabilities that person been fixed by Microsoft implicit the years. Microsoft says that it has not seen immoderate attempts to exploit the technique.

“We are actively processing mitigations to support against these risks portion pursuing an extended process involving a thorough investigation, update improvement crossed each affected versions, and compatibility testing, to guarantee maximized lawsuit extortion with minimized operational disruption,” a Microsoft spokesperson told WIRED successful a statement.

Part of the company's hole involves revoking susceptible VBS strategy files, which indispensable beryllium done cautiously and gradually, due to the fact that it could origin integration issues oregon reintroduce other, unrelated problems that were antecedently addressed by those aforesaid strategy files.

Leviev emphasizes that downgrade attacks are an important menace for the developer assemblage to see arsenic hackers endlessly question paths into people systems that are stealthy and hard to detect.