Security researcher demos bypassing security to permanently downgrade Windows 10/11


Microsoft puts a number of guards in place to make Windows as secure as it can. It pushes monthly Patch Tuesday updates which, as the name suggests, are meant to patch security flaws. Not just Windows: Microsoft also made Secure Boot a mandatory requirement on Windows 11 to ensure, as far as possible, secure firmware updates.

However, despite all these measures, threat actors and cybercriminals are always on the prowl for ways to bypass them. In March of last year, the BlackLotus UEFI Secure Boot vulnerability, which has since been patched, surfaced; it could bypass Secure Boot, VBS (Virtualization-based Security), HVCI (Hypervisor-Protected Code Integrity), and more, on fully updated systems.

Security researcher Alon Leviev decided to test whether similar protections against such downgrade attacks had been put in place for the Windows Update process. Unfortunately for Microsoft and Windows users, Leviev found that this was not the case at all.

As such, Leviev developed Windows Downdate, a “tool to take over the Windows Update process to craft fully undetectable, invisible, persistent, and irreversible downgrades on critical OS components”, including DLLs, drivers, and even the Windows kernel.

Using it, the researcher demonstrated at Black Hat and DEF CON that even after a downgrade attack, Windows would report that it was fully updated and was unable to install future updates, and recovery tools were unable to detect any issues.

This essentially leaves the user of such a compromised PC clueless about what is going on, though the bright spot is that this is a local attack, which means the threat actor would need physical access to your system.

In the video below, the Ancillary Function kernel driver (AFD.SYS) is downgraded to an older version on a Windows 11 23H2 system.

Alon Leviev has offered a summary of how Windows Downdate worked:

  • First, the downgrade must be fully undetectable, so that endpoint detection and response (EDR) solutions cannot block the downgrade. Thus, I aimed to perform the downgrade in the most legitimate way possible.

  • Second, the downgrade must be invisible. The downgraded components should appear up-to-date, even if they have technically been downgraded.

  • Third, the downgrade must be persistent, so that future software updates don’t overwrite it.

  • Lastly, the downgrade must be irreversible, so that scanning and repairing tools will not be able to detect or restore the downgrade.

You can find more technical details about it at the source links below.

In a bit of good news, Microsoft was notified about this vulnerability before the public demonstration, and the company is tracking the flaw under IDs “CVE-2024-21302” and “CVE-2024-38202” on its MSRC website.

Source: SafeBreach, DEF CON, Black Hat
