New Windows Flaw Lets Hackers Undo Security Patches

The Windows Update takeover, while not technically a vulnerability, allows attackers to bypass critical security measures such as Driver Signature Enforcement (DSE). With DSE defeated, unsigned kernel drivers can be loaded, which enables the installation of stealthy rootkits and can compromise the entire system.

Downgrade attacks roll software back to older versions so that already-fixed vulnerabilities can be exploited again. The BlackLotus UEFI bootkit used a downgrade attack to bypass Secure Boot and infect fully patched Windows 11 systems, which highlights the need for robust downgrade protection mechanisms in operating systems.

The researcher exploited weaknesses in the Windows Update process to build a tool, Windows Downdate, that can downgrade critical OS components, including the NT kernel and the virtualization components.

They also bypassed Windows security patches, compromising “fully patched” machines and exposing them to old vulnerabilities, which highlights a weakness in the current patching model.

The “ItsNotASecurityBoundary” DSE bypass exploits a False File Immutability (FFI) vulnerability to bypass write access restrictions, allowing attackers to replace verified security catalogs with malicious ones and load unsigned kernel drivers.

For the downgrade attack, the researcher downgrades the `ci.dll` module to version 10.0.22621.1376, the version vulnerable to the DSE bypass. This step reverts the security patch that was applied to that module.

Reverting the Patch

VBS offers varying levels of security, from optional to mandatory. VBS without a UEFI lock can potentially be disabled, whereas a UEFI lock combined with the “Mandatory” flag prevents unauthorized VBS modifications and makes the bypass significantly harder.

Without a UEFI lock, VBS can be disabled by clearing the relevant registry settings, downgrading ci.dll, and restarting the system, which lets an attacker bypass the VBS protections and execute malicious code through the “ItsNotASecurityBoundary” vulnerability.

With a UEFI lock, the VBS configuration is safeguarded by copying it to a non-volatile UEFI variable. On subsequent boots the VBS configuration is sourced from this variable, and the registry configuration is overwritten with the variable’s configuration, which prevents remote modification and preserves system integrity.

Even so, by invalidating SecureKernel.exe and downgrading ci.dll to the unpatched version, an attacker can bypass VBS’s protections, restart the machine, and exploit the “ItsNotASecurityBoundary” vulnerability.

A VBS UEFI lock with the “Mandatory” flag, enabled through the registry and the UEFI variable, causes the boot to fail if the VBS files are corrupted. The flag is not set automatically, but it can be configured manually and recently gained official documentation.

According to SafeBreach, to mitigate the attack, enable the UEFI lock and the “Mandatory” flag for VBS using registry commands, then restart the machine for the changes to take effect. If the UEFI lock is already configured, disable it temporarily, set the flag, and then re-enable the lock.
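The following PowerShell script is an added example for administrators, not code from the article or from SafeBreach. It audits whether a machine already has the UEFI lock and “Mandatory” flag in place and, with `-Apply`, sets them when no lock exists yet; the DeviceGuard registry value names (`EnableVirtualizationBasedSecurity`, `Locked`, `Mandatory`) are assumed from Microsoft's DeviceGuard documentation and should be verified against it.

```powershell
#Requires -RunAsAdministrator
param([switch]$Apply)

# Key and value names assumed from Microsoft's DeviceGuard documentation (the article
# does not quote them); verify against the current docs before relying on this.
$DgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

function Get-VbsLockState {
    # Registry view: what the next boot will apply (with a UEFI lock in place, the
    # UEFI variable overwrites these values at boot, so the registry alone can mislead).
    $reg = Get-ItemProperty -Path $DgKey -ErrorAction SilentlyContinue
    # Live view: what VBS is actually doing now (VirtualizationBasedSecurityStatus 2 = running).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsEnabledInRegistry = ($reg.EnableVirtualizationBasedSecurity -eq 1)
        UefiLock             = ($reg.Locked -eq 1)
        Mandatory            = ($reg.Mandatory -eq 1)
        VbsRunning           = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    }
}

function Set-VbsMandatoryLock {
    $s = Get-VbsLockState
    if ($s.UefiLock -and -not $s.Mandatory) {
        # The article's caveat: an existing lock must be released first, and that
        # involves a reboot, so do not write blindly over a locked configuration.
        Write-Warning 'UEFI lock is set without Mandatory; release the lock first, then re-run with -Apply.'
        return $false
    }
    if (-not (Test-Path $DgKey)) { New-Item -Path $DgKey -Force | Out-Null }
    foreach ($name in 'EnableVirtualizationBasedSecurity', 'Mandatory', 'Locked') {
        Set-ItemProperty -Path $DgKey -Name $name -Value 1 -Type DWord
    }
    Write-Host 'VBS set to Mandatory with UEFI lock; reboot for the change to take effect.'
    return $true
}

$state = Get-VbsLockState
$state | Format-List
if ($Apply) {
    Set-VbsMandatoryLock | Out-Null
} elseif (-not ($state.UefiLock -and $state.Mandatory)) {
    Write-Host 'Downgrade-resistant VBS configuration is NOT in place; re-run with -Apply to set it.'
}
```

Run it without `-Apply` first on a few machines to see how many report `UefiLock` or `Mandatory` as false; the `VbsRunning` field comes from the live Win32_DeviceGuard class, so a machine whose registry says VBS is enabled but whose live status is not running is worth a closer look.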


Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
