Security researchers from SafeBreach have discovered a Windows downgrade attack that is invisible, persistent, irreversible, and perhaps even more dangerous than last year's BlackLotus UEFI bootkit.
After seeing the damage the UEFI bootkit could do by bypassing the secure boot processes in Windows, SafeBreach's Alon Leviev wondered if there were other Windows fundamentals that could be used in a similar way. He hit the jackpot in one of the most unlikely places: In the Windows update process.
"I found a way to take over Windows Updates to update the system, but with control over all the actual update contents," Leviev said in an interview ahead of the presentation he will give at the Black Hat USA conference today, in which he will describe his findings in detail.
Using his technique, having hacked a machine so he could log in as a normal user, Leviev was able to control which files were updated, which registry keys were changed, which installers could be used, and the like.
Leviev was able to do all of this by bypassing every single integrity check applied to the Windows update process.
After that, "I was able to downgrade the OS kernel, DLLs, drivers ... basically everything I wanted."
To make matters worse, Leviev said that by picking vulnerabilities he was able to attack the entire Windows virtualization stack, including virtualization-based security (VBS) features that are supposed to isolate the kernel and make an attacker's access less important.