A hot potato: Another day, another security flaw discovered in Microsoft Windows. The latest arrives courtesy of research presented at the Black Hat security conference, which revealed a design flaw in the Windows Update architecture that allows critical OS components to be downgraded by manipulating the update process. To be fair, Microsoft is taking action to improve security, recently incorporating this issue into employee evaluations. But its track record doesn't inspire confidence, as the frequency and severity of its security flaws suggest that Windows systems are vulnerable to a variety of threats.
A significant vulnerability in Microsoft Windows security tools was unveiled at the Black Hat security conference. Alon Leviev, a researcher from SafeBreach, showcased a method to exploit the Windows update process, enabling attackers to downgrade systems to earlier versions. This reintroduces vulnerabilities that have already been patched in the current versions of Windows.
The flaw involves crafting a custom downgrading action list that is added to the Windows registry. This list is not enforced by the Trusted Installer, which tricks the system into accepting outdated and vulnerable system files.
By renaming a file folder, the attack bypasses virtualization-based security (VBS), allowing control over update actions such as file creation, deletion, and registry modification. This makes the attack appear as a legitimate update, rendering it undetectable by standard security tools.
Once the Secure Kernel or hypervisor is downgraded, the attacker can disable VBS, bypass UEFI locks, and extract credentials, even against restrictive settings like Credential Guard and Windows Defender.
The attack facilitates privilege escalation from Administrator to kernel level and further into the hypervisor, granting attackers access to all isolated environments and the ability to exploit old vulnerabilities in the virtualization stack.
The research found no existing downgrade mitigation in the virtualization stack, leaving the entire system vulnerable. This flaw underscores a broader issue that could potentially affect other operating systems as well.
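A defender-side check that follows from the above, added here as an example and not part of the original article or SafeBreach's research: it records the versions of the kernel, Secure Kernel, hypervisor and code-integrity binaries on a known-good machine, later flags any component whose version has gone backwards (which a genuine update never does), and reports whether VBS, HVCI and Credential Guard are still running. The baseline file location and the component list are my assumptions.

```powershell
# Added example (not SafeBreach's or Microsoft's code). Version numbers of core OS
# binaries only ever move forward under legitimate servicing, so a lower version
# than the recorded baseline is a downgrade indicator worth investigating.

$Components = @('ntoskrnl.exe', 'securekernel.exe', 'hvix64.exe', 'hvax64.exe', 'ci.dll')  # assumed list

function Get-CoreComponentVersions {
    $versions = @{}
    foreach ($name in $Components) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (-not (Test-Path $path)) { continue }   # only one hypervisor binary (Intel or AMD) is present
        $vi = (Get-Item $path).VersionInfo
        $versions[$name] = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    }
    return $versions
}

function Get-VbsState {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running; SecurityServicesRunning 1 = Credential Guard, 2 = HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Test-ComponentDowngrade {
    param([string]$BaselinePath = "$env:ProgramData\core-component-baseline.json")  # assumed location
    $current = Get-CoreComponentVersions
    if (-not (Test-Path $BaselinePath)) {
        # First run on a trusted, fully patched machine: persist the versions as strings
        $save = @{}; foreach ($name in $current.Keys) { $save[$name] = $current[$name].ToString() }
        $save | ConvertTo-Json | Set-Content -Path $BaselinePath
        Write-Warning "No baseline found; wrote one to $BaselinePath"
        return @()
    }
    $baseline = Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json
    $findings = @()
    foreach ($name in $current.Keys) {
        $prop = $baseline.PSObject.Properties[$name]
        if (-not $prop) { continue }
        $expected = [version]$prop.Value
        if ($current[$name] -lt $expected) {   # version moved backwards: flag it
            $findings += [pscustomobject]@{ Component = $name; Baseline = $expected; Current = $current[$name] }
        }
    }
    return $findings
}
```

Run `Get-VbsState` and `Test-ComponentDowngrade | Format-Table -AutoSize` from a scheduled job; since a downgraded Secure Kernel may also affect what the host reports, keep the baseline off-host and treat any VBS service that was previously running but is now reported as stopped as a finding in its own right.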
Microsoft has acknowledged the vulnerability and is working on mitigations. However, a fix is complicated because the design flaw affects multiple sub-systems. It may also take some time, as rigorous testing is necessary to avoid integration failures or regressions. The good news is that Microsoft says it has not observed any exploitation of this vulnerability in the wild yet.
SafeBreach Labs responsibly disclosed the findings to Microsoft in February 2024. Leviev suggests that both vendors and researchers explore new attack vectors to prevent similar vulnerabilities.
The researcher also criticized Microsoft's approach of only patching specific vulnerabilities rather than redesigning packages to eliminate entire classes of attacks. Meanwhile, in response to other security issues, Microsoft has pledged to integrate security performance into employee evaluations to improve overall security measures.