
Windows Update takeover lets an attacker revive a patched flaw


Microsoft typically operates under the assumption that if an attacker has administrative privileges, gaining kernel-level code execution doesn’t cross a defined security boundary and therefore they don’t consider it a critical vulnerability needing immediate remediation.

In an Oct. 26 blog post, SafeBreach researchers argued that Microsoft’s narrow definition leaves systems vulnerable to deploying custom rootkits that can neutralize security controls because it doesn’t account for admins or malware with admin rights undermining critical security mechanisms.

The researchers point out that while significant enhancements have been made to strengthen kernel security against compromise by administrator privileges, the ability to downgrade kernel components unfortunately makes compromising the kernel much simpler.

A Microsoft spokesperson issued the following statement in response to the SafeBreach research: “We appreciate the work of SafeBreach in identifying and responsibly reporting this vulnerability through a coordinated vulnerability disclosure. We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption.”

Jason Soroko, senior fellow at Sectigo, explained that the researchers demonstrated that attackers can exploit this oversight by downgrading critical system components via the Windows Update process, effectively disabling important security features such as Driver Signature Enforcement (DSE) and virtualization-based security (VBS).

“While administrators have legitimate high-level access, they are still subject to certain restrictions, such as DSE and VBS, which are designed to prevent unauthorized code from running at the kernel level,” said Soroko. “These features act as security boundaries intended to maintain system integrity and prevent malicious activities.”

According to the SafeBreach researchers, downgrade attacks — also known as "version-rollback attacks" — are designed to revert immune, fully up-to-date software back to an older version. They let malicious actors expose and exploit previously fixed/patched vulnerabilities to compromise systems and gain unauthorized access. By using this downgrade ability, SafeBreach discovered CVE-2024-21302, a privilege escalation vulnerability affecting the entire Windows virtualization stack.

SafeBreach explained how CVE-2024-38202 — the Windows Update takeover capability — still presents a significant threat to organizations by using it to revive the “ItsNotASecurityBoundary” DSE bypass. This DSE bypass lets attackers load unsigned kernel drivers, allowing them to deploy custom rootkits that can neutralize security controls, hide processes and network activity, and maintain stealth.

Jim Edwards, senior director of engineering at Keeper Security, said this recent discovery highlights the cat-and-mouse game in cybersecurity, where defenses evolve, but so do the tactics of attackers. Edwards said Microsoft has made significant strides to harden the Windows kernel, yet skilled attackers can still find ways around these protections, as we saw with the downgrade attack on Windows Update.

“By tricking the system into installing vulnerable versions of critical components, an attacker with administrator privileges can quietly bypass security while making an updated system appear fully patched,” said Edwards. “A zero-trust security model and privileged access management can help reduce these risks by enforcing strict authentication and authorization, even for administrators.”

The Microsoft spokesperson added that it’s developing a security update that will revoke outdated, unpatched VBS system files to mitigate this threat. Because of the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions. In parallel, Microsoft said it also released security update CVE-2024-38202 Oct. 15 to help keep customers protected. Microsoft also said CVE-2024-21302 will continue to be updated with additional mitigation or relevant risk reduction guidance as they become available.
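The defensive counterpart to the downgrade described above is a version-rollback check: record the versions of critical system components after a patch cycle, then flag any component whose version later moves backwards or disappears. The script below is an added illustration and is not code from SafeBreach, Microsoft or the article; the file paths and version strings are constructed sample data, and it assumes the inventory of current versions is gathered separately (for example from each file's version resource) and passed in as a dictionary.

```python
"""Detect version rollbacks of critical system components against a recorded
baseline (added example; sample paths and versions are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rollback:
    path: str
    baseline: str
    current: str


def parse_version(version: str) -> tuple[int, ...]:
    """Parse a Windows-style dotted version ('10.0.22621.2861') into a tuple
    that compares numerically; short versions are padded with zeros so that
    '10.0' compares as (10, 0, 0, 0)."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    nums = [int(p) for p in parts]
    nums += [0] * max(0, 4 - len(nums))
    return tuple(nums)


def find_rollbacks(baseline: dict[str, str], current: dict[str, str]) -> list[Rollback]:
    """Return every baseline component whose current version is older than
    the recorded one. A component missing from `current` is reported as
    '<missing>', since removal of a protected file is also a regression."""
    findings: list[Rollback] = []
    for path, base_ver in sorted(baseline.items()):
        cur_ver = current.get(path)
        if cur_ver is None:
            findings.append(Rollback(path, base_ver, "<missing>"))
        elif parse_version(cur_ver) < parse_version(base_ver):
            findings.append(Rollback(path, base_ver, cur_ver))
    return findings


def advance_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, str]:
    """Raise the baseline to any newer version observed, never lower it, so a
    rolled-back component cannot silently become the new 'expected' version."""
    merged = dict(baseline)
    for path, ver in current.items():
        if path not in merged or parse_version(ver) > parse_version(merged[path]):
            merged[path] = ver
    return merged


# Constructed sample inventory: illustrative paths and versions only, not
# values taken from the article or from any real patch release.
BASELINE = {
    r"C:\Windows\System32\ntoskrnl.exe": "10.0.22621.2861",
    r"C:\Windows\System32\ci.dll": "10.0.22621.2861",
    r"C:\Windows\System32\securekernel.exe": "10.0.22621.2861",
}
CURRENT = {
    r"C:\Windows\System32\ntoskrnl.exe": "10.0.22621.2861",  # unchanged
    r"C:\Windows\System32\ci.dll": "10.0.22621.1",           # older than baseline
    # securekernel.exe is absent from the current inventory
}


if __name__ == "__main__":
    for finding in find_rollbacks(BASELINE, CURRENT):
        print(f"ROLLBACK {finding.path}: baseline {finding.baseline}, now {finding.current}")
```

Run on a schedule, the comparison turns a silent downgrade into an alert even though Windows Update reports the system as fully patched; the monotonic baseline update is what keeps an attacker from laundering the rolled-back version into the expected state by simply waiting for the next inventory run.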
