New Research: Exploiting Windows Downdate to Revive Critical Kernel Vulnerabilities
Posted in Commentary with tags SafeBreach on October 26, 2024 by itnerd

In August 2024, SafeBreach Labs security researcher Alon Leviev unveiled Windows Downdate, first presented at Black Hat USA 2024 and DEF CON 32 (2024): a tool that takes over the Windows Update process to craft custom downgrades of critical OS components and re-expose previously fixed vulnerabilities. Using this downgrade capability, he discovered CVE-2024-21302, a privilege escalation vulnerability affecting the entire Windows virtualization stack.
While CVE-2024-21302 was patched because it crossed a defined security boundary, the Windows Update takeover, which was also reported to Microsoft, has remained unpatched because it did not cross a defined security boundary. Alon’s follow-up research exposes a severe flaw in Windows Update that allows the reactivation of the “ItsNotASecurityBoundary” Driver Signature Enforcement (DSE) bypass, permitting the loading of unsigned kernel drivers. This can be exploited to deploy custom rootkits, disable security features, and compromise system integrity.
You can read more here.
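A defender's first question after reading this is whether a given host still has its kernel code-integrity protections running and whether anything unsigned is already loaded. The following PowerShell is an added example written for this post; it is not SafeBreach's tool or code, and the function names are my own. It assumes a Windows 10/11 host exposing the `root\Microsoft\Windows\DeviceGuard` WMI namespace and uses only built-in cmdlets.

```powershell
# Added defensive check, not part of the SafeBreach research or this post.
# Assumes Windows 10/11 with the DeviceGuard WMI namespace available.

function Get-DseMitigationStatus {
    # Reports whether Virtualization-Based Security and HVCI are running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        # 0 = VBS off, 1 = enabled but not running, 2 = running
        VbsStatus   = $dg.VirtualizationBasedSecurityStatus
        # SecurityServicesRunning contains 2 when Hypervisor-enforced Code Integrity is active
        HvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-UnsignedRunningDrivers {
    # Enumerates running kernel drivers and returns any whose Authenticode
    # (embedded or catalog) signature does not validate.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise NT-style paths (\??\C:\... or \SystemRoot\...) to Win32 paths
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{
                        Name            = $_.Name
                        Path            = $path
                        SignatureStatus = $sig.Status
                    }
                }
            }
        }
}

# Usage: run from an elevated PowerShell session
Get-DseMitigationStatus
Get-UnsignedRunningDrivers | Format-Table -AutoSize
```

An HVCI-enabled host reports `HvciRunning = True`; a host where it is reported as off, or that lists running drivers with a status other than `Valid`, deserves a closer look. Treat a `NotSigned` result as a lead rather than proof, since catalog-signed Microsoft drivers resolve through the system catalogs and an unusual result can also mean a damaged catalog store.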