Windows Downdate attack lets downgrade OS to Vulnerable version


A researcher from SafeBreach Labs uncovered a new attack technique that could compromise the security of fully patched Windows 11 systems.

The attack was presented in August 2024 at Black Hat USA 2024 and DEF CON 32. Dubbed Windows Downdate, the technique, detailed by researcher Alon Leviev, abuses the Windows Update process to downgrade critical system components, reintroducing already-fixed vulnerabilities into a system that reports itself as fully patched.


The downgraded components are then used to exploit the “ItsNotASecurityBoundary” Driver Signature Enforcement (DSE) bypass. In that bypass, an attacker replaces a security catalog with a malicious version after Windows has verified it but before its contents are used, so the kernel accepts an unsigned driver as though it were properly signed.

Using Windows Downdate, an attacker can target the one component that matters, here the “ci.dll” Code Integrity module that parses security catalogs, and roll it back to a version that still contains the flaw. Exploiting the bypass against the downgraded module yields kernel-level code execution on an otherwise up-to-date machine.

The “ItsNotASecurityBoundary” DSE bypass belongs to a class of flaws called False File Immutability (FFI). FFI bugs stem from an incorrect assumption about file immutability: that opening a file while denying shared write access guarantees its contents cannot change. Code built on that assumption reads a file once to validate it and again to use it; because the contents can change between the two reads, these double-read patterns are Time-of-Check to Time-of-Use (TOCTOU) race conditions.


The research also showed that virtualization-based security (VBS) features, including Credential Guard and Hypervisor-Protected Code Integrity (HVCI), can be disabled in several ways, and for the first time even when they are protected by a UEFI lock.

On a system without a UEFI lock, an attacker with administrative privileges first disables VBS by changing its registry settings. With VBS off, they downgrade the ci.dll module to a vulnerable version and exploit the “ItsNotASecurityBoundary” bypass.

On a system with a UEFI lock, the attacker instead invalidates the SecureKernel.exe file so that VBS fails to start. The one configuration that withstood the attack was VBS with both the UEFI lock and the “Mandatory” flag set, which prevents VBS from being disabled even when the lock is bypassed. Against that configuration, the attacker would need physical access to the machine.

This Windows Update takeover capability is a major threat to organizations: it lets attackers load unsigned kernel drivers and deploy custom rootkits that neutralize security controls, hide processes, and keep the compromise stealthy.


Mitigations

  • Keep systems up to date with all the latest patches.
  • Deploy robust endpoint detection and response (EDR) solutions to detect and respond to malicious activity.
  • Implement strong network security measures to prevent unauthorized access and data breaches.
  • Enable VBS with the UEFI lock and the “Mandatory” flag for additional protection against this attack.
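The attack chain above depends on two conditions a defender can check for: VBS that is either off or not locked in the hardened configuration, and a Code Integrity module (ci.dll) that is older than the rest of the installed build. The following PowerShell audit is an added example, not code from SafeBreach or from this article. It assumes the DeviceGuard registry value names (EnableVirtualizationBasedSecurity, Locked, Mandatory, and the HypervisorEnforcedCodeIntegrity scenario key) and the Win32_DeviceGuard WMI class as documented by Microsoft; verify the value names against current documentation for your Windows build before relying on the result. Run it from an elevated prompt.

```powershell
# Added example (not from SafeBreach or the article): audit VBS/HVCI
# configuration and the installed ci.dll version against the conditions the
# Windows Downdate chain relies on. Registry value names are assumed from
# Microsoft's VBS documentation; verify them for your build.

$dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist, so a missing
    # setting is reported as "not configured" rather than throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-VbsHardening {
    $cfg = [ordered]@{
        VbsEnabled  = Get-RegDword $dgKey   'EnableVirtualizationBasedSecurity'
        UefiLock    = Get-RegDword $dgKey   'Locked'
        Mandatory   = Get-RegDword $dgKey   'Mandatory'
        HvciEnabled = Get-RegDword $hvciKey 'Enabled'
        HvciLocked  = Get-RegDword $hvciKey 'Locked'
    }

    # Runtime state from the Device Guard WMI provider:
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running
    #   SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $cfg['VbsRunning']       = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $cfg['CredGuardRunning'] = ($dg.SecurityServicesRunning -contains 1)
    $cfg['HvciRunning']      = ($dg.SecurityServicesRunning -contains 2)

    $findings = @()
    if ($cfg.VbsEnabled -ne 1 -or -not $cfg.VbsRunning) {
        $findings += 'VBS is not enabled and running'
    }
    if ($cfg.UefiLock -ne 1) {
        $findings += 'No UEFI lock: a registry change alone disables VBS on the next boot'
    }
    if ($cfg.Mandatory -ne 1) {
        $findings += '"Mandatory" flag not set: invalidating SecureKernel.exe can still disable VBS despite the lock'
    }
    if (-not $cfg.HvciRunning) {
        $findings += 'HVCI is not running'
    }

    [pscustomobject]@{
        Config   = $cfg
        Findings = $findings
        Hardened = ($findings.Count -eq 0)
    }
}

function Get-CodeIntegrityVersion {
    # Heuristic downgrade check: compare the on-disk ci.dll with the kernel
    # image. ci.dll is not updated every month, so a lower revision is a
    # prompt to compare against the KB manifest, not proof of tampering.
    $ci  = (Get-Item "$env:SystemRoot\System32\ci.dll").VersionInfo
    $krn = (Get-Item "$env:SystemRoot\System32\ntoskrnl.exe").VersionInfo
    [pscustomobject]@{
        CiVersion         = $ci.ProductVersion
        KernelVersion     = $krn.ProductVersion
        CiOlderThanKernel = ([version]$ci.ProductVersion -lt [version]$krn.ProductVersion)
    }
}

$audit = Test-VbsHardening
$audit.Config
$audit.Findings
"Hardened (UEFI lock + Mandatory + HVCI running): $($audit.Hardened)"
Get-CodeIntegrityVersion | Format-List
```

A machine that reports Hardened = True matches the configuration the article says survived the attack; any listed finding corresponds to one of the preconditions described for the non-locked or locked-but-not-mandatory cases. The ci.dll comparison is deliberately conservative: treat CiOlderThanKernel = True as a trigger to verify the file against the expected build for the installed cumulative update, since downgrade tooling can roll back several components at once.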

SafeBreach disclosed the vulnerability to Microsoft in February 2024. Microsoft issued two CVEs, CVE-2024-21302 and CVE-2024-38202, and provided additional guidance via Security Update Guide advisory ADV24216903.

For more information, refer to the blog
