This attack pushes Windows Update to the dark side

LAS VEGAS—If a powerful program had infiltrated your Windows operating system and made substantial changes to its functionality, including changes to security, you would consider it a dangerous attack on system integrity. But when that powerful program is Windows Update, that's fine. Every month, sometimes more often, Windows Update does its thing. Alon Leviev, security researcher at SafeBreach, examined the update process for ways malware authors could misuse it. At the Black Hat conference here, he revealed multiple techniques that force Windows Update to downgrade system security instead of improving it.


Inspired by the BlackLotus attack

Leviev opened with his inspiration: the BlackLotus bootkit, a downgrade attack that defeated Secure Boot, the protected boot chain at the core of Windows 11 security. Under Secure Boot, five different Windows components take part in the boot process, each verifying the next. BlackLotus worked by replacing one of those components, the boot manager, with an earlier version that carried a known vulnerability; the old file was still legitimately signed by Microsoft, so the signature check passed. Microsoft's fix was to revoke the old, deprecated boot components so that Secure Boot no longer accepts them.

“Are there any other components that might be vulnerable to downgrade attacks?” thought Leviev. “My quest was to find out.”

What makes a complete and perfect downgrade attack? Leviev set out four criteria: it must be undetectable, invisible, persistent and irreversible. Undetectable is self-explanatory: any overt tampering would be caught by the built-in security. Likewise, it must be invisible to active monitoring, so the system keeps reporting itself as fully patched. There is no point in forcing a downgrade if the next regular Windows update is going to undo your work, so the downgrade must persist. And for good measure, why not make it impossible to repair?


At first glance, Windows Update looks well protected. Your computer, acting as the client, submits a folder of update files, but from then on the hardened Trusted Installer owns the process. It verifies that the update files and their catalog carry Microsoft's digital signatures, records what it is about to change, and stages the updated files so they can be committed during the next reboot.

Leviev noted several dead ends that did not pan out. The breakthrough came only when he looked at the list of actions the installer performs during that reboot. “Maybe I can compromise the action list? Where does it save its state between reboots?” he asked.

Indeed, this turned out to be the weak link. The action list is written to a file between reboots, and the reference to it is kept where an administrator-level attacker can change it. By controlling the action list, he could make arbitrary changes to the system with the full power of Windows Update, and in particular replace a current component with an older, vulnerable version that is still legitimately Microsoft-signed, so signature checks offer no protection. To keep those changes from being rolled back, he also compromised the component that parses the action list, and he adjusted the system integrity checker so that it would not flag his changes as illegitimate. With the full attack in place, he could downgrade any part of Windows to an exploitable version. “This makes the term ‘fully patched’ meaningless on every Windows machine worldwide,” Leviev concluded.
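The practical consequence of the paragraph above is that neither Authenticode signatures nor the OS's own "fully patched" status can be trusted to reveal a downgrade; what does change is the version stamped into each replaced binary, which only ever goes up under legitimate servicing. The following PowerShell audit is an added example written for this article; it is not code from the talk, from SafeBreach, or from Microsoft. It records a known-good baseline of file versions for a set of security-critical Windows binaries, flags any later version regression, and reports whether a servicing action list is queued for the next reboot. The list of target files, the baseline path, and the assumption that the queued action list is exposed through the PoqexecCmdline value under the Session Manager registry key are my own choices and assumptions, not details stated on the page.

```powershell
<#
  Added example, not from the article or SafeBreach's tooling.
  Usage (elevated):
    .\Find-Downgrade.ps1 -Record      # on a known-good machine, save a baseline
    .\Find-Downgrade.ps1              # later: exit 1 on any regression or queued action list
  Assumptions (mine): these files exist on a typical x64 install, and a queued
  servicing action list is referenced by the PoqexecCmdline registry value.
#>
[CmdletBinding()]
param(
    [string]$Baseline = "$env:ProgramData\downgrade-baseline.json",
    [switch]$Record
)

# Security-critical binaries a downgrade attack would want to roll back.
$targets = @(
    'System32\ntoskrnl.exe', 'System32\securekernel.exe', 'System32\ci.dll',
    'System32\hvix64.exe',   'System32\hvax64.exe',       'System32\winload.efi',
    'System32\lsass.exe',    'System32\lsasrv.dll',       'System32\drivers\fvevol.sys'
)

function Get-ComponentVersions {
    $out = @{}
    foreach ($rel in $targets) {
        $path = Join-Path $env:SystemRoot $rel
        if (-not (Test-Path $path)) { continue }   # e.g. hvax64.exe is only present on AMD hosts
        $vi = (Get-Item $path).VersionInfo
        # Build a comparable System.Version from the numeric PE version resource
        # rather than the free-form FileVersion string.
        $out[$rel] = (New-Object Version($vi.FileMajorPart, $vi.FileMinorPart,
                                         $vi.FileBuildPart, $vi.FilePrivatePart)).ToString()
    }
    return $out
}

function Compare-Baseline($saved, $now) {
    $findings = @()
    foreach ($rel in $saved.Keys) {
        if (-not $now.ContainsKey($rel)) { $findings += "MISSING   $rel"; continue }
        $old = [version]$saved[$rel]
        $new = [version]$now[$rel]
        # Legitimate servicing never lowers a file version, so any decrease is a finding.
        if ($new -lt $old) { $findings += "DOWNGRADE $rel  $old -> $new" }
    }
    return $findings
}

$current = Get-ComponentVersions
if ($Record) {
    $current | ConvertTo-Json | Set-Content -Path $Baseline -Encoding UTF8
    Write-Host "Baseline of $($current.Count) components written to $Baseline"
    return
}

if (-not (Test-Path $Baseline)) {
    throw "No baseline at $Baseline; run with -Record on a known-good machine first."
}
$saved = @{}
(Get-Content $Baseline -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $saved[$_.Name] = $_.Value }

$findings = Compare-Baseline $saved $current

# A queued action list means the Trusted Installer will apply changes on the next
# reboot; outside a genuine update window that deserves a look.
$sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$poq = (Get-ItemProperty -Path $sm -ErrorAction SilentlyContinue).PoqexecCmdline
if ($poq) { $findings += "PENDING   action list queued: $($poq -join ' ')" }

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "No version regression against baseline and no pending action list."
```

Two caveats a practitioner should keep in mind. First, the baseline has to come from a machine you trust; a baseline recorded after the downgrade simply enshrines it. Second, since the attack described above also subverts the component that parses the action list and the integrity checker, a check run from inside the compromised OS can be lied to; for real confidence, mount the disk from clean boot media and compare versions offline rather than relying on the live system.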



Applause worthy

The presentation did not end there. Leviev went on to demonstrate further capabilities of his downgrade attack, up to and including compromising the Windows kernel and the Hyper-V hypervisor. With all the pieces in place, he ran a live demo that started from a fresh, fully patched installation of Windows 11, disabled Credential Guard, and replaced other critical components, ending with the ability to dump the system's passwords and other secrets. The audience applauded enthusiastically.

As far as I can tell, this attack remains valid. You’re not likely to see the effects on your computer, but it can power a nasty targeted attack. Perhaps at the next Black Hat conference, we will enjoy a presentation from Microsoft designers on how they hardened Windows against this update attack.
