"Windows core components can be installed to bypass defense systems."
There are methods to "downgrade" a fully updated Windows 11 device.
Researchers have discovered a method that allows cybercriminals to bypass Windows security features such as Driver Signature Enforcement (DSE), making it easier for them to install rootkits on fully updated systems. A report by SafeBreach security researcher Alon Leviev shows that the attack works by downgrading specific components of the Windows kernel.
Criminals can exploit the Windows update process to introduce outdated and vulnerable software components, causing a system to appear "fully patched" even though it is not. The method also works against fully updated Windows 11 devices.
The researcher reported this vulnerability to Microsoft; however, the company did not address the issue, judging that no "security boundary" had been crossed, since an attacker would first need administrative access. Leviev presented his findings at Black Hat and DEF CON 2024, where he released a tool called Windows Downdate that performs downgrades which reopen old vulnerabilities.
Leviev reported that he was able to downgrade patched components in Windows 11, which restored the ability to bypass DSE and load unsigned drivers. This allowed him to install rootkits that can, among other things, disable security software and hide malicious activity.
In his attack, he replaced a key Windows file named ci.dll with an unpatched version. After the replacement the system requires a restart, which gives the appearance of a normal update. He also demonstrated methods for disabling or bypassing Virtualization-Based Security (VBS) by modifying specific configuration settings and files, further weakening the system's protection.
Microsoft is currently working on a fix that blocks outdated system files and prevents downgrade attacks, but no release date has been set, since protecting against these vulnerabilities requires careful testing to avoid breaking systems. In the meantime, Leviev advises organizations to watch for these downgrade attacks.
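The article names ci.dll as the component that was swapped for an older build, and a restart that looks like a normal update as the only visible side effect. A practical way to watch for that is to record the version and signature state of core components on a known-good host and alert when a version goes backwards. The script below is an added example written for this article; it is not code from SafeBreach, from the Windows Downdate tool, or from Microsoft. The baseline file path, the `-Mode` switch and the idea of extending the component list beyond ci.dll are assumptions for illustration; the Win32_DeviceGuard class and its status values are Microsoft-documented.

```powershell
<#
  Added example (not from the article or SafeBreach). Records version, SHA-256 and
  Authenticode status of core Windows components and later flags a version regression,
  the tell-tale sign of a downgrade, plus a VBS/HVCI that is no longer running.
  Assumptions: $BaselinePath and the -Mode switch are illustrative choices.
#>
[CmdletBinding()]
param(
    [ValidateSet('Baseline', 'Check')]
    [string]$Mode = 'Check',
    [string]$BaselinePath = "$env:ProgramData\CoreComponentBaseline.json"  # assumed location
)

# ci.dll is the file named in the article; further kernel components can be added here.
$Components = @("$env:SystemRoot\System32\ci.dll")

function Get-ComponentState {
    param([Parameter(Mandatory)][string]$Path)
    $vi  = (Get-Item -LiteralPath $Path).VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        # Build a comparable [version] from the numeric parts rather than the free-text FileVersion string.
        Version   = ([version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)).ToString()
        Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status.ToString()
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

function Get-VbsState {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 0 = not enabled, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning contains 2 when HVCI (memory integrity) is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsStatus   = if ($dg) { [int]$dg.VirtualizationBasedSecurityStatus } else { -1 }
        HvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    }
}

$current = $Components | ForEach-Object { Get-ComponentState -Path $_ }
$vbs     = Get-VbsState

if ($Mode -eq 'Baseline') {
    # Capture on a known-good, fully patched host right after Windows Update has been applied.
    $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Host "Baseline written to $BaselinePath"
    return
}

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -Mode Baseline on a known-good host first."
}
$baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
$findings = @()

foreach ($now in $current) {
    $was = $baseline | Where-Object { $_.Path -eq $now.Path }
    if (-not $was) { continue }
    if ([version]$now.Version -lt [version]$was.Version) {
        $findings += "DOWNGRADE: $($now.Path) is $($now.Version), baseline was $($was.Version)"
    }
    if ($now.SigStatus -ne 'Valid') {
        $findings += "SIGNATURE: $($now.Path) Authenticode status is $($now.SigStatus)"
    }
    if ($now.Sha256 -ne $was.Sha256 -and [version]$now.Version -eq [version]$was.Version) {
        $findings += "HASH: $($now.Path) content changed without a version change"
    }
}
if ($vbs.VbsStatus -ne 2)   { $findings += "VBS: VirtualizationBasedSecurityStatus is $($vbs.VbsStatus) (expected 2 = running)" }
if (-not $vbs.HvciRunning)  { $findings += "HVCI: memory integrity is not running" }

if ($findings.Count -eq 0) {
    Write-Host "OK: no regression across $($Components.Count) component(s); VBS and HVCI running."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it once with `-Mode Baseline` on a freshly patched reference machine, then with `-Mode Check` on a schedule or after every reboot; re-baseline after each legitimate cumulative update, since versions are expected to move forward then. Two caveats follow directly from the article: the attack needs administrative rights, so an attacker who has them could also edit a baseline stored on the same host, which is why the baseline (or at least its hash) belongs on a management server rather than in `$env:ProgramData`; and hosts that never had VBS enabled will report status 0 legitimately, so that finding should be tuned to the fleet's expected configuration rather than treated as an alert everywhere.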