🚨 Windows Kernel Downgrade Vulnerability Exploit 🚨


Security researcher Alon Leviev from SafeBreach demonstrated a method to bypass Windows security features by downgrading critical system components like Driver Signature Enforcement (DSE). This exploit could allow attackers to load unauthorized drivers, potentially deploying rootkits on even fully patched Windows systems. The technique involves manipulating the Windows Update process to install outdated, vulnerable software components, which the operating system then treats as fully patched.


⟶ CVSS Scores: The vulnerabilities exploited in this downgrade attack are CVE-2024-38202 (CVSS 7.3) and CVE-2024-21302 (CVSS 6.7). These scores reflect significant security impacts, given the risks associated with privilege escalation and system compromise.


⟶ Research and Tool Release: Leviev's tool, Windows Downdate, enables attackers to create custom downgrade configurations, exposing up-to-date systems to vulnerabilities that have previously been patched, specifically targeting components like ci.dll. This manipulation effectively undoes critical updates, exploiting weak spots in Windows' integrity checks and making the "fully patched" status misleading.


⟶ Bypassing VBS: Virtualization-based Security (VBS), a core Windows security feature, can also be weakened through this downgrade attack. With modified registry keys and partial VBS configurations, attackers can downgrade essential files, like ci.dll, bypassing the secure kernel integrity check. The attack can also replace one of the VBS files, such as SecureKernel.exe, with an invalid file, preventing VBS from loading at all.
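A defender-side check for the conditions described above, added here as an example (it is not code from the original post or from SafeBreach). It reports the version and Authenticode status of the components the post names (ci.dll, SecureKernel.exe) plus the kernel, and whether VBS is configured in the registry but not actually running. It assumes it is run elevated on the host being checked; the file list and the build/revision comparisons are our own heuristics.

```powershell
# Added example (not from the original post). Run elevated on the host under review.
$cv       = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$osBuild  = [int]$cv.CurrentBuildNumber     # e.g. 22631
$osUbr    = [int]$cv.UBR                    # update build revision of the installed LCU
$sys32    = Join-Path $env:SystemRoot 'System32'
$findings = [System.Collections.Generic.List[string]]::new()

foreach ($name in 'ntoskrnl.exe', 'ci.dll', 'securekernel.exe') {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path $path)) { $findings.Add("$name is missing from System32"); continue }

    $vi  = (Get-Item $path).VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $path   # catalog-signed files resolve here too
    "{0,-18} {1,-24} {2}" -f $name, $vi.FileVersion, $sig.Status

    # Replaced or tampered binary: signature no longer Valid (NotSigned, HashMismatch, ...).
    if ($sig.Status -ne 'Valid') { $findings.Add("$name signature status is $($sig.Status)") }
    # Binary from a different OS build line: the third version component should match the OS.
    if ($vi.FileBuildPart -ne $osBuild) { $findings.Add("$name build $($vi.FileBuildPart) != OS build $osBuild") }
    # Soft signal: revision older than the installed cumulative update. Files that recent
    # updates did not touch legitimately lag, so this is a prompt to verify, not proof.
    if ($vi.FilePrivatePart -lt $osUbr) { $findings.Add("$name revision $($vi.FilePrivatePart) < installed UBR $osUbr (verify)") }
}

# VBS: enabled in the registry but not running is the "partial configuration" symptom.
$dgReg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
$dg    = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$configured = ($dgReg.EnableVirtualizationBasedSecurity -eq 1)
$running    = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 0 = off, 1 = enabled not running, 2 = running
$hvci       = ($dg.SecurityServicesRunning -contains 2)       # 2 = HVCI (kernel-mode code integrity)
"VBS configured: $configured  VBS running: $running  HVCI running: $hvci"
if ($configured -and -not $running) { $findings.Add('VBS is enabled in the registry but is not running') }

if ($findings.Count) { $findings | ForEach-Object { "FINDING: $_" } } else { 'No downgrade indicators found' }
```

A signature status other than Valid on any of these files, or VBS configured but not running, is the state worth escalating; the revision comparison alone is only a reason to look closer.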


⟶ Microsoft's Response: Although Microsoft has acknowledged the risks associated with these downgrade tactics, it hasn't classified the vulnerability as crossing a security boundary (because this exploit requires administrator privileges), meaning it is not yet fully patched. Microsoft states that it is working on a comprehensive fix, which will involve revoking certain unpatched files across affected systems, though a release date for this update is not yet confirmed.