Old is new: Windows vulnerability allows undetectable downgrade attacks

Published on 2024-08-17

At the 2024 Black Hat USA Conference, SafeBreach researcher Alon Leviev presented an attack that manipulates an action list XML file to push a “Windows Downdate” tool that bypasses all Windows verification steps and the Trusted Installer. The tool can also manipulate Windows to confirm that the system is fully updated.

The Windows Update process has been compromised before. Released in 2023, the BlackLotus UEFI bootkit includes downgrade capabilities that exploit vulnerabilities in the Windows Update architecture. Similar to the method Leviev showcased, the BlackLotus bootkit downgrades various system components to bypass the VBS UEFI locks. A threat actor can then use privilege escalation “zero-day” attacks on a previously up-to-date system. In a blog post on SafeBreach, Leviev stated, “I discovered multiple ways to disable Windows virtualization-based security (VBS), including its features such as Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when enforced with UEFI locks. To my knowledge, this is the first time VBS’s UEFI locks have been bypassed without physical access.”

Leviev informed Microsoft of the vulnerabilities in February of this year. However, Microsoft is still developing a security update to revoke outdated and unpatched VBS systems. Microsoft also plans to release a guide to “provide customers with mitigations or relevant risk reduction guidance as they become available.” Guidance is necessary since, according to Leviev, these attacks are undetectable and invisible. To learn more or to see the exploit in action, please visit the resources below.

Release statement: This article is reproduced from https://www.notebookcheck.net/Old-is-new-Windows-vulnerability-allows-undetectable-downgrade-attacks.873020.0.html