New Windows Downgrade Flaw Lets Attackers Bypass Security and Install Rootkits

A newly uncovered vulnerability in Windows allows attackers to bypass Driver Signature Enforcement (DSE) by downgrading Windows kernel components, enabling them to deploy rootkits on fully updated systems. By manipulating the Windows Update process, attackers can reintroduce outdated, vulnerable components without changing the system's "fully patched" status. Security researcher Alon Leviev discovered the flaw, which allows an attacker who already holds administrative privileges to bypass DSE by replacing essential security files, such as "ci.dll," with unpatched versions that ignore signature checks. This rollback attack, demonstrated by Leviev at BlackHat and DEFCON, shows how the method can be used to load unsigned drivers and hide malicious activity.

Leviev also published a tool called Windows Downdate, which simulates these downgrades and exposes supposedly secure systems to known vulnerabilities. The exploit, dubbed "ItsNotASecurityBoundary," relies on a new vulnerability class related to file immutability flaws, first identified by researcher Gabriel Landau. Leviev further demonstrated how attackers can disable Windows' Virtualization-Based Security (VBS), which exists to protect sensitive resources, showing that security layers like UEFI and registry keys can still be bypassed when they are not fully configured.

Microsoft has acknowledged the risks and is developing a fix, though no release date is set. For now, experts recommend that security solutions monitor for downgrade attacks, as they remain a significant security threat.
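The monitoring the experts recommend boils down to spotting a version regression in a kernel component while the host still reports the same patched build. The following is an added example of that check, not code from the article or from the Windows Downdate tool; the watched-file list beyond ci.dll, the snapshot format and every version number are constructed for illustration.

```python
"""Detect kernel-component version regressions between two inventory snapshots.

Constructed example of a check a security solution could run to spot a
rollback attack: the OS still reports the same (patched) build, yet a
security-critical file such as ci.dll now carries an older version than the
baseline recorded right after patching.
"""
from dataclasses import dataclass
from typing import Dict, List

# Files whose rollback matters for DSE / kernel integrity. ci.dll is named in the
# article; ntoskrnl.exe is an assumed example of another kernel component.
WATCHED = ("ci.dll", "ntoskrnl.exe")


def parse_version(text: str) -> tuple:
    """Turn '10.0.19999.500' into (10, 0, 19999, 500) so comparison is numeric;
    a plain string compare would rank '.9' above '.500'."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Finding:
    file: str
    baseline: str
    current: str


def detect_downgrades(baseline: Dict[str, str], current: Dict[str, str]) -> List[Finding]:
    """Compare two {file: version} inventories and report watched files whose
    version went backwards. A file that vanished is reported too, since removing
    it also defeats the control. Files absent from the baseline are skipped."""
    findings = []
    for name in WATCHED:
        base, cur = baseline.get(name), current.get(name)
        if base is None:
            continue
        if cur is None or parse_version(cur) < parse_version(base):
            findings.append(Finding(name, base, cur or "<missing>"))
    return findings


def is_silent_rollback(baseline: Dict[str, str], current: Dict[str, str]) -> bool:
    """True when the reported OS build is unchanged (host still looks 'fully
    patched') but at least one watched component regressed."""
    return baseline.get("os_build") == current.get("os_build") and bool(
        detect_downgrades(baseline, current))


# Constructed snapshots; the version strings are placeholders, not real builds.
BASELINE = {"os_build": "10.0.19999.500", "ci.dll": "10.0.19999.500", "ntoskrnl.exe": "10.0.19999.500"}
ROLLED_BACK = {"os_build": "10.0.19999.500", "ci.dll": "10.0.19999.1", "ntoskrnl.exe": "10.0.19999.500"}

if __name__ == "__main__":
    for f in detect_downgrades(BASELINE, ROLLED_BACK):
        print(f"DOWNGRADE {f.file}: {f.baseline} -> {f.current}")
    print("silent rollback:", is_silent_rollback(BASELINE, ROLLED_BACK))
```

In practice the baseline is recorded after each patch cycle and the current snapshot is taken from the live file versions, so a legitimate update raises the baseline rather than triggering a finding.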
