Windows kernel components can be installed to bypass defense systems

There is a way to “downgrade” a fully updated Windows 11 device

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Experts have uncovered a method allowing cybercriminals to bypass Windows security features such as Driver Signature Enforcement (DSE), and thus installrootkitson fully updated systems.

A report from cybersecurity researcher Alon Leviev of SafeBreach claims the attack is possible by downgrading certain Windows kernel components.

By taking over the Windows Update process, crooks can add outdated, vulnerable software components, making a system seem “fully patched” even though it isn’t. Apparently, even full-patchedWindows 11devices can be targeted this way.

Rising sophistication

The researcher claims to have reported this issue toMicrosoft, but the software giant didn’t fix it, saying it didn’t break a “security boundary” since an attacker would already need administrator access.

Leviev demonstrated the issue at the Black Hat and DEF CON 2024 events, and shared a tool, Windows Downdate, which allows creating downgrades that reopen old vulnerabilities.

He claimed to have managed to downgrade patched components on Windows 11, bring back the DSE bypass and enable the use of unsigned drivers. As a result, he was able to install rootkits that can turn off security software, hide malicious activity, and more.

In his attack, Leviev replaced a key Windows file called ci.dll with an unpatched version. After replacing the file, the system needs a restart, which makes it look like a normal update. Leviev also demonstrated methods to disable or bypass Virtualization-Based Security (VBS) by modifying specific settings and files, further weakening protections on the system.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Microsoft is now working on a fix, to block outdated system files and prevent downgrade attacks, however, the release date is not yet set, as protecting against these issues apparently requires careful testing to prevent system disruptions.

Until then, Leviev advises organizations to monitor for downgrade attacks.

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A critical Palo Alto Networks bug is being hit by cyberattacks, so patch now

3 reasons why PIA fell in our best VPN rankings

Stormforce Pro Creator 0601 workstation review