Windows Downdate Attacks – What You Need to Know
Downgrade attacks, also referred to as version-rollback attacks, are designed to revert fully updated software to older versions. This tactic allows malicious actors to exploit previously patched vulnerabilities, thereby compromising systems and gaining unauthorized access.
The latest findings, presented by SafeBreach Labs researcher Alon Leviev at Black Hat USA 2024 and DEF CON 32, delve into the state of downgrade attacks on Windows. Leviev's research led to the development of Windows Downdate, a tool capable of commandeering the Windows Update process, enabling attackers to execute undetectable and irreversible downgrades on critical operating system components. This alarming revelation underscores how a determined attacker can render a fully patched Windows machine vulnerable to thousands of past exploits, effectively nullifying the concept of being "fully patched."
These vulnerabilities were disclosed to Microsoft in February 2024, resulting in the issuance of two CVEs: CVE-2024-21302 and CVE-2024-38202. Microsoft has since provided additional security guidance through their Security Update Guide ADV24216903. For further inquiries, stakeholders are encouraged to reach out to the Microsoft communications team directly at communications@microsoft.com.
Quick Share Vulnerability Exploit – What You Need to Know
Google’s Quick Share, a peer-to-peer data transfer utility for Android, Windows, and Chrome, utilizes various communication protocols to facilitate file sharing between nearby devices. Recent research by SafeBreach Labs, presented at DEF CON 32, sought to uncover potential vulnerabilities within this relatively new file-sharing solution.
This investigation identified ten unique vulnerabilities, some of which could be combined into an innovative remote code execution (RCE) attack chain against Quick Share for Windows. The findings emphasize that even seemingly minor features can be exploited by motivated attackers to orchestrate advanced attacks.
The vulnerabilities were disclosed to Google in January 2024, leading to the issuance of two CVEs: CVE-2024-38271 and CVE-2024-38272. The identified vulnerabilities include:
- Remote Unauthorized File Write in Quick Share for Windows
- Remote Unauthorized File Write in Quick Share for Android
- Remote Forced WiFi Connection in Quick Share for Windows
- Remote Directory Traversal in Quick Share for Windows
- Remote DoS in Quick Share for Windows – Endless Loop
- Remote DoS in Quick Share for Windows – Assert Failure
- Remote DoS in Quick Share for Windows – Unhandled Exception
SafeBreach Coverage of Windows Downdate Attacks and Quick Share Vulnerabilities
SafeBreach has incorporated individual attacks related to the identified vulnerabilities into its Hacker’s Playbook, allowing organizations to validate their security controls:
- Downdate attacks – Two attacks that enable an attacker to potentially take over the Windows Update process and downgrade Windows to a vulnerable version:
- #10341 – Windows Downdate – Windows update takeover
- #10342 – Windows Downdate – TrustedInstaller elevation
- Quick Share attacks – Attacks that allow an attacker to force a victim to download any file of their choice on a vulnerable QuickShare version:
- #10334
