Microsoft’s approach to security vulnerabilities has come under scrutiny following a recent analysis by SafeBreach researchers. Traditionally, the tech giant has operated on the premise that if an attacker possesses administrative privileges, the leap to kernel-level code execution does not breach a defined security boundary. As a result, such scenarios have not been classified as critical vulnerabilities warranting immediate action.
Concerns Over Kernel-Level Security
In a blog post dated October 26, SafeBreach raised alarms about this narrow definition, arguing that it leaves systems susceptible to the deployment of custom rootkits capable of undermining essential security controls. The researchers highlighted that while Microsoft has made notable advancements in fortifying kernel security against compromises by administrators, the ability to downgrade kernel components has inadvertently simplified the process of compromising the kernel itself.
A Microsoft spokesperson acknowledged the findings, stating, “We appreciate the work of SafeBreach in identifying and responsibly reporting this vulnerability through a coordinated vulnerability disclosure. We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption.”
Jason Soroko, a senior fellow at Sectigo, elaborated on the implications of the research, explaining how attackers could exploit this oversight by downgrading critical system components via the Windows Update process. This tactic effectively disables vital security features such as Driver Signature Enforcement (DSE) and virtualization-based security (VBS).
“While administrators have legitimate high-level access, they are still subject to certain restrictions, such as DSE and VBS, which are designed to prevent unauthorized code from running at the kernel level,” Soroko noted. “These features act as security boundaries intended to maintain system integrity and prevent malicious activities.”
Understanding Downgrade Attacks
According to SafeBreach, downgrade attacks—also referred to as “version-rollback attacks”—are engineered to revert fully updated software to older versions. This allows malicious actors to exploit previously patched vulnerabilities, thereby gaining unauthorized access to systems. Through this mechanism, SafeBreach identified CVE-2024-21302, a privilege escalation vulnerability impacting the entire Windows virtualization stack.
Furthermore, SafeBreach explained that CVE-2024-38202, which pertains to the Windows Update takeover capability, continues to pose a significant threat. This vulnerability can be leveraged to revive the “ItsNotASecurityBoundary” DSE bypass, enabling attackers to load unsigned kernel drivers. Such actions facilitate the deployment of custom rootkits that can neutralize security controls, obscure processes, and mask network activity.
Jim Edwards, senior director of engineering at Keeper Security, emphasized the ongoing battle in cybersecurity, where defenses are constantly evolving alongside the tactics employed by attackers. “Microsoft has made significant strides to harden the Windows kernel, yet skilled attackers can still find ways around these protections, as we saw with the downgrade attack on Windows Update,” he remarked.
Edwards further explained, “By tricking the system into installing vulnerable versions of critical components, an attacker with administrator privileges can quietly bypass security while making an updated system appear fully patched. A zero-trust security model and privileged access management can help reduce these risks by enforcing strict authentication and authorization, even for administrators.”
In response to these vulnerabilities, the Microsoft spokesperson confirmed that the company is in the process of developing a security update aimed at revoking outdated, unpatched VBS system files to mitigate this threat. Given the complexity involved in blocking a substantial number of files, rigorous testing is essential to prevent integration failures or regressions. Concurrently, Microsoft has released security update CVE-2024-38202 on October 15 to bolster customer protection, with ongoing updates planned for CVE-2024-21302 as further mitigation strategies become available.
