
New Video from @BlackHatOfficialYT: Researcher Alon Discusses Downgrade Attacks on Windows
In this video, Alon, a security researcher at SafeBreach, shares his research journey on downgrade attacks on Windows and their serious implications for the platform's security. Alon, a 22-year-old self-taught expert, focuses on operating system internals, reverse engineering, and vulnerability research. Before moving into security, he was a Brazilian jiu-jitsu athlete who won several world and European titles.

Alon begins by explaining what a downgrade attack is: it reverts up-to-date, secure software to an older, vulnerable version, letting an attacker exploit vulnerabilities that the current version had already patched. His research started with the BlackLotus bootkit, which gained attention by bypassing Secure Boot on a fully updated Windows 11. BlackLotus did not exploit a new zero-day vulnerability; it exploited a known and patched vulnerability by means of a downgrade attack.

To explain how BlackLotus bypassed Secure Boot, Alon recalls that Secure Boot is a security feature that verifies that each component in the boot chain is digitally signed. BlackLotus downgraded the Windows boot manager to a signed but vulnerable version, then exploited a vulnerability in that boot manager to bypass Secure Boot. Microsoft mitigated these attacks by revoking the vulnerable boot managers, but Alon asked whether other components could be vulnerable to downgrade attacks.

The goal of Alon's research was to assess the state of downgrade attacks on Windows and to discover whether components other than Secure Boot had been overlooked. He decided to target not only third-party drivers but also first-party components, including those residing at a level below the kernel itself. To guide this, he defined the criteria for a perfect downgrade attack: it must be undetectable, invisible, persistent, and irreversible.
Alon then examined the architecture of Windows updates and found a design flaw: the administrator is not treated as a security boundary relative to the Trusted Installer. Although elevation of privileges from administrator to Trusted Installer is blocked by EDR (Endpoint Detection and Response) products, Alon found a flaw in the update process that bypasses these protections. By modifying a specific registry key, he was able to control every update action, fully compromising the Windows update process.

Alon presented several demonstrations of his findings. The first shows how to downgrade a kernel driver, afd.sys, to an old and vulnerable version using the Windows update mechanism itself, and then how to exploit that vulnerability to achieve kernel-level code execution. The second combines all of the acquired capabilities to bypass Windows' advanced security protections, such as Protected Process Light (PPL), Credential Guard, and Windows Defender.

Alon also explored what his findings mean for the security of Windows' virtualization-based security (VBS). VBS is a secure, isolated virtual environment introduced to protect critical security features and store secret keys even when the kernel is assumed to be compromised. Alon discovered that VBS could be disabled by replacing the secure kernel or the hypervisor with invalid files, thereby bypassing UEFI protections.

Finally, Alon discussed the implications of his research and the next steps. He emphasized the importance of secure design and of thoroughly studying real-world attacks. He also thanked Microsoft for their cooperation and efforts to address the identified issues. Alon concluded by encouraging the cybersecurity community to explore downgrade attacks further and to ensure that other operating systems, such as macOS or Linux, are not also vulnerable. To learn more, watch the full video: https://www.youtube.com/watch?v=SI5_COohUlM
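As an added defender's check (not from the talk or SafeBreach's tooling): the PowerShell script below baselines the file versions of the components discussed above (afd.sys, the secure kernel, the hypervisor and the boot manager) and on later runs flags any whose version went backwards, since a downgraded binary is still validly signed and passes integrity checks; it also reports Secure Boot and VBS state. The file paths and the baseline location are assumptions.

```powershell
# Added example, not from the talk: flag version downgrades of the components the talk
# names and report Secure Boot / VBS state. Assumes an elevated shell on Windows 10/11.
$BaselinePath = "$env:ProgramData\downgrade-baseline.json"   # arbitrary location
$Watched = @(
    "$env:SystemRoot\System32\drivers\afd.sys",    # kernel driver from the first demo
    "$env:SystemRoot\System32\securekernel.exe",   # VBS secure kernel
    "$env:SystemRoot\System32\hvix64.exe",         # hypervisor (Intel; hvax64.exe on AMD)
    "$env:SystemRoot\Boot\EFI\bootmgfw.efi"        # boot manager image kept on disk
)
function Get-ComponentVersions {
    $result = @{}
    foreach ($path in $Watched) {
        if (-not (Test-Path $path)) { continue }
        $vi = (Get-Item $path).VersionInfo
        # Numeric parts only; the free-text FileVersion string is not reliably comparable.
        $result[$path] = "{0}.{1}.{2}.{3}" -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    }
    return $result
}
function Test-Downgrade {
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($path in $Baseline.Keys) {
        if (-not $Current.ContainsKey($path)) { "MISSING   $path"; continue }
        # A signed but older binary passes signature checks; only the version gives it away.
        if ([version]$Current[$path] -lt [version]$Baseline[$path]) {
            "DOWNGRADE $path : $($Baseline[$path]) -> $($Current[$path])"
        }
    }
}
function Get-IsolationState {
    $sb = try { Confirm-SecureBootUEFI } catch { $null }   # $null on legacy BIOS firmware
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        SecureBoot      = $sb
        VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)  # 2 = running
        CredentialGuard = ($dg.SecurityServicesRunning -contains 1)      # 1 = Credential Guard
    }
}
$current = Get-ComponentVersions
if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content $BaselinePath
    Write-Output "Baseline written to $BaselinePath; run again later to compare."
} else {
    $baseline = @{}
    (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties | ForEach-Object { $baseline[$_.Name] = $_.Value }
    $findings = @(Test-Downgrade -Baseline $baseline -Current $current)
    if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output "No downgraded components detected." }
}
Get-IsolationState | Format-List
```

Refresh the baseline after each legitimate cumulative update so that a later rollback to an intermediate build is still caught; a MISSING or DOWNGRADE finding on securekernel.exe or hvix64.exe together with VbsRunning = False is consistent with the VBS tampering described above.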