LAS VEGAS — Some of Microsoft’s most important tools for protecting Windows users from malicious hackers can be twisted into being used in attacks, according to research presented Wednesday at the annual Black Hat security conference in Las Vegas.
The newly discovered method includes altering the internal registry of a Windows machine to make it seem that it has been updated through Microsoft’s regular process for issuing improvements and security fixes.
That would allow an attacker to downgrade the machine to earlier versions of Windows, making hundreds of vulnerabilities that are patched in current versions of Windows fair game once more.
The technique fools another highly touted security innovation, known as virtualization-based security, by renaming a file folder, according to Alon Leviev, a researcher for security company SafeBreach who is presenting the findings at Black Hat and at Def Con, the hacking conference that begins in Las Vegas on Friday.
Microsoft’s feature is supposed to stop any tainted core element of an operating system from working, but Leviev beat it, giving him complete control of test machines.
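The article's description of the technique, a registry made to claim a machine is fully updated while older system files are actually on disk, suggests a simple defensive cross-check. The following PowerShell script is an added example written for this page, not code from SafeBreach, Microsoft or the researcher: it compares the patch level recorded in the registry with the version stamped on the kernel and the code-integrity library that are really present, and reports whether virtualization-based security is running. The choice of `ntoskrnl.exe` and `ci.dll` as indicator files, and the treatment of a mismatch as a downgrade signal, are assumptions made here; a mismatch can also appear briefly during a pending update reboot, so it is a signal to investigate rather than proof of compromise.

```powershell
# Added defensive check (not from the article, SafeBreach or Microsoft).
# Assumptions: the standard CurrentVersion registry key is present, and the
# file versions of ntoskrnl.exe and ci.dll are reasonable indicators of the
# OS build actually running.

function Get-RegistryPatchLevel {
    # CurrentBuild and UBR together form the build.revision the OS reports as installed
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return [pscustomobject]@{
        Build    = [int]$cv.CurrentBuild
        Revision = [int]$cv.UBR
    }
}

function Get-FilePatchLevel {
    param([Parameter(Mandatory)][string]$Path)
    # ProductVersion is normally "10.0.<build>.<revision>" for system binaries
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    $parts = $vi.ProductVersion -split '[^0-9]+' | Where-Object { $_ -ne '' }
    if ($parts.Count -lt 4) { throw "Unexpected version string '$($vi.ProductVersion)' for $Path" }
    return [pscustomobject]@{
        Path     = $Path
        Build    = [int]$parts[2]
        Revision = [int]$parts[3]
    }
}

function Get-VbsStatus {
    # Win32_DeviceGuard reports VBS state: 0 = not enabled, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning contains 2 when hypervisor-enforced code integrity (HVCI) is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    return [pscustomobject]@{
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Test-DowngradeIndicators {
    $reg = Get-RegistryPatchLevel
    $findings = @()

    foreach ($f in @("$env:SystemRoot\System32\ntoskrnl.exe", "$env:SystemRoot\System32\ci.dll")) {
        $file = Get-FilePatchLevel -Path $f
        # A file older than what the registry claims is the pattern described in the article:
        # the machine looks patched while pre-patch binaries are in place.
        if ($file.Build -lt $reg.Build -or
            ($file.Build -eq $reg.Build -and $file.Revision -lt $reg.Revision)) {
            $findings += "MISMATCH: $($file.Path) is $($file.Build).$($file.Revision) but registry reports $($reg.Build).$($reg.Revision)"
        }
    }

    $vbs = Get-VbsStatus
    if (-not $vbs.VbsRunning)  { $findings += "VBS is not running" }
    if (-not $vbs.HvciRunning) { $findings += "HVCI is not running" }

    return [pscustomobject]@{
        RegistryPatchLevel = "$($reg.Build).$($reg.Revision)"
        Findings           = $findings
        Suspicious         = ($findings.Count -gt 0)
    }
}

# Usage: run on a machine and review the findings; a clean, fully patched host returns no findings.
$result = Test-DowngradeIndicators
$result | Format-List
```

Because the same attacker who edits the registry could in principle tamper with other local evidence, the version comparison is most useful when the expected build for each host is also tracked centrally (for example in endpoint management inventory) and compared against what the host reports.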
Microsoft said it was still working on mitigations for the attack technique, which Leviev reported to the company in February. It said it had no evidence that criminals or spies had been using the method in actual attacks, although that could change after Wednesday’s public presentation.
“We appreciate the work of SafeBreach in identifying and responsibly reporting this vulnerability,” said Microsoft spokesman Jeff Jones. “We are actively developing mitigations to protect against these risks.”
Because the security flaw is in the design of multiple Windows sub-programs, fixing it is not as simple as issuing a patch. Instead, Microsoft has to craft an update that revokes and replaces old system files. A wide variety of tests are needed to be sure the fix does not harm or crash Windows computers, Microsoft said.
Leviev said he began looking for ways to force Windows downgrades in the wake of a similar rollback attack demonstrated a year ago against Microsoft’s Secure Boot process for starting machines safely. He looked for other key programs that might be vulnerable to the same technique and found it in the update process.
He said one lesson from his work is that vendors and outside researchers should look carefully at new types of attacks to see if similar approaches would also work. In the past few years, outside researchers and some former Microsoft employees have complained that Microsoft patches only the exact vulnerabilities that friendly researchers demonstrate, instead of redesigning programs to eliminate entire classes of attacks.
Under fire for other security failings that allowed foreign spies to hijack the email accounts of top U.S. officials, Microsoft pledged this year to make security performance a part of salary reviews.