
How to Mitigate Downgrade Attacks Against Windows Systems

SafeBreach's Alon Leviev on How Organizations Can Reduce the Likelihood of Exploits
Alon Leviev, security researcher, SafeBreach

Operating system downgrade attacks expose organizations to significant risk by helping attackers exploit vulnerabilities in older versions of Windows software, according to SafeBreach security researcher Alon Leviev.


Windows allows components such as the boot manager to be downgraded to older versions, which lets attackers reintroduce and exploit previously patched vulnerabilities and undermine system integrity. Although Microsoft has rolled out mitigations, Leviev recommends that organizations monitor TrustedInstaller actions and consider implementing versioning checks to detect and prevent unauthorized downgrades.
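One way to put the versioning-check recommendation into practice, as an added example that is not the article's or SafeBreach's code: record the file versions of a few boot and kernel components after a known-good patch cycle, then flag any that later move backwards. It assumes an elevated session, 64-bit Windows, and a baseline location chosen here for illustration.

```powershell
# Added example, not code from the article or SafeBreach. Assumptions: run as
# Administrator on 64-bit Windows; the baseline path below is arbitrary.
$BaselinePath = "$env:ProgramData\DowngradeCheck\baseline.xml"

# Components whose downgrade would re-expose previously patched vulnerabilities.
$WatchedFiles = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",   # kernel
    "$env:SystemRoot\System32\ci.dll",         # code integrity
    "$env:SystemRoot\System32\winload.efi",    # OS loader
    "$env:SystemRoot\Boot\EFI\bootmgfw.efi"    # boot manager (staging copy)
)

function Get-ComponentVersions {
    # Build a [version] from the numeric parts so the suffix in the version
    # string (e.g. "(WinBuild.160101.0800)") cannot break the comparison.
    $versions = @{}
    foreach ($path in $WatchedFiles) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        $versions[$path] = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                          $vi.FileBuildPart, $vi.FilePrivatePart)
    }
    return $versions
}

function Save-ComponentBaseline {
    # Record the current versions right after a trusted patch cycle.
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    Get-ComponentVersions | Export-Clixml -Path $BaselinePath
}

function Test-ComponentDowngrade {
    # Return every watched file whose version is now lower than the baseline.
    $baseline = Import-Clixml -Path $BaselinePath
    $current  = Get-ComponentVersions
    $findings = foreach ($path in $baseline.Keys) {
        if ($current.ContainsKey($path) -and $current[$path] -lt $baseline[$path]) {
            [pscustomobject]@{ Path = $path; Baseline = $baseline[$path]; Current = $current[$path] }
        }
    }
    return @($findings)
}

# First run stores the baseline; later scheduled runs compare against it.
if (-not (Test-Path -LiteralPath $BaselinePath)) { Save-ComponentBaseline }
$downgrades = Test-ComponentDowngrade
if ($downgrades.Count -gt 0) { $downgrades | Format-Table -AutoSize; Write-Warning "Component downgrade detected" }
else { Write-Output "No downgrades relative to baseline" }
```

Refresh the baseline only after an update you trust, so that a legitimate patch is not mistaken for a regression and an unexpected drop in version is surfaced for investigation.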

"The fact that you can revert to an old and vulnerable version of the software and then exploit old vulnerabilities which seem to have been fixed in the core machine that you're running on was very fascinating to me," Leviev said.

In this video interview with Information Security Media Group at Black Hat 2024, Leviev also discussed:

  • The mechanics of downgrade attacks and their implications for Windows defenders;
  • How attackers manipulate Windows Update processes to downgrade critical components;
  • The importance of securing Windows design flaws and monitoring the update process.

Leviev is a self-taught security researcher with a diverse background. He started his professional career as a blue team operator, focusing on the defensive side of cybersecurity. His main focus includes operating system internals, reverse engineering and vulnerability research. Before entering cyber, he was a professional jiujitsu athlete in Brazil and won several world and European titles.


About the Author

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.
