"Windows Update Flaws Allow Undetectable Downgrade Attacks"

SafeBreach Labs researcher Alon Leviev has highlighted significant gaps in Microsoft's Windows Update architecture, warning that attackers can carry out software downgrade attacks and render the term "fully patched" meaningless on any Windows machine. In a Black Hat conference presentation, he showed how he took control of the Windows Update process to craft custom downgrades of critical OS components, elevate privileges, and more. The result was a fully patched Windows machine that was once again exposed to thousands of previously fixed vulnerabilities, effectively turning patched flaws back into zero-days. A downgrade or version-rollback attack reverts up-to-date software to an older version that carries known, exploitable vulnerabilities, while the system still appears to be fully patched. This article continues to discuss Leviev's demonstrated attack against the Windows Update architecture and how it turns fixed vulnerabilities into zero-days.

SecurityWeek reports "Windows Update Flaws Allow Undetectable Downgrade Attacks"

Submitted by grigby1
