A newly discovered attack technique allows hackers to bypass Microsoft’s Driver Signature Enforcement (DSE), potentially exposing fully updated Windows systems to serious threats. The method leverages OS downgrade attacks to install unsigned kernel drivers, a development that could lead to the creation of stealthy rootkits capable of evading security controls.
A New Threat Beyond BYOVD Attacks
This emerging exploit offers attackers a powerful alternative to the common Bring Your Own Vulnerable Driver (BYOVD) technique. Rather than relying on outdated third-party drivers, attackers can now downgrade critical system components, including the Windows kernel itself, using a custom tool called Windows Downdate.
According to SafeBreach researcher Alon Leviev, the vulnerability allows attackers to hijack the Windows Update process and perform persistent, irreversible downgrades. These downgrades expose modern systems to previously patched vulnerabilities, opening the door for sophisticated malware deployment.
The discovery builds on two earlier privilege escalation vulnerabilities in the Windows update mechanism:
- CVE-2024-21302
- CVE-2024-38202
Microsoft addressed these issues in Patch Tuesday updates on August 13 and October 8, 2024. However, this latest attack demonstrates that even fully patched systems remain vulnerable when attackers exploit weaknesses in the update process to downgrade OS components.
Exploiting the ‘ItsNotASecurityBoundary’ Flaw
At the heart of the attack lies a bypass technique targeting Microsoft’s DSE protections. This bypass relies on downgrading a key security patch related to the ItsNotASecurityBoundary vulnerability, initially documented by Elastic Security Labs researcher Gabriel Landau in July 2024.
The exploit leverages a race condition to replace a verified security catalog with a malicious one. Once replaced, the system loads an unsigned kernel driver, granting attackers the ability to execute arbitrary code at the kernel level. Microsoft previously attempted to fix this vulnerability by updating the Code Integrity library (ci.dll), but the downgrade attack rolls this library back to a vulnerable version, specifically 10.0.22621.1376, undoing the patch.
How the Attack Works
The steps involved in this exploit highlight the sophistication of the attack:
- Disable Virtualization-Based Security (VBS) by modifying Windows Registry keys or corrupting SecureKernel.exe.
- Replace ci.dll with an older, vulnerable version.
- Reboot the system to apply the downgrade.
- Leverage the DSE bypass to load unsigned drivers and execute malicious code at the kernel level.
If VBS is enabled with a Unified Extensible Firmware Interface (UEFI) Lock and a Mandatory flag, the exploit becomes much more difficult. In this mode, any corruption of core virtualization modules prevents the OS from booting, blocking the attacker’s downgrade attempts. However, VBS configurations without UEFI lock are vulnerable, allowing attackers to tamper with the security settings and disable protections.
Why VBS Isn’t Always a Silver Bullet
While Virtualization-Based Security (VBS) offers an additional layer of protection by delegating code integrity checks to the skci.dll library, many systems run VBS with default settings that lack a UEFI lock. This makes them susceptible to registry tampering, enabling attackers to disable VBS before downgrading the system files.
Even when UEFI lock is enabled, an attacker could still disable VBS by introducing corrupted system files. Only systems configured with the Mandatory mode—which halts boot processes upon virtualization failures—are fully protected. This, however, requires a manual registry configuration that many administrators overlook.
Implications for Security
This attack represents a significant evolution in OS exploitation tactics, as it bypasses key defenses without relying on external drivers. The ability to downgrade Microsoft’s first-party components not only circumvents modern security controls but also opens the door for the installation of persistent rootkits, allowing attackers to:
- Conceal processes and network activity.
- Disable or manipulate security tools.
- Achieve long-term, stealthy persistence.
Leviev emphasizes that defenders must detect downgrade attempts proactively, even for components not traditionally seen as crossing security boundaries. “The lesson here is that no security mechanism can be considered invincible,” Leviev explained. “Security solutions must monitor system updates and prevent rollback attempts to avoid reintroducing old vulnerabilities.”
Mitigation Strategies
Microsoft’s Mandatory VBS mode with UEFI lock provides the most effective protection against this downgrade attack. To mitigate the risk:
- Enable VBS with a UEFI lock and ensure the Mandatory flag is set.
- Monitor Windows updates for signs of tampering and unauthorized downgrades.
- Harden registry permissions to prevent attackers from disabling virtualization security.
- Use endpoint detection solutions that can flag suspicious system reboots or rollback attempts.
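As an added example (not code from the article or from the Windows Downdate research), the PowerShell audit below checks the VBS posture described under “Why VBS Isn’t Always a Silver Bullet” and covers the first two mitigation items: it reports whether VBS/HVCI is running with the UEFI lock and Mandatory flag, and whether ci.dll sits at or below the vulnerable build the article names. The DeviceGuard registry path and the Locked value follow Microsoft’s VBS documentation; the Mandatory value name is an assumption and should be confirmed against current Microsoft guidance for your build.

```powershell
# Added audit script, not part of the article or the Windows Downdate tooling.
# Checks VBS/HVCI runtime state, the UEFI lock and Mandatory flags, and whether
# ci.dll has been rolled back to the vulnerable build quoted in the article.
# Assumption: the 'Mandatory' value under the DeviceGuard key is assumed; verify it.

$VulnerableCiVersion = [version]'10.0.22621.1376'   # build quoted in the article
$DeviceGuardKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

function Get-VbsPosture {
    # Runtime state from the DeviceGuard WMI provider (the same data msinfo32 shows):
    # VirtualizationBasedSecurityStatus 2 = running; SecurityServicesRunning 2 = HVCI.
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $reg = Get-ItemProperty -Path $DeviceGuardKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsRunning    = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning   = ([int[]]$dg.SecurityServicesRunning -contains 2)
        UefiLocked    = ($reg.Locked -eq 1)
        MandatoryFlag = ($reg.Mandatory -eq 1)   # assumed value name, see header
    }
}

function Test-CiDllRollback {
    # Compare the Code Integrity library's file version with the build the downgrade
    # restores. A different OS build line (third component) is reported, not judged,
    # so that machines on other branches do not produce false positives.
    $ci = Get-Item "$env:SystemRoot\System32\ci.dll"
    if ($ci.VersionInfo.FileVersion -match '^(\d+\.\d+\.\d+\.\d+)') {
        $current = [version]$Matches[1]
    } else {
        throw "Unexpected ci.dll version string: $($ci.VersionInfo.FileVersion)"
    }
    $sameBuild = ($current.Build -eq $VulnerableCiVersion.Build)
    [pscustomobject]@{
        Path            = $ci.FullName
        FileVersion     = $current
        BuildComparable = $sameBuild
        RolledBack      = ($sameBuild -and $current -le $VulnerableCiVersion)
    }
}

$posture = Get-VbsPosture
$ciState = Test-CiDllRollback
$posture | Format-List
$ciState | Format-List
if (-not ($posture.VbsRunning -and $posture.UefiLocked -and $posture.MandatoryFlag)) {
    Write-Warning 'VBS is not running with UEFI lock and Mandatory flag; a ci.dll downgrade would not be blocked at boot.'
}
if ($ciState.RolledBack) {
    Write-Warning "ci.dll is at or below vulnerable build $VulnerableCiVersion; investigate for a downgrade."
}
```

Run it on the endpoint from an elevated prompt and feed the two objects to your EDR or SIEM; a change in FileVersion to a lower value between runs is the rollback signal the monitoring item above asks for.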
Organizations should also keep a close watch on Patch Tuesday updates, ensuring that critical vulnerabilities remain patched and systems are not quietly downgraded by threat actors.
Conclusion
The ability to exploit Windows update mechanisms and bypass DSE through OS downgrades underscores the evolving sophistication of kernel-level attacks. With attackers shifting from BYOVD strategies to first-party downgrades, defenders must adapt their strategies to detect and prevent rollback attempts. Ensuring VBS is properly configured and continuously monitoring update integrity are essential steps in staying ahead of these threats.
As this new attack vector gains attention, organizations need to adopt a proactive approach, treating system updates not just as a defense mechanism but also as a potential attack surface.