Design flaw could allow hackers to roll back Microsoft Windows updates

LAS VEGAS — Some of Microsoft’s most important tools for protecting Windows users from malicious hackers can be twisted into being used in attacks, according to research presented here Wednesday at the annual Black Hat security conference.

The newly discovered method includes altering the internal registry of a Windows machine to make it seem that it has been updated through Microsoft’s regular process for issuing improvements and security fixes.

That would allow an attacker to downgrade the machine to earlier versions of Windows, making hundreds of vulnerabilities that are patched in current versions of Windows fair game once more.

The technique fools another highly touted security innovation, known as virtualization-based security, by renaming a file folder, according to Alon Leviev, a researcher for security company SafeBreach who is presenting the findings at Black Hat and at Def Con, the hacking conference that begins here Friday.

Microsoft’s feature is supposed to stop any tainted core element of an operating system from working, but Leviev beat it, giving him complete control of test machines.

Microsoft said it was still working on mitigations for the attack technique, which Leviev reported to the company in February. It said it had no evidence that criminals or spies had been using the method in actual attacks, although that could change after Wednesday’s public presentation.

“We appreciate the work of SafeBreach in identifying and responsibly reporting this vulnerability,” said Microsoft spokesman Jeff Jones. “We are actively developing mitigations to protect against these risks.”

Because the security flaw is in the design of multiple Windows sub-programs, fixing it is not as simple as issuing a patch. Instead, Microsoft has to craft an update that revokes and replaces old system files. A wide variety of tests are needed to be sure the fix does not harm or crash Windows computers, Microsoft said.

Leviev said he began looking for ways to force Windows downgrades in the wake of a similar rollback attack demonstrated a year ago against Microsoft’s Secure Boot process for starting machines safely. He looked for other key programs that might be vulnerable to the same technique and found it in the update process.

He said one lesson from his work is that vendors and outside researchers should look carefully at new types of attacks to see if similar approaches would also work. In the past few years, outside researchers and some former Microsoft employees have complained that Microsoft patches only the exact vulnerabilities that friendly researchers demonstrate, instead of redesigning programs to eliminate entire classes of attacks.

Under fire for other security failings that allowed foreign spies to hijack the email accounts of top U.S. officials, Microsoft pledged this year to make security performance a part of salary reviews.

Source: washingtonpost.com
