Over the past year, Alon Leviev, a researcher at SafeBreach (and a former Brazilian jiu-jitsu competitor), has built a proof-of-concept tool called Windows Downdate. The tool quietly hijacks the Windows Update process to perform what Leviev describes as an "invisible, persistent, and irreversible" downgrade of core operating system components. In effect it rolls back previously installed security fixes, so the machine is once again exposed to the vulnerabilities those fixes closed, while still reporting itself as up to date.
Responsible Disclosure and Ongoing Efforts
Leviev reported the issues to Microsoft in February 2024, and Microsoft has since published advisories for two CVEs, CVE-2024-38202 and CVE-2024-21302 (an elevation-of-privilege issue in the Windows Update stack and one in Windows Secure Kernel Mode, respectively), while it works on fixes. Leviev published his findings in a blog post and presented them at Black Hat USA 2024 and DEF CON 32 earlier this week.
The research shows that drivers, DLLs and the NT kernel itself can all be silently rolled back to older versions. Windows Update, the recovery tools and the update scanners do not flag the change; they report the downgraded system as fully patched. The same technique reaches the entire virtualization stack, including the Secure Kernel, Hyper-V's hypervisor and Credential Guard's Isolated User Mode process. That gives an attacker several ways to disable virtualization-based security (VBS), even where UEFI locks are in place, which would otherwise require physical access to bypass.
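Because the built-in tooling treats the rolled-back components as current, the only way to notice a downgrade is to compare against a baseline taken out of band. The PowerShell script below is an added example for this article, not SafeBreach's Windows Downdate tool and not a Microsoft-supplied check. It snapshots the file version and SHA-256 of a handful of the binaries the research names (NT kernel, Secure Kernel, hypervisor, the Credential Guard process, a DLL and a driver; the list is an illustrative subset) together with the VBS state reported by WMI, and later flags any file whose hash changed and whose file version went down. The baseline path and the file list are assumptions made for the example.

```powershell
<#
  Added example: baseline-and-compare check for silently rolled-back Windows components.
  Not SafeBreach's Windows Downdate tool and not a Microsoft-supplied check.
  Assumptions: the binaries listed below are an illustrative subset, and the baseline
  JSON path is a placeholder (store it off-host in practice).
#>
[CmdletBinding()]
param(
    [ValidateSet('Baseline', 'Check')]
    [string]$Mode = 'Check',
    [string]$BaselinePath = "$env:ProgramData\wu-baseline.json"   # assumed location
)

$sys = "$env:SystemRoot\System32"
# NT kernel, Secure Kernel, hypervisor (hvix64 = Intel, hvax64 = AMD), code integrity,
# the Credential Guard isolated LSA process, plus one DLL and one driver as examples.
$targets = @(
    "$sys\ntoskrnl.exe", "$sys\securekernel.exe",
    "$sys\hvix64.exe",   "$sys\hvax64.exe",
    "$sys\ci.dll",       "$sys\lsaiso.exe",
    "$sys\ntdll.dll",    "$sys\drivers\tcpip.sys"
) | Where-Object { Test-Path -LiteralPath $_ }

function Get-BuildVersion([string]$FileVersion) {
    # FileVersion reads like "10.0.22631.3880 (WinBuild.160101.0800)"; keep the numeric part.
    [version](($FileVersion -split '\s+')[0])
}

function Get-Snapshot {
    $files = foreach ($path in $targets) {
        [pscustomobject]@{
            Path    = $path
            Version = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            Sha256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
    # VBS state: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning holds 1 for Credential Guard and 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        Taken           = (Get-Date).ToString('o')
        Files           = @($files)
        VbsStatus       = [int]$dg.VirtualizationBasedSecurityStatus
        ServicesRunning = @($dg.SecurityServicesRunning | ForEach-Object { [int]$_ })
    }
}

if ($Mode -eq 'Baseline') {
    Get-Snapshot | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath"
    return
}

$base   = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
$now    = Get-Snapshot
$alerts = New-Object 'System.Collections.Generic.List[string]'

foreach ($b in $base.Files) {
    $n = $now.Files | Where-Object { $_.Path -eq $b.Path }
    if (-not $n) { $alerts.Add("MISSING    $($b.Path)"); continue }
    if ($n.Sha256 -eq $b.Sha256) { continue }
    # Same path, different bytes. The downgrade installs older signed Microsoft binaries,
    # so a lower file version is its signature; a higher one is a legitimate update
    # and means the baseline needs refreshing.
    $verdict = if ((Get-BuildVersion $n.Version) -lt (Get-BuildVersion $b.Version)) { 'DOWNGRADED' } else { 'CHANGED' }
    $alerts.Add("$verdict $($b.Path): $($b.Version) -> $($n.Version)")
}

if ($now.VbsStatus -lt $base.VbsStatus) {
    $alerts.Add("VBS status dropped from $($base.VbsStatus) to $($now.VbsStatus)")
}
$lost = @($base.ServicesRunning) | Where-Object { $_ -notin @($now.ServicesRunning) }
if ($lost) {
    $alerts.Add("VBS services no longer running: $($lost -join ', ') (1 = Credential Guard, 2 = HVCI)")
}

if ($alerts.Count -eq 0) {
    Write-Output "OK: $($base.Files.Count) baselined components and VBS state match baseline from $($base.Taken)"
} else {
    $alerts | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it with `-Mode Baseline` right after a trusted patch cycle (and again after each legitimate update), keep the JSON somewhere the host cannot alter, then run `-Mode Check` on a schedule or from a boot-from-media environment. The caveats matter: the comparison only works because it is out of band, which is precisely the gap Leviev describes in Windows Update and the scanners; it cannot see a rollback that predates the baseline; and an attacker with the administrative rights Windows Downdate needs can also tamper with a baseline or script stored on the same machine.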
As a result, a fully patched Windows 11 machine becomes susceptible to "thousands of past vulnerabilities", which in Leviev's words makes the term "fully patched" nearly meaningless until the underlying issues are genuinely fixed. He also suggests the problem is not unique to current Windows: older Windows releases, as well as macOS and Linux, may be open to similar attacks on their update mechanisms, and OS vendors should examine their existing update features for this class of abuse rather than waiting for it to be demonstrated.
Leviev has not released the exploit publicly, which gives Microsoft a window to ship fixes before the technique is widely abused. Even so, the VBS weakness has existed for nearly a decade, which says a great deal about how long a flaw in a trusted update path can go unnoticed.