Understanding Windows Downdate
At the recent Black Hat 2024 conference, SafeBreach researcher Anon Leviev unveiled a concerning new tool capable of silently reversing security patches on systems running Windows 10, Windows 11, and Windows Server. This innovative yet alarming development, termed Windows Downdate, allows threat actors to execute downgrade attacks, effectively reintroducing previously patched vulnerabilities.
Leviev has made this tool available as an open-source Python program, along with a pre-compiled executable for Windows. With Windows Downdate, users can bypass certain elements of Windows Update to create custom downgrade packages. This functionality not only exposes older security vulnerabilities but also enables users to compromise systems as if they had never received critical updates.
The tool specifically targets vulnerabilities such as CVE-2024-21302 and CVE-2024-38202. Its operation is particularly insidious, as endpoint detection and response (EDR) solutions are unable to detect or block its actions. Moreover, Windows Update continues to report that the system is fully updated, despite the fact that it has been effectively downgraded.
Leviev provided practical examples of how the tool can be utilized, demonstrating the ability to revert the Hyper-V hypervisor to a version from two years ago. The instructions also detail how to downgrade the Windows Kernel, the NTFS driver, and the Filter Manager driver back to their original states. Additionally, the guide includes steps for downgrading other Windows components and previously applied security patches.
Call to Action for Cybersecurity Community
In a call to action, Leviev encouraged the cybersecurity community to leverage Windows Downdate for further research and to uncover additional vulnerabilities. He posed a question to his peers: “Do you have in mind any additional Windows components that may be vulnerable to downgrades?”
In response to these developments, Microsoft released a security update on August 7 to address the CVE-2024-21302 vulnerability, which pertains to a privilege escalation flaw in Windows Secure Kernel Mode. However, a patch for CVE-2024-38202, which involves a Windows Update Stack elevation of privilege vulnerability, has yet to be issued.
Until a security update for CVE-2024-38202 is available, Microsoft has advised users to adhere to recommendations outlined in a recent security advisory. These guidelines include:
- Configuring “Audit Object Access” settings to monitor file access attempts
- Restricting update and restore operations
- Employing Access Control Lists to limit file access
- Conducting regular audits to identify any attempts to exploit the vulnerability
As the cybersecurity landscape continues to evolve, tools like Windows Downdate underscore the importance of vigilance and proactive measures in safeguarding systems against emerging threats.