Windows Downdate attack exploits Windows Update to ‘unpatch’ secure devices

The BlackHat hacker convention never fails to impress, and this year is no exception. Alon Leviev, a security researcher with SafeBreach Labs, gave a presentation in Las Vegas that demonstrated how the Windows Update process could be subverted to “craft custom downgrades on critical OS components” and effectively unpatch a secure machine. Say hello to the Windows Downdate attack.

In his presentation titled ‘Windows Downdate: Downgrade Attacks Using Windows Updates’, Leviev explained how his version-rollback attack reverts a fully patched Windows machine back to an older and therefore insecure version.

Leviev employed several vulnerabilities in the Windows Update process to build a tool he calls Windows Downdate that can “craft fully undetectable, invisible, persistent, and irreversible downgrades on critical OS components” so as to elevate privileges and bypass security features.

What Windows Downdate means to you

What does that mean in a real-world scenario? I hope you’re sitting down: “I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities,” Leviev said, “turning fixed vulnerabilities into zero-days and making the term ‘fully patched’ meaningless on any Windows machine in the world.”

The full technical breakdown can be found here, but these are the takeaways:

  • The Windows Update vector was chosen to develop the undetectable downgrade attack as it “seemed like the least-suspicious entity” for such an exploit.
  • Leviev discovered a “significant flaw” that allowed him to fully control the process.
  • The Windows Downdate tool meant he could bypass all verification steps “including integrity verification and Trusted Installer enforcement”.
  • Critical OS components such as dynamic link libraries (DLLs), drivers “and even the NT kernel” could be downgraded as a result.
  • Future updates were blocked from being installed and “recovery and scanning tools were unable to detect issues”.

And, even without physical access to the target machine, Leviev bypassed Windows virtualization-based security (VBS), “including its features such as Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when enforced with UEFI locks”.

Microsoft’s response

Leviev disclosed the issues to Microsoft in February 2024, which resulted in two Windows vulnerabilities being confirmed: CVE-2024-21302 and CVE-2024-38202. According to an August 7 update from Microsoft, it is working on a fix but this is not yet available for either.

A Microsoft spokesperson said: “We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximised customer protection with minimized operational disruption.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
