
Windows Downgrade Attacks: A New Cybersecurity Threat


Keeping a Windows PC secure relies heavily on regular security patches. However, a class of attack known as a “downgrade attack” bypasses these crucial updates, exposing systems to previously patched vulnerabilities. Security researcher Alon Leviev has developed a proof-of-concept tool highlighting the severity of this threat.

Leviev, from SafeBreach, introduced the “Windows Downdate” tool in a recent blog post. This tool demonstrates how attackers can create persistent and irreversible downgrades on Windows 10, 11, and Windows Server systems. These attacks effectively roll back software versions to older, vulnerable states, allowing malicious actors to exploit previously fixed flaws.


The Windows Downdate tool can expose vulnerabilities in various system components, including drivers, DLLs, the Secure Kernel, the NT Kernel, and even the Hypervisor. Leviev’s public announcement on X (formerly Twitter) further detailed the tool’s capabilities, showcasing examples of reverting patches for specific CVEs (CVE-2021-27090, CVE-2022-34709, CVE-2023-21768, and PPLFault), along with demonstrations of downgrading the hypervisor and kernel, and bypassing VBS’s UEFI locks.

A significant concern is the undetectable nature of these downgrade attacks. Traditional endpoint detection and response (EDR) solutions often fail to identify them, and the Windows system itself may continue to report being up-to-date. Leviev’s research also revealed methods to disable Windows virtualization-based security (VBS) features, including Hypervisor-Protected Code Integrity (HVCI) and Credential Guard.


Microsoft has already addressed some of these vulnerabilities with the security update KB5041773, released on August 7th. This update patched the Windows Secure Kernel Mode privilege escalation flaw (CVE-2024-21302) and another vulnerability (CVE-2024-38202). Microsoft also provided recommendations for enhancing security, such as configuring “Audit Object Access” settings to monitor file access attempts. However, the emergence of the Windows Downdate tool underscores the ongoing need for vigilance in cybersecurity.
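The article names two defensive measures: installing the August update (KB5041773) and enabling “Audit Object Access”. The following PowerShell script is an added example, not code from the article, from SafeBreach or from Microsoft; it assumes an elevated PowerShell session on Windows 10/11 or Windows Server, and the watched directory (`$watchPath`) is a placeholder to replace, since the article does not name specific files. It verifies that the update is present, checks whether the VBS protections the article mentions (HVCI and Credential Guard) are actually running rather than merely configured, enables file-system object-access auditing with a SACL on the chosen directory, and pulls the resulting 4663 events for review.

```powershell
# Added example (not from the article, SafeBreach or Microsoft).
# Assumes an elevated PowerShell session on Windows 10/11 or Windows Server.

# 1. Confirm the update the article names is installed. The article notes the
#    OS may still report itself as up to date after a downgrade, so check the
#    hotfix list rather than trusting the Windows Update UI alone.
$kb = 'KB5041773'
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($hotfix) {
    "$kb installed on $($hotfix.InstalledOn)"
} else {
    "$kb NOT found - cross-check against WSUS/Intune or the update catalog"
}

# 2. Confirm VBS protections are running, not just configured.
#    Win32_DeviceGuard.SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
#    VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$running = @($dg.SecurityServicesRunning)
[pscustomobject]@{
    VbsStatus       = $dg.VirtualizationBasedSecurityStatus
    CredentialGuard = ($running -contains 1)
    HVCI            = ($running -contains 2)
}

# 3. Enable "Audit Object Access" for the File System subcategory (the setting
#    the article cites) and add an audit entry (SACL) to a directory of interest.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

$watchPath = 'C:\path\to\watch'   # placeholder: the article names no specific files
$acl  = Get-Acl -Path $watchPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'Write,Delete,TakeOwnership,ChangePermissions',
    'ContainerInherit,ObjectInherit',
    'None',
    'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $watchPath -AclObject $acl

# 4. Review recent object-access events (Security log, event ID 4663) so that
#    writes to the watched location show up for triage.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-24) } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Note that a SACL only produces events once the audit policy subcategory is enabled, which is why step 3 runs `auditpol` before setting the ACL; forwarding the 4663 events to a SIEM gives a detection path that does not depend on the endpoint's own patch-status reporting.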

Fortunately, the Windows Downdate tool was developed as a proof-of-concept by a “white-hat” hacker, aiming to uncover vulnerabilities before malicious actors can exploit them. Leviev responsibly disclosed his findings to Microsoft in February 2024, giving the company time to develop appropriate mitigations. This proactive approach provides some reassurance, although it also highlights the potential for serious security breaches if these vulnerabilities were to be exploited by malicious actors.


While the immediate threat is mitigated, the development of the Windows Downdate tool serves as a crucial reminder of the constant evolution of cybersecurity threats and the importance of proactive security measures. It emphasizes the need for ongoing research and development in security technologies and the critical role of responsible disclosure in mitigating potential risks.
