Windows Update is designed to protect our PCs from the latest threats. However, a newly discovered exploit called Windows Downdate exposes a critical vulnerability, potentially undoing these security measures and leaving systems open to attack. This proof-of-concept tool, developed by SafeBreach researcher Alon Leviev, highlights a critical flaw in Windows Update and its potential for misuse.
While Windows Update typically installs patches to address vulnerabilities, Windows Downdate leverages a flaw to install older, less secure updates. This effectively reverses the patching process, reintroducing vulnerabilities that Microsoft had previously addressed. Leviev successfully used the tool to downgrade critical components like dynamic link libraries (DLLs), drivers, and even the core NT kernel, bypassing all verification measures. This process is both invisible and irreversible, making detection and recovery extremely difficult.
The Windows Downgrade tool.Demonstration of the Windows Downgrade Tool. (Image Credit: Alon Leviev / SafeBreach)
As Leviev explained in a SafeBreach blog post, this exploit can render a fully patched Windows machine vulnerable to thousands of past exploits, effectively turning fixed vulnerabilities into zero-day threats. The compromised system falsely reports being fully updated and even blocks future legitimate updates, while standard security scanning tools fail to detect the issue.
The vulnerability extends beyond core system components. Leviev also demonstrated the exploit’s effectiveness against the Windows virtualization stack, successfully downgrading Credential Guard’s Isolated User Mode Process, Hyper-V’s hypervisor, and Secure Kernel. Furthermore, he discovered multiple methods to disable virtualization-based security (VBS), even when UEFI locks were enforced, a feat previously thought impossible without physical access.
Example of downgraded components.Downgraded components within the Windows environment. (Image Credit: Alon Leviev / SafeBreach)
The potential implications of Windows Downdate are alarming. It could effectively undo years of security patching, stealthily exposing systems to a multitude of threats. Leviev suggests that other operating systems, including MacOS and Linux, may also be susceptible to similar exploits.
Fortunately, Leviev’s intentions were ethical. He responsibly disclosed his findings to Microsoft in February 2024. Microsoft has subsequently issued two CVEs, CVE-2024-21302 and CVE-2024-38202, and is actively working on a patch. It remains crucial that Microsoft addresses this vulnerability swiftly, before malicious actors can exploit it.
