
August 28, 2024

Unveiling the Exploitative Nature of the Windows Downdate Tool: Exposing System Vulnerabilities

Deluxe company -

Windows Downdate allows attackers to revert Windows systems to earlier states, effectively removing previously installed security updates and exposing the systems to old vulnerabilities.

A newly released tool named Windows Downdate, written by Alon Leviev of SafeBreach, can roll Windows 10, Windows 11, and Windows Server back to older software versions, reintroducing security flaws that earlier updates had already fixed.

The issue was first made public earlier this month. Known as "Downdate", the exploit abuses the Windows Update process, which relies on communication between user PCs and Microsoft servers about update folders and action lists.

The tool, offered as both an open-source Python script and a Windows executable on GitHub, targets various Windows components such as the Hyper-V hypervisor, the Windows kernel, the NTFS driver, and the Filter Manager driver, rolling them back to older versions. Leviev has demonstrated using Windows Downdate to undo the patches for specific vulnerabilities such as CVE-2021-27090, CVE-2022-34709, and CVE-2023-21768.

If you have not checked it out yet, the Windows Downdate tool is available! It enables you to manipulate Windows Updates to downgrade and reveal previous vulnerabilities found in DLLs, drivers, the NT kernel, the Secure Kernel, the Hypervisor, IUM trustlets, and more!

— Alon Leviev (@_0xDeku) August 25, 2024

By exploiting vulnerabilities CVE-2024-21302 and CVE-2024-38202, the tool operates undetected by most endpoint detection and response (EDR) solutions. Despite the downgrade, the Windows Update system falsely indicates that the system is up to date. This flaw enables attackers to deactivate critical Windows virtualization-based security features such as Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even under UEFI locks.

Microsoft has released security update KB5041773, acknowledging the problem by addressing CVE-2024-21302, though CVE-2024-38202 remains without a fix. Microsoft recommends several measures to prevent downgrade attacks, including setting up “Audit Object Access,” restricting update and restoration procedures, applying Access Control Lists for file access, and monitoring system privileges to identify abuse attempts.
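Because Windows Update still reports "up to date" after a rollback, a defender needs an independent check. The following PowerShell script is an added example, not code from the article or from SafeBreach: it records the on-disk versions of the components the article names, flags any that later go backwards, and turns on the File System subcategory of "Audit Object Access" that Microsoft recommends. The baseline path and the exact binary names (hvix64.exe is the Intel hypervisor image) are assumptions.

```powershell
# Added example: detect a silent rollback of kernel-level components.
# Assumes an elevated PowerShell 5.1+ session on Windows 10/11.
$BaselinePath = 'C:\ProgramData\DowngradeBaseline.json'   # assumed location
$Targets = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",        # Windows kernel
    "$env:SystemRoot\System32\securekernel.exe",    # Secure Kernel (VBS)
    "$env:SystemRoot\System32\hvix64.exe",          # Hyper-V hypervisor (Intel)
    "$env:SystemRoot\System32\drivers\ntfs.sys",    # NTFS driver
    "$env:SystemRoot\System32\drivers\fltmgr.sys"   # Filter Manager driver
)

function Get-ComponentVersions {
    # Returns a hashtable of path -> file version, read from the PE resource.
    $versions = @{}
    foreach ($path in $Targets) {
        if (-not (Test-Path $path)) { continue }   # e.g. hvax64.exe on AMD
        $vi = (Get-Item $path).VersionInfo
        $versions[$path] = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                          $vi.FileBuildPart, $vi.FilePrivatePart).ToString()
    }
    return $versions
}

function Save-Baseline {
    # Run once on a known-good, fully patched system.
    Get-ComponentVersions | ConvertTo-Json | Set-Content -Path $BaselinePath
}

function Test-Downgrade {
    # Compares current versions to the baseline; any decrease is a finding.
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $findings = @()
    foreach ($entry in (Get-ComponentVersions).GetEnumerator()) {
        $prop = $baseline.PSObject.Properties[$entry.Key]
        if ($null -eq $prop) { continue }              # not in baseline
        if ([version]$entry.Value -lt [version]$prop.Value) {
            $findings += "DOWNGRADE: $($entry.Key) $($prop.Value) -> $($entry.Value)"
        }
    }
    return $findings
}

function Enable-FileSystemAuditing {
    # Object-access auditing only fires for files that carry a SACL, so pair this
    # with SACLs on the target paths; resulting writes appear as event ID 4663.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable
}
```

Schedule Test-Downgrade after each maintenance window and treat any non-empty result as an incident, since legitimate servicing never lowers these version numbers.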

The vulnerability, known as Windows Downdate, was showcased at Black Hat USA 2024 and DEF CON 32, highlighting its impact on system security. To use the tool, a user clones the repository, installs it via Python, and runs it with an XML configuration file that defines the target files to downgrade.

