Conventional wisdom says that updating your computer when new patches are available will protect you from online threats. That's why Microsoft has become so militant about it. Force Windows OS UpdatesHowever, some attacks seek to force a system to downgrade to a more vulnerable version, and security firm SafeBreach Labs has discovered such an attack targeting Windows. Researcher Alon Leviev says his “Windows Downdate” attack can make Windows vulnerable to thousands of previous zero-day exploits.
Leviev says he first tested Windows Downdate in February 2024 and found that it could crash Windows Update mechanisms to roll back previously installed updates. The issue was reported to Microsoft through the responsible disclosure process established in February 2024. Leviev has now published the vulnerability, but Microsoft is dragging its feet on delivering the promised fix. The flaw affects Windows 10, Windows 11, and Windows Server.
The attack described by Leviev relies on two new zero-day exploits, tracked as CVE-2024-38202 and CVE-2024-21302. The 38202 flaw is a Windows Backup privilege escalation, allowing the threat actor to “unpatch” old bugs using basic user privileges. With administrator rights, the 21302 vulnerability allows the attacker to replace Windows system files with vulnerable versions.
Using these exploits, the researcher realized that an attacker could downgrade numerous vital system files, including dynamic link libraries (DLLs) and the NT kernel. He was even able to bypass Windows Virtualization-Based Security (VBS), regardless of whether the feature was blocked via UEFI or not. That's a bad situation, especially for enterprise environments.
Credit: Microsoft
Importantly, even after modifying these components to make the operating system vulnerable to years-old flaws, Windows Update would report that the system is fully patched and up-to-date. The attack is undetectable even with enterprise-grade systems. Endpoint Detection and Response Systems (EDR).
Microsoft says it is actively working to implement a fix for Windows Downdate. However, the company says Bleeping Computer says the situation is complicated. The flaw affects multiple versions of Windows and countless system files. Microsoft wants to thoroughly test the fixes on all versions to make sure it can protect users without creating new problems. There is no word on when the update will be available. If you're interested in the technical details, SafeBreach has a long explanation.
