
Windows Downdate Tool Exploits System Weaknesses

Windows Downdate lets attackers downgrade Windows systems to earlier versions, undoing security patches and making them vulnerable again.

A new tool called Windows Downdate, developed by Alon Leviev from SafeBreach, enables the downgrade of Windows 10, Windows 11, and Windows Server systems, presenting significant security challenges. The tool can reverse devices to outdated software versions, reinstating vulnerabilities that had been previously resolved.

I first reported on the Downdate issue earlier this month when the issue became public. Termed “Downdate,” this exploit manipulates the update mechanism, which relies on user PC and Microsoft server communications involving update folders and action lists.

Functionality and Operation

The tool, available as both an open-source Python script and a Windows executable on GitHub, targets various Windows components such as the Hyper-V hypervisor, Windows Kernel, NTFS driver, and Filter Manager driver, reverting them to their original versions. Leviev has showcased how to use Windows Downdate to undo patches for specific vulnerabilities like CVE-2021-27090, CVE-2022-34709, and CVE-2023-21768.

By exploiting vulnerabilities CVE-2024-21302 and CVE-2024-38202, the tool operates undetected by most endpoint detection and response (EDR) solutions. Despite downgrading, the Windows Update system inaccurately indicates that the system is up to date. The flaw allows attackers to deactivate Windows virtualization-based security features such as Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when these features are protected by UEFI locks.

Microsoft’s Action Plan

Microsoft has acknowledged the issue by releasing security update KB5041773 to address CVE-2024-21302. Nevertheless, CVE-2024-38202 remains unpatched. To counteract downgrade attacks, Microsoft advises users to follow guidelines outlined in their security advisory, which include configuring “Audit Object Access” settings, limiting update and restore operations, using Access Control Lists to restrict file access, and auditing system privileges to detect exploitation attempts.
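The advice above is about detection rather than prevention, so here is an added defender-side check in PowerShell that is not from the article, SafeBreach or Microsoft. It records the on-disk versions of the components the tool is described as targeting on a known-good host, then flags any host where a component is older than that baseline, where KB5041773 is missing, or where a configured VBS feature has stopped running; the file paths and the baseline location are assumptions.

```powershell
# Added defender-side check (not from the article, SafeBreach, or Microsoft).
# Assumes x64 Windows, standard system paths, and a baseline JSON produced by
# running this script with -RecordBaseline on a known-good, fully patched host.
param([string]$BaselinePath = "$env:ProgramData\downdate-baseline.json", [switch]$RecordBaseline)

# Components the article names as Downdate targets (paths are assumptions)
$Components = @{
    'Windows Kernel'        = "$env:SystemRoot\System32\ntoskrnl.exe"
    'NTFS driver'           = "$env:SystemRoot\System32\drivers\ntfs.sys"
    'Filter Manager driver' = "$env:SystemRoot\System32\drivers\fltmgr.sys"
    'Hyper-V hypervisor'    = "$env:SystemRoot\System32\hvix64.exe"
}

function Get-ComponentVersions {
    $out = @{}
    foreach ($name in $Components.Keys) {
        $path = $Components[$name]
        if (-not (Test-Path $path)) { continue }   # e.g. no Hyper-V on this SKU
        $v = (Get-Item $path).VersionInfo           # use numeric parts, not the free-text FileVersion
        $out[$name] = '{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart
    }
    return $out
}

if ($RecordBaseline) {
    Get-ComponentVersions | ConvertTo-Json | Set-Content -Path $BaselinePath
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$current  = Get-ComponentVersions
$findings = @()

# 1. A component whose on-disk version is lower than the baseline is a downgrade indicator.
#    Windows Update's own "up to date" status is not trusted here, since the article notes it can be wrong.
foreach ($name in $current.Keys) {
    $base = $baseline.$name
    if ($base -and (([version]$current[$name]) -lt ([version]$base))) {
        $findings += "DOWNGRADE: $name is $($current[$name]), baseline was $base"
    }
}

# 2. The fix for CVE-2024-21302 should be installed.
if (-not (Get-HotFix -Id 'KB5041773' -ErrorAction SilentlyContinue)) {
    $findings += 'KB5041773 (CVE-2024-21302 fix) is not installed'
}

# 3. VBS features configured on this host should still be running (1 = Credential Guard, 2 = HVCI).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
foreach ($svc in @{ 1 = 'Credential Guard'; 2 = 'HVCI' }.GetEnumerator()) {
    if ($dg -and $dg.SecurityServicesConfigured -contains $svc.Key -and $dg.SecurityServicesRunning -notcontains $svc.Key) {
        $findings += "$($svc.Value) is configured but not running"
    }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No downgrade indicators found' }
```

Run it once with `-RecordBaseline` right after patching, then on a schedule; a baseline that is itself recorded after a downgrade would mask the problem, so record it only on a host whose patch level has been verified.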

Windows Downdate was demonstrated at both Black Hat USA 2024 Briefings and DEFCON 32, underscoring its implications for system security. To use the tool, users must clone the repository, install it via Python, and run it with a configuration XML file specifying which files to downgrade.

Last Updated on November 7, 2024 3:06 pm CET

Luke Jones
Luke has been writing about Microsoft and the wider tech industry for over 10 years. With a degree in creative and professional writing, Luke looks for the interesting spin when covering AI, Windows, Xbox, and more.
