
There’s a scary new way to undo Windows security patches


Security patches for Windows are essential for keeping your PC safe from developing threats. But downgrade attacks are a way of sidestepping Microsoft’s patches, and a security researcher set out to show just how fatal these can be.


SafeBreach security researcher Alon Leviev mentioned in a company blog post that they’d created something called the Windows Downdate tool as a proof-of-concept. The tool crafts persistent and irreversible downgrades on Windows Server systems and Windows 10 and 11 components.

Leviev explains that his tool (and similar threats) performs a version-rollback attack, “designed to revert an immune, fully up-to-date software back to an older version. They allow malicious actors to expose and exploit previously fixed/patched vulnerabilities to compromise systems and gain unauthorized access.”

He also mentions that you can use the tool to expose the PC to older vulnerabilities sourced in drivers, DLLs, Secure Kernel, NT Kernel, the Hypervisor, and more. Leviev went on to post the following on X (formerly Twitter): “Other than custom downgrades, Windows Downdate provides easy to use usage examples of reverting patches for CVE-2021-27090, CVE-2022-34709, CVE-2023-21768 and PPLFault, as well as examples for downgrading the hypervisor, the kernel, and bypassing VBS’s UEFI locks.”

If you have not checked it out yet, Windows Downdate tool is live! You can use it to take over Windows Updates to downgrade and expose past vulnerabilities sourced in DLLs, drivers, the NT kernel, the Secure Kernel, the Hypervisor, IUM trustlets and more! https://t.co/59DRIvq6PZ

— Alon Leviev (@_0xDeku) August 25, 2024

What’s also concerning is that the tool is undetectable because it can’t be blocked by endpoint detection and response (EDR) solutions, and your Windows computer will continue to tell you it’s up to date even though it’s not. He also uncovered various ways to turn off Windows virtualization-based security (VBS), including Hypervisor-Protected Code Integrity (HVCI) and Credential Guard.

Microsoft released a security update (KB5041773) on August 7 to fix the CVE-2024-21302 Windows Secure Kernel Mode privilege escalation flaw and a patch for CVE-2024-38202. Microsoft has also released some steps Windows users can take to stay safe, such as configuring “Audit Object Access” settings to scan for file access attempts. The release of this new tool shows how exposed PCs are to all sorts of attacks and how you should never let your guard down when it comes to cybersecurity.
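As an added illustration of the “Audit Object Access” step mentioned above (this is not code from the article, SafeBreach or Microsoft), the PowerShell below enables file-system auditing, puts an audit rule on one folder and reads back the resulting access events. The watched path is a constructed demo folder because the article names no paths; event ID 4663 and its field names come from the Windows Security log, not from the article.

```powershell
#Requires -RunAsAdministrator
# Added example: turn on "Audit Object Access" for files and watch one folder.
param(
    # Constructed demo folder (assumption): the article names no paths to audit.
    [string]$WatchPath = 'C:\audit-object-access-demo'
)

# 1. Enable the "File System" subcategory of the Object Access audit category.
#    (The subcategory name shown is the English-locale name.)
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Attach an audit rule (SACL entry) so write-type access to the folder and
#    everything beneath it is logged. S-1-1-0 is the well-known Everyone SID.
New-Item -ItemType Directory -Path $WatchPath -Force | Out-Null
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$rights   = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $everyone, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $WatchPath -Audit      # -Audit loads the existing SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $WatchPath -AclObject $acl

# 3. Read back event 4663 ("An attempt was made to access an object") and keep
#    only the entries whose object lies under the watched folder.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ("$($data['ObjectName'])".StartsWith($WatchPath, [StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{
                Time       = $evt.TimeCreated
                User       = $data['SubjectUserName']
                Process    = $data['ProcessName']
                Object     = $data['ObjectName']
                AccessMask = $data['AccessMask']
            }
        }
    }
```

Only access that happens after the audit rule is in place is logged, so the first run returns nothing until a file under the folder is written or deleted.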

The good news is that we can rest easy for now since the tool was created as a proof-of-concept, an example of “white-hat hacking” to discover vulnerabilities before threat actors do. Also, Leviev handed over his findings to Microsoft in February 2024, and hopefully, the software giant will have the necessary fixes soon.

Judy Sanhz
Judy Sanhz is a Digital Trends computing writer covering all computing news. Loves all operating systems and devices.