Keeping a Windows PC secure means applying security patches as they ship. Security researcher Alon Leviev, however, has shown that downgrade attacks can undo that work by rolling Microsoft's patches back.
In a blog post, SafeBreach researcher Alon Leviev introduced Windows Downdate, a proof-of-concept tool that performs persistent and irreversible downgrades of components on Windows 10, Windows 11 and Windows Server systems.
Leviev explained that the tool carries out version-rollback attacks, reverting fully updated software to earlier builds so that vulnerabilities Microsoft has already fixed become exploitable again for compromising systems and gaining unauthorized access.
Leviev also highlighted the tool's ability to re-expose PCs to older vulnerabilities in drivers, DLLs, the Secure Kernel, the NT kernel, the hypervisor, and more. He shared examples of using it to revert the patches for CVE-2021-27090, CVE-2022-34709, CVE-2023-21768 and PPLFault, as well as to downgrade the hypervisor and kernel and to bypass VBS's UEFI locks.
The Windows Downdate tool is now live! It enables users to downgrade Windows Updates, exposing past vulnerabilities in DLLs, drivers, NT kernel, Secure Kernel, Hypervisor, IUM trustlets, and more! https://t.co/59DRIvq6PZ
— Alon Leviev (@_0xDeku) August 25, 2024
The attack is especially concerning because the downgrade was not flagged by EDR solutions and Windows Update continued to report the machine as fully up to date, so a PC can look patched while running vulnerable code. Leviev also identified methods to disable Windows virtualization-based security (VBS), including Hypervisor-Protected Code Integrity (HVCI) and Credential Guard.
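Because Windows Update's "up to date" status is exactly what a downgrade attack leaves intact, a practitioner will want to look at the binaries themselves. The script below is an added example, not code from the article or from the Windows Downdate project: it compares the on-disk versions of the kernel, Secure Kernel, hypervisor and code-integrity binaries with the build and revision (UBR) the OS reports in the registry, and reads the VBS, HVCI and Credential Guard state from the Win32_DeviceGuard WMI class. The list of files checked is my selection based on the components the article names; the status values (2 = VBS running, 1 = Credential Guard, 2 = HVCI) follow Microsoft's documentation for that class.

```powershell
# Added example: heuristic check for downgraded VBS-related binaries and for VBS state.
# Run in an elevated PowerShell prompt on the host under review.
# Caveat: this runs on the possibly-tampered system and trusts its file system and WMI;
# for real assurance, compare against a known-good reference or inspect the disk offline.

$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$osBuild = [int]$cv.CurrentBuildNumber
$osUbr   = [int]$cv.UBR
Write-Host ("OS reports build {0}.{1} ({2})" -f $osBuild, $osUbr, $cv.DisplayVersion)

# Components the downgrade research targeted: NT kernel, Secure Kernel, hypervisor,
# and the code-integrity modules that back HVCI. (My selection, not an exhaustive list.)
$targets = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",     # NT kernel
    "$env:SystemRoot\System32\securekernel.exe", # Secure Kernel (VTL1)
    "$env:SystemRoot\System32\hvix64.exe",       # Hyper-V hypervisor, Intel
    "$env:SystemRoot\System32\hvax64.exe",       # Hyper-V hypervisor, AMD
    "$env:SystemRoot\System32\ci.dll",           # code integrity
    "$env:SystemRoot\System32\skci.dll"          # secure kernel code integrity
)

$findings = foreach ($path in $targets) {
    if (-not (Test-Path $path)) { continue }            # e.g. only one hv*64.exe applies
    $vi = (Get-Item $path).VersionInfo
    # Version resources look like "10.0.22621.3880" (optionally followed by a build tag).
    if ($vi.ProductVersion -notmatch '^(\d+)\.(\d+)\.(\d+)\.(\d+)') { continue }
    $build = [int]$Matches[3]; $rev = [int]$Matches[4]
    # A file older than the OS's own build/UBR is suspicious. A file may legitimately lag
    # the UBR if the latest cumulative update did not ship it, so treat this as a lead.
    $older  = ($build -lt $osBuild) -or ($build -eq $osBuild -and $rev -lt $osUbr)
    [pscustomobject]@{
        File    = Split-Path $path -Leaf
        Version = "$build.$rev"
        Status  = if ($older) { 'OLDER THAN OS BUILD' } else { 'ok' }
    }
}
$findings | Format-Table -AutoSize

# VBS / HVCI / Credential Guard state, as reported by the Device Guard WMI provider.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$running = @($dg.SecurityServicesRunning)
[pscustomobject]@{
    VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)  # 0 off, 1 enabled, 2 running
    CredentialGuard = ($running -contains 1)
    Hvci            = ($running -contains 2)
} | Format-List
```

Any file reported as older than the OS build, or VBS/HVCI showing as disabled on a machine where policy requires them, is worth investigating further; confirm against a freshly patched reference system with the same DisplayVersion and UBR before concluding that a downgrade took place.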
Microsoft responded on August 7 with KB5041773, which addresses the Windows Secure Kernel Mode elevation-of-privilege flaw, alongside fixes for other vulnerabilities and general hardening recommendations for Windows users.
While Windows Downdate demonstrates real risk, it was developed as a proof of concept to surface these weaknesses before malicious actors exploit them. Leviev reported his findings to Microsoft in February 2024, and fixes for the remaining downgrade paths were still outstanding at the time of writing.