While Windows Updates are generally intended to protect us from the latest threats, there is now a tool called Windows Downdate that can undo all Windows Updates, leaving your PC exposed to previously patched vulnerabilities.
Developed by SafeBreach researcher Alon Leviev as a proof-of-concept, Windows Downdate exploits a flaw in Windows Update to install older updates that lack the fixes for since-patched vulnerabilities. The tool downgrades core components like DLLs, drivers, and the NT kernel while bypassing verification, making the changes invisible and irreversible.
Leviev’s experimentation with Windows Downdate revealed the potential to expose fully patched Windows machines to past vulnerabilities, essentially rendering the term “fully patched” meaningless. The tool can disable future updates and evade detection by recovery and scanning tools.
Leviev also identified vulnerabilities in the Windows virtualization stack, which let him downgrade components like Credential Guard’s Isolated User Mode Process and Hyper-V’s hypervisor. Even with enforced UEFI locks, Leviev found ways to disable virtualization-based security in Windows.
Although Windows Downdate poses a significant risk by undoing all security patches and exposing PCs to various threats, Leviev responsibly reported the exploit to Microsoft in February 2024. Microsoft has issued CVEs and is working on fixing the vulnerability to prevent malicious exploitation.