Windows Update Downgrade Attack Exposes Fully-Updated Systems to Old Vulnerabilities

August 7, 2024

At Black Hat USA 2024, SafeBreach security researcher Alon Leviev disclosed two zero-day vulnerabilities that can be exploited to 'unpatch' fully updated Windows 10, Windows 11, and Windows Server systems. The vulnerabilities, tracked as CVE-2024-38202 (Windows Update Stack elevation of privilege) and CVE-2024-21302 (Windows Secure Kernel Mode elevation of privilege), enable downgrade attacks: a technique in which an attacker forces an updated device to revert to older versions of its software, reintroducing vulnerabilities that were previously fixed and can be exploited again.

Leviev found that the Windows update process could be manipulated to downgrade critical system components, including dynamic link libraries (DLLs) and the NT kernel. Although these components were then outdated, Windows Update still reported the system as fully updated, and recovery and scanning tools did not flag the replaced files.

By exploiting the zero-day vulnerabilities, Leviev was also able to downgrade the Secure Kernel and the Isolated User Mode process of Credential Guard, as well as the Hyper-V hypervisor, exposing the system to past privilege escalation vulnerabilities in those components. Leviev stated: 'I discovered multiple ways to disable Windows virtualization-based security (VBS), including its features such as Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when enforced with UEFI locks. To my knowledge, this is the first time VBS's UEFI locks have been bypassed without physical access.'
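The two preceding paragraphs describe a failure mode worth checking for independently: the downgraded binaries and the weakened VBS state were not visible through Windows Update's own "fully updated" status. The PowerShell script below is an added example, not code from the article or from the SafeBreach research. It records the file versions of the kernel, Secure Kernel, hypervisor and code-integrity binaries plus the VBS, Credential Guard and HVCI running state into a defender-held baseline, and on later runs flags any binary whose version went down or any security service that stopped running. The file list, the baseline location and the use of the Win32_DeviceGuard WMI class are this example's assumptions; the class and its status codes are documented by Microsoft, but the set of files is simply the components named in the article.

```powershell
# Added example (not from the article or SafeBreach). Baseline-and-compare check for
# downgraded VBS/kernel binaries. Run elevated. First run writes the baseline;
# later runs compare against it and exit 1 on any regression.
param(
    # Assumed location; keep a copy off-host, since an attacker with admin rights
    # who can replace system files can also edit a local baseline.
    [string]$BaselinePath = "$env:ProgramData\vbs-baseline.json"
)

# Components the research reported downgrading. hvix64.exe is the Intel hypervisor
# image and hvax64.exe the AMD one; whichever is absent on this host is skipped.
$Targets = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",      # NT kernel
    "$env:SystemRoot\System32\securekernel.exe",  # Secure Kernel (VTL1)
    "$env:SystemRoot\System32\hvix64.exe",        # Hyper-V hypervisor (Intel)
    "$env:SystemRoot\System32\hvax64.exe",        # Hyper-V hypervisor (AMD)
    "$env:SystemRoot\System32\ci.dll",            # Code Integrity
    "$env:SystemRoot\System32\lsaiso.exe"         # Credential Guard isolated LSA process
)

function Get-ComponentVersions {
    # Versions are read from the PE version resource of the file on disk, not from
    # the Windows Update history, so a replaced binary shows its real version.
    $out = @{}
    foreach ($p in $Targets) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $vi = (Get-Item -LiteralPath $p).VersionInfo
        $out[$p] = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    }
    return $out
}

function Get-VbsState {
    # root\Microsoft\Windows\DeviceGuard\Win32_DeviceGuard is the documented WMI class for VBS status.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    return @{
        # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
        VbsStatus       = [int]$dg.VirtualizationBasedSecurityStatus
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
        CredentialGuard = [bool]($dg.SecurityServicesRunning -contains 1)
        Hvci            = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

$current = @{ Files = Get-ComponentVersions; Vbs = Get-VbsState; Taken = (Get-Date).ToString('o') }

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    $current | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath"
    exit 0
}

$baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
$findings = @()

# A lower version than the baseline is the signature of a downgrade; a file that
# existed at baseline time but is gone now is also reported.
foreach ($prop in $baseline.Files.PSObject.Properties) {
    $path = $prop.Name
    if (-not $current.Files.ContainsKey($path)) { $findings += "MISSING   $path"; continue }
    $old = [version]$prop.Value
    $new = [version]$current.Files[$path]
    if ($new -lt $old) { $findings += "DOWNGRADE $path  $old -> $new" }
}

if ($current.Vbs.VbsStatus -lt [int]$baseline.Vbs.VbsStatus) {
    $findings += "VBS status dropped: $($baseline.Vbs.VbsStatus) -> $($current.Vbs.VbsStatus)"
}
if ($baseline.Vbs.CredentialGuard -and -not $current.Vbs.CredentialGuard) { $findings += "Credential Guard no longer running" }
if ($baseline.Vbs.Hvci -and -not $current.Vbs.Hvci) { $findings += "HVCI no longer running" }

if ($findings.Count -eq 0) {
    Write-Output "No regressions against baseline taken $($baseline.Taken)"
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it once after confirming the host is at the expected patch level, then again on a schedule or after any update activity; a non-zero exit code is the alert. This only detects a regression relative to a baseline the defender controls, so it is a compensating check while waiting for Microsoft's fix, not a substitute for it, and the baseline must be refreshed after each legitimate update so that new, higher versions do not silently become the comparison point for a later downgrade.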

The downgrade attack, dubbed 'Windows Downdate', was revealed six months after Leviev reported the vulnerabilities to Microsoft. Microsoft is still working on a fix for the vulnerabilities, which can be used to elevate privileges, craft malicious updates, and reintroduce fixed security flaws by replacing Windows system files with older versions.

Microsoft has stated that it is not currently aware of any attempts to exploit these vulnerabilities in the wild, and has published advisories with recommendations to reduce the risk of exploitation until a security update is released. Leviev summarised the significance of his findings: 'I was able to show how it was possible to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term "fully patched" meaningless on any Windows machine in the world.' He also suggested that other operating system vendors could be susceptible to similar downgrade attacks.
