8 August 2024

Windows Downgrade attack exposes fully patched systems to old flaws


SafeBreach security researcher Alon Leviev exposed two security vulnerabilities that could be exploited to perform downgrade attacks on fully updated Windows systems.

The technique effectively “unpatches” systems, reintroducing previously fixed vulnerabilities and rendering the notion of a “fully patched” Windows machine virtually meaningless.

The vulnerabilities, tracked as CVE-2024-38202 and CVE-2024-21302, affect Windows 10, Windows 11, and Windows Server platforms.

Leviev demonstrated how attackers could exploit these flaws to subvert the Windows Update process itself. Using a custom tool he developed, dubbed “Windows Downdate,” Leviev showed that it is possible to force an up-to-date Windows system to roll back critical components—such as dynamic link libraries (DLLs) and even the NT Kernel—to older, vulnerable versions. Despite these downgrades, the Windows Update service falsely reports that the system is fully updated.

As Leviev explained, the downgrade attack is undetectable: it is not blocked by endpoint detection and response (EDR) solutions, and it is invisible because Windows Update reports that the device is fully updated.

By downgrading key components like Credential Guard's Secure Kernel, the Isolated User Mode Process, and Hyper-V's hypervisor, the researcher managed to expose the systems to a multitude of past privilege escalation vulnerabilities. In essence, the attack reintroduces fixed vulnerabilities as though they were new, effectively turning them into zero-days once more.
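Because the article's central point is that Windows Update's "fully updated" status can no longer be trusted after such a rollback, a defender wants a check that does not rely on that status at all. The following PowerShell script is an added example, not code from the article or from SafeBreach's "Windows Downdate" tool: it records the file versions and SHA-256 hashes of the kinds of components named above (NT kernel, Secure Kernel, Isolated User Mode LSA process, Hyper-V hypervisor) on a known-good machine, then compares a live system against that baseline and flags any component whose on-disk version is older. The component list and the baseline path are assumptions chosen for illustration.

```powershell
# Added example (not part of the original article or of the "Windows Downdate" tool).
# Baseline-and-compare check for security-critical Windows binaries. Windows Update's
# own status is deliberately not consulted; only on-disk file versions and hashes are.
# Assumptions: the file list below is an illustrative set of components; $BaselinePath
# is a hypothetical location for the saved baseline.
param(
    [string]$BaselinePath = "$env:ProgramData\downgrade-baseline.json",
    [switch]$Capture   # -Capture writes a baseline instead of comparing against one
)

$Components = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",     # NT kernel
    "$env:SystemRoot\System32\securekernel.exe", # VBS / Credential Guard secure kernel
    "$env:SystemRoot\System32\lsaiso.exe",       # Isolated User Mode LSA process
    "$env:SystemRoot\System32\hvix64.exe",       # Hyper-V hypervisor (Intel platforms)
    "$env:SystemRoot\System32\hvax64.exe",       # Hyper-V hypervisor (AMD platforms)
    "$env:SystemRoot\System32\ci.dll"            # Code integrity
)

function Get-ComponentInventory {
    # Collect version string and SHA-256 for every component present on this machine.
    $inventory = @{}
    foreach ($path in $Components) {
        if (-not (Test-Path $path)) { continue }   # hvix64/hvax64 are platform-specific
        $item = Get-Item $path
        $inventory[$path] = @{
            FileVersion = $item.VersionInfo.FileVersion
            Sha256      = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        }
    }
    return $inventory
}

function Compare-VersionStrings ($a, $b) {
    # File versions look like "10.0.22621.3880 (WinBuild.160101.0800)"; keep the numeric part.
    $va = [version](($a -split ' ')[0])
    $vb = [version](($b -split ' ')[0])
    return $va.CompareTo($vb)   # negative when $a is older than $b
}

if ($Capture) {
    Get-ComponentInventory | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$current  = Get-ComponentInventory
$findings = @()

foreach ($path in $current.Keys) {
    $base = $baseline.PSObject.Properties[$path].Value
    if ($null -eq $base) { continue }   # component not in baseline (e.g. other CPU vendor)
    $cmp = Compare-VersionStrings $current[$path].FileVersion $base.FileVersion
    if ($cmp -lt 0) {
        $findings += "DOWNGRADED: $path is $($current[$path].FileVersion), baseline was $($base.FileVersion)"
    } elseif ($cmp -eq 0 -and $current[$path].Sha256 -ne $base.Sha256) {
        $findings += "MODIFIED: $path has the same version string but a different SHA-256"
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No downgraded components relative to baseline."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it once with `-Capture` on a freshly patched reference machine, store the resulting JSON somewhere the monitored host cannot rewrite, and rerun without the switch on a schedule; refresh the baseline after each patch cycle so that legitimate updates do not show up as "MODIFIED". Authenticode checks are intentionally left out: an old-but-genuine Microsoft binary still carries a valid signature, so only the version and hash comparison distinguishes a rollback from a current file.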

Microsoft has published security advisories addressing the two unpatched vulnerabilities. The advisories provide temporary mitigations to reduce the risk of exploitation while the company works on a permanent fix.

Microsoft said that it is not currently aware of any active attempts to exploit these vulnerabilities in the wild.
