Tool that can undo Windows security patches
Security researcher Alon Leviev has published a tool that can undo Windows security patches – without anyone noticing. The “Windows Downdate” tool makes it possible to restore old vulnerabilities and therefore poses a great danger.
Security vulnerabilities caused by downgrade attacks
Microsoft is already responding with further security updates and various recommendations for controlling the systems. But let’s start from the beginning: Security researcher Alon Leviev from SafeBreach has released a tool called “Windows Downdate” that enables security experts and potential attackers to undo security patches on Windows systems.
The tool, which is available as an open source Python program and precompiled Windows executable, can be used on Windows 10, Windows 11 and Windows Server. Leviev first demonstrated the tool at Black Hat 2024 and has now made it available to the public. As he announced on X (formerly Twitter), Windows Downdate exploits the vulnerabilities CVE-2024-21302 and CVE-2024-38202 to bypass parts of the Windows Update process and create custom downgrade packages:
Dangerous opportunities for attackers
What’s worrying about Windows Downdate is its ability to operate unnoticed. Endpoint Detection and Response (EDR) solutions cannot block the tool, and Windows Update will continue to report that the system is up to date even if it has already been downgraded.
Leviev has provided several examples of how to use the tool. These show how to roll back the Hyper-V hypervisor to a two-year-old version, or roll back the Windows kernel, NTFS driver, and Filter Manager driver to their original versions. Other Windows components and previously applied security patches can also be rolled back.
I have discovered several ways to disable Windows-based Virtualization Security (VBS), including its features such as Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when they are enforced by UEFI locks. To my knowledge, this is the first time that VBS UEFI locks have been bypassed without physical access. Alon Leviev, security researcher at SafeBreach
Microsoft’s response and recommendations
Microsoft released a security update (KB5041773) on August 7 to fix the CVE-2024-21302 vulnerability. However, there is no patch available yet for CVE-2024-38202, the second vulnerability that allows the downgrade. Until an update is released, Microsoft recommends that users follow the recommendations listed in the security advisory from earlier this month. These recommendations include:
- Configuring Audit Object Access settings to monitor file access attempts
- Restriction of update and restore operations
- Using access control lists (ACLs) to limit file access
- Regular audits to identify attempts to exploit the vulnerability
Background and meaning of downgrades
In computer science, “downgrading” refers to the process of reverting software (or hardware) to an older version. Programs sometimes need to be downgraded to eliminate introduced bugs, restore removed features, or increase speed and/or usability. The term “downgrade” became particularly popular during the Windows Vista era, when many users wanted to return to Windows XP due to performance and compatibility issues.
In this case, many even referred to the downgrade as an “upgrade.” While downgrades can be useful in certain situations, the Windows Downdate tool poses a serious threat to the security of Windows systems. It allows attackers to restore targeted vulnerabilities and thus bypass Microsoft’s security measures. What do you think of this tool and its potential consequences? Do you see it as a useful tool for security researchers or a dangerous tool in the wrong hands?
Digital marketing enthusiast and industry professional in Digital technologies, Technology News, Mobile phones, software, gadgets with vast experience in the tech industry, I have a keen interest in technology, News breaking.
