Windows Downdate allows attackers to revert Windows systems to prior versions, effectively removing security updates and reinstating previous vulnerabilities.

A tool named Windows Downdate, crafted by Alon Leviev from SafeBreach, facilitates the downgrading of Windows 10, Windows 11, and Windows Server systems, posing severe security risks. This tool can revert systems to obsolete software versions, reintroducing previously patched vulnerabilities.

I initially covered the Downdate issue this month when it was first disclosed. Named “Downdate,” this vulnerability manipulates the update mechanism, which leans on interactions between user PCs and Microsoft servers concerning update repositories and action plans.

The tool, which is available both as an open-source Python script and a Windows executable on GitHub, targets various Windows components including the Hyper-V hypervisor, Windows Kernel, NTFS driver, and Filter Manager driver, reverting them to their original versions. Leviev has demonstrated how to use the Windows Downdate to reverse patches for certain vulnerabilities such as CVE-2021-27090, CVE-2022-34709, and CVE-2023-21768.

Windows Downdate tool is live! This tool enables users to revert Windows Updates, thereby exposing historical vulnerabilities in DLLs, drivers, the NT kernel, the Secure Kernel, the Hypervisor, IUM trustlets, and more! https://t.co/59DRIvq6PZ

— Alon Leviev (@_0xDeku) August 25, 2024

By exploiting vulnerabilities such as CVE-2024-21302 and CVE-2024-38202, the tool operates undetected by most endpoint detection and response (EDR) systems. Despite the downgrading, the Windows Update system inaccurately indicates that the system is up to date. This flaw allows attackers to disable Windows virtualization-based security features such as Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when these features are protected by UEFI locks.

Microsoft has acknowledged the problem by issuing the security patch KB5041773 to address CVE-2024-21302, but CVE-2024-38202 remains unfixed. To prevent downgrade attacks, Microsoft recommends that users follow the procedures in its security notification, which include configuring “Audit Object Access” auditing, restricting update and restore operations, applying Access Control Lists to limit file permissions, and monitoring privileges to detect exploitation activity.
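As an added defender-side example (not code from the article or from SafeBreach's tool), the following PowerShell script checks a host for the signs this article describes: it compares on-disk versions of the components named above against a baseline recorded from a known-good machine (since the page notes that Windows Update may still report "up to date" after a downgrade), confirms that Credential Guard and HVCI are running, checks for KB5041773, and checks whether File System auditing under "Object Access" is enabled. The baseline version numbers are placeholders to be replaced with values from a fully patched reference host, and the script assumes it runs elevated on Windows PowerShell 5.1 or later.

```powershell
# Placeholder baseline: record real versions from a fully patched reference host.
$Baseline = @{
    "$env:SystemRoot\System32\ntoskrnl.exe"       = '10.0.0.0'   # placeholder: Windows kernel
    "$env:SystemRoot\System32\securekernel.exe"   = '10.0.0.0'   # placeholder: Secure Kernel
    "$env:SystemRoot\System32\drivers\ntfs.sys"   = '10.0.0.0'   # placeholder: NTFS driver
    "$env:SystemRoot\System32\drivers\fltmgr.sys" = '10.0.0.0'   # placeholder: Filter Manager
}

function Get-DowngradeFindings {
    param([hashtable]$Expected = $Baseline)
    $findings = @()

    # 1. File versions on disk, not the update history, are the ground truth after a downgrade.
    foreach ($path in $Expected.Keys) {
        if (-not (Test-Path -LiteralPath $path)) { $findings += "$path : missing"; continue }
        # FileVersionRaw is a [version] built from the binary's fixed version block.
        $actual = (Get-Item -LiteralPath $path).VersionInfo.FileVersionRaw
        $wanted = [version]$Expected[$path]
        if ($actual -lt $wanted) {
            $findings += "$path : $actual is older than baseline $wanted (possible downgrade)"
        }
    }

    # 2. VBS, Credential Guard (service id 1) and HVCI (service id 2) via the DeviceGuard WMI class.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    if ($dg.VirtualizationBasedSecurityStatus -ne 2) { $findings += 'VBS is not running' }
    if (1 -notin $dg.SecurityServicesRunning) { $findings += 'Credential Guard is not running' }
    if (2 -notin $dg.SecurityServicesRunning) { $findings += 'HVCI is not running' }

    # 3. Patch presence is only a weak signal, because update status can be misreported.
    if (-not (Get-HotFix -Id 'KB5041773' -ErrorAction SilentlyContinue)) {
        $findings += 'KB5041773 is not listed in installed hotfixes'
    }

    # 4. "Audit Object Access" maps to the File System subcategory in modern audit policy.
    $audit = (auditpol /get /subcategory:"File System" 2>$null) -join "`n"
    if ($audit -notmatch 'Success') { $findings += 'File System (Object Access) auditing is not enabled' }

    return $findings
}

Get-DowngradeFindings | ForEach-Object { Write-Output $_ }
```

An empty result means no finding; any line reported is a lead to investigate against the mitigations Microsoft lists.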

The exploitation method known as Windows Downdate was showcased at both the Black Hat USA 2024 Briefings and DEF CON 32, highlighting its impact on security systems. To deploy the tool, users clone the repository, install it with Python, and run it with an XML configuration file that specifies which files are to be downgraded.
