A Windows Update Flaw Allows for "Downgrade Attacks"

By Husain Parvez, Cybersecurity Researcher. Published on 11th August 2024.

A significant flaw in Microsoft Windows' update architecture has been discovered that allows attackers to downgrade fully patched systems, reintroducing old vulnerabilities. SafeBreach Labs researcher Alon Leviev discovered the flaw and developed the exploit.

The vulnerability, showcased at the Black Hat 2024 conference, has been dubbed "Windows Downdate." It exploits the Windows Update process via the manipulation of an XML file, enabling undetectable downgrades of essential operating system components.

As Leviev explained to WIRED, "I found a downgrade exploit that is fully undetectable because it is performed by using Windows Update itself, which the system trusts." Even though the system's critical components are downgraded, the system falsely reports as being fully updated, leaving users unaware of the underlying vulnerabilities.

These downgrade attacks, also known as version-rollback attacks, are not just theoretical. They have been proven to effectively revert a system to a previous state where known vulnerabilities exist, exposing the system to potential exploits.

The implications of this flaw are far-reaching. The attack allows hackers to downgrade various critical OS components, including dynamic link libraries (DLLs), drivers, and even the NT kernel, which is the core of the Windows operating system. Moreover, the attack extends to security features like Virtualization-Based Security (VBS), Credential Guard, and Hyper-V’s hypervisor, compromising their integrity.

This vulnerability is particularly alarming because it not only bypasses traditional security measures but also evades detection by endpoint detection and response (EDR) solutions.

Microsoft was informed of these vulnerabilities in February 2024, but as of publication a comprehensive fix is still in development. In the meantime, the company has issued advisories (CVE-2024-38202 and CVE-2024-21302).

The complexity of the issue means that a full patch will take time. "We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption," a Microsoft spokesperson stated.

Users and organizations are advised to follow Microsoft's guidance to reduce the risk of exploitation until a security update is released.
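Because a downgraded system still reports itself as fully updated, a defender cannot rely on Windows Update status alone. The following PowerShell script is an added example, not code from the article, SafeBreach, or Microsoft: it records the on-disk file versions of the component classes the article names (the NT kernel, core DLLs, and the VBS, Credential Guard, and Hyper-V binaries) as a baseline, then flags any later run where a version has gone backwards. The file list and baseline path are assumptions; adjust them for your environment.

```powershell
param(
    [string]$BaselinePath = "$env:ProgramData\os-component-baseline.json",
    [switch]$Record   # run with -Record on a known-good, fully patched host
)

# Assumed list of components in the classes the article names as downgrade
# targets. Files absent on a given host (e.g. no Hyper-V) are skipped.
$Components = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",      # NT kernel
    "$env:SystemRoot\System32\ntdll.dll",         # core user-mode DLL
    "$env:SystemRoot\System32\ci.dll",            # code integrity
    "$env:SystemRoot\System32\securekernel.exe",  # VBS secure kernel
    "$env:SystemRoot\System32\lsaiso.exe",        # Credential Guard isolated LSA
    "$env:SystemRoot\System32\hvix64.exe",        # Hyper-V hypervisor (Intel)
    "$env:SystemRoot\System32\hvax64.exe"         # Hyper-V hypervisor (AMD)
)

# Parse the numeric part of a FileVersion string such as
# "10.0.22621.3880 (WinBuild.160101.0800)" into a comparable [version].
function ConvertTo-ComparableVersion([string]$FileVersion) {
    return [version](($FileVersion -split ' ')[0])
}

function Get-ComponentVersions {
    $result = @{}
    foreach ($path in $Components) {
        if (Test-Path $path) {
            $result[$path] = (Get-Item $path).VersionInfo.FileVersion
        }
    }
    return $result
}

$current = Get-ComponentVersions
if ($Record) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline with $($current.Count) components written to $BaselinePath"
    return
}
if (-not (Test-Path $BaselinePath)) {
    Write-Error "No baseline at $BaselinePath; run with -Record on a known-good host first."
    return
}
$baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
$regressions = 0
foreach ($path in $current.Keys) {
    $prop = $baseline.PSObject.Properties[$path]
    if ($null -eq $prop) { Write-Warning "Not in baseline: $path"; continue }
    $old = ConvertTo-ComparableVersion $prop.Value
    $new = ConvertTo-ComparableVersion $current[$path]
    if ($new -lt $old) {
        Write-Warning "DOWNGRADE: $path is $new, baseline was $old"
        $regressions++
    }
}
Write-Host "$regressions component(s) older than baseline."
```

Re-record the baseline only after a verified legitimate update, and keep the baseline file off the monitored host (or under separate write protection), since an attacker with kernel-level control can alter local evidence.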

About the Author

Husain Parvez is a Cybersecurity Researcher and News Writer at vpnMentor, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of the vpnMentor Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.
