
There's a scary new way to undo Windows security patches

Security patches for Windows are essential to protect your PC from threats, but downgrade attacks are one way to circumvent Microsoft's patches. A security researcher set out to show how damaging they can be.

SafeBreach security researcher Alon Leviev wrote in a company blog post that he had developed a proof of concept called the “Windows Downdate Tool”. The tool performs permanent and irreversible downgrades of components on Windows Server systems and on Windows 10 and 11.

Leviev explains that his tool (and similar threats) performs a version rollback attack, “designed to roll back an immunized, fully up-to-date software to an older version. They allow malicious actors to uncover and exploit previously fixed/patched vulnerabilities to compromise systems and gain unauthorized access.”

He also mentions that you can use the tool to expose the PC to older vulnerabilities that originate in drivers, DLLs, Secure Kernel, NT Kernel, the hypervisor, and more. Leviev further posted the following on X (formerly Twitter): “Aside from custom downgrades, Windows Downdate provides easy-to-use use cases for reverting patches for CVE-2021-27090, CVE-2022-34709, CVE-2023-21768, and PPLFault, as well as examples for downgrading the hypervisor, kernel, and bypassing VBS's UEFI locks.”

If you haven't tried it yet, the Windows Downdate Tool is now available! You can use it to apply Windows Updates, downgrade, and disclose past vulnerabilities in DLLs, drivers, the NT kernel, the Secure Kernel, the hypervisor, IUM trustlets, and more!

— Alon Leviev (@_0xDeku) 25 August 2024

What's also troubling is that the attack is hard to detect: the downgrade is not blocked by Endpoint Detection and Response (EDR) solutions, and your Windows computer will keep telling you it's up to date when it's not. Leviev also discovered several ways to disable Windows' virtualization-based security (VBS), including Hypervisor-Protected Code Integrity (HVCI) and Credential Guard.

Microsoft released a security update (KB5041773) on August 7 to fix the privilege escalation flaw CVE-2024-21302 in Windows Secure Kernel Mode, as well as a patch for CVE-2024-38202. Microsoft also released some tips to help Windows users keep themselves safe, such as configuring the “Audit Object Access” settings to look for file access attempts. The release of this new tool shows how vulnerable PCs are to all kinds of attacks and that you should never be careless when it comes to cybersecurity.
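The article mentions two defensive steps: making sure the August update is installed, and turning on “Audit Object Access” so file access attempts are logged. The following PowerShell snippet is an added example written for this page (it is not from the article, from SafeBreach, or from Microsoft) that performs those two checks and adds a third: because a downgraded machine still reports itself as up to date, it records the file versions of a few core components so they can be compared against a baseline taken from a trusted, freshly patched host. The baseline path and the list of components are assumptions chosen for illustration; the script assumes an elevated PowerShell session.

```powershell
# Added example (not code from the article or from SafeBreach). Run elevated.

# 1. Confirm the update the article names is actually installed.
#    Get-HotFix reads the installed-update list; KB5041773 is the KB the article cites.
$kb = 'KB5041773'
$installed = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($installed) { "$kb installed on $($installed.InstalledOn)" } else { "$kb NOT found" }

# 2. Enable the 'File System' subcategory of 'Audit Object Access' so that
#    access attempts on files carrying a SACL are written to the Security log
#    (Event ID 4663).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 3. Do not rely on 'You're up to date' alone: capture the versions of core
#    components a downgrade would replace. The component list is an assumption
#    chosen for this example.
$components = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",      # NT kernel
    "$env:SystemRoot\System32\securekernel.exe",  # Secure Kernel (VBS)
    "$env:SystemRoot\System32\hvix64.exe",        # Hyper-V hypervisor (Intel); hvax64.exe on AMD
    "$env:SystemRoot\System32\ci.dll"             # Code Integrity
)
$current = foreach ($path in $components) {
    if (Test-Path $path) {
        $v = (Get-Item $path).VersionInfo
        [pscustomobject]@{ File = $path; Version = $v.FileVersion }
    }
}
$current | Format-Table -AutoSize

# Baseline location is a constructed placeholder. Create the baseline once on a
# trusted, freshly patched host with:
#   $current | Export-Csv $baseline -NoTypeInformation
$baseline = 'C:\Baselines\win-components.csv'
if (Test-Path $baseline) {
    $expected = Import-Csv $baseline
    foreach ($entry in $current) {
        $ref = $expected | Where-Object File -eq $entry.File
        if ($ref -and $ref.Version -ne $entry.Version) {
            Write-Warning "$($entry.File): version $($entry.Version) differs from baseline $($ref.Version)"
        }
    }
}
```

The point of step 3 is that it checks the binaries on disk rather than asking Windows Update for its opinion; a mismatch against the baseline is a reason to investigate, while a match is not proof that nothing was altered. Audit events from step 2 only appear for files that also have an auditing entry (SACL) configured, so the two measures are complementary.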

The good news is that we can rest easy for now, as the tool was developed as a proof of concept, an example of “white hat hacking” to discover vulnerabilities before threat actors do. Moreover, Leviev submitted his findings to Microsoft in February 2024, and hopefully the software giant will have the necessary fixes soon.
