Security researcher discovered attack to downgrade Windows permanently
One of the most important pieces of advice when it comes to the security of electronic devices is to make sure that they are up to date.
A security researcher discovered a new attack that downgrades Windows devices permanently. Information on the attack is available on the SafeBreach website.
Microsoft releases monthly security updates for Windows. It may also release out-of-band security updates; these are released when new vulnerabilities are actively exploited.
Good to know: Downgrading refers to uninstalling certain updates from a device. This may refer to uninstalling newer feature updates, but also to uninstalling a newer version of Windows.
While it is sometimes necessary to downgrade a PC, for instance when a new version is causing issues that cannot be fixed at the time, the process may also be used to remove certain security updates or protections from the operating system.
The Windows Downgrade Attack
Security researcher Alon Leviev developed the tool Windows Downdate to demonstrate that downgrade attacks are possible, even on fully patched versions of Windows.
He describes the tool in the following way: "a tool to take over the Windows Update process to craft fully undetectable, invisible, persistent, and irreversible downgrades on critical OS components—that allowed me to elevate privileges and bypass security features".
With the help of the tool, Leviev was able to turn fully patched and secured Windows devices to outdated Windows devices that were "susceptible to thousands of past vulnerabilities".
Leviev unveiled the research project at Black Hat USA 2024 and Def Con 32. During the demonstrations, he successfully downgraded a fully patched Windows system and prepared it so that Windows Update would not find new updates.
To make matters worse, the downgrade attack is both undetectable by endpoint detection and response solutions and invisible with regard to the operating system's components. In other words, the operating system appears up-to-date when in fact it is not.
The downgrade is also persistent and irreversible. The latter means that scan and repair tools do not detect the issues and cannot repair the downgrade.
You may check out the blog post on the SafeBreach website for technical details.
Microsoft's response
Microsoft was informed about the vulnerability in advance. It is tracking the issues under the following identifiers:
- CVE-2024-21302 -- Windows Secure Kernel Mode Elevation of Privilege Vulnerability
- CVE-2024-38202 -- Windows Update Stack Elevation of Privilege Vulnerability
The maximum severity of both issues was set to important by Microsoft.
Microsoft has already added a detection to Microsoft Defender for Endpoint. It is designed to alert customers to exploitation attempts.
The company also recommends several actions. While they do not "mitigate the vulnerability", they "reduce the risk of exploitation".
In a nutshell:
- Configure “Audit Object Access” settings to monitor attempts to access files, such as handle creation, read / write operations, or modifications to security descriptors.
- Auditing sensitive privileges used to identify access, modification, or replacement of VBS-related files could help indicate attempts to exploit this vulnerability.
- Protect your Azure tenant by investigating administrators and users flagged for risky sign-ins and rotating their credentials.
- Enabling Multi-Factor Authentication can also help alleviate concerns about compromised accounts or exposure.
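The first two recommendations can be scripted. The following is an added example, not code from the article or from SafeBreach: it enables the relevant audit subcategories and places a SACL on the files to watch so that writes, deletions and security-descriptor changes land in the Security log. The watched path is a placeholder, because the article does not name the VBS-related files, and the script assumes an elevated PowerShell session.

```powershell
# Added example (not from the article or SafeBreach). Run from an elevated
# PowerShell session; Set-Acl on a SACL requires the SeSecurityPrivilege that
# administrators hold.

# Placeholder: replace with the VBS-related files you want to monitor.
$WatchedFiles = @(
    "$env:SystemRoot\System32\PLACEHOLDER_vbs_component.dll"   # hypothetical path
)

# 1. Turn on the "Audit Object Access" and "Sensitive Privilege Use" subcategories
#    for both success and failure events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable | Out-Null

# 2. Build an audit ACE that fires on writes, deletion, permission changes and
#    ownership changes (the security-descriptor modifications the article lists).
$Rights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
          [System.Security.AccessControl.FileSystemRights]::AppendData -bor
          [System.Security.AccessControl.FileSystemRights]::Delete -bor
          [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
          [System.Security.AccessControl.FileSystemRights]::TakeOwnership

$Everyone  = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$AuditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Everyone, $Rights, [System.Security.AccessControl.AuditFlags]'Success, Failure')

foreach ($Path in $WatchedFiles) {
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Not found: $Path"; continue }
    $Acl = Get-Acl -LiteralPath $Path -Audit     # -Audit pulls the existing SACL
    $Acl.AddAuditRule($AuditRule)
    Set-Acl -LiteralPath $Path -AclObject $Acl
    Write-Host "Audit ACE applied to $Path"
}

# 3. Verify: 4663 = object access on an audited file, 4673/4674 = sensitive
#    privilege use. These should start appearing once a watched file is touched.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4673, 4674 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

The `auditpol` changes are overridden by Group Policy if advanced audit policy is managed centrally, so apply the same subcategories there in a domain environment.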
Closing Words
The attack does require administrative privileges. A good precaution is to use a regular user account for day-to-day activities on Windows PCs. Microsoft will release a fix for the issue in the future.
What is your take on this? Feel free to leave a comment down below.