Tom’s Hardware
Jeff Butts

Now available to all, Downdate tool silently downgrades Windows security patches

At Black Hat 2024, SafeBreach researcher Alon Leviev demonstrated a tool that could silently undo security patches installed on computers running Windows 10, Windows 11, and Windows Server. Through such a downgrade attack, threat actors could reintroduce old security vulnerabilities. Several months later, Leviev has released this tool as an open-source Python-based program and a pre-compiled Windows executable.

Using the tool, dubbed Windows Downdate, it’s possible to circumvent parts of Windows Update to build custom downgrade packages. These packages re-expose previously fixed security vulnerabilities, allowing an attacker to compromise the affected systems as if they had never been patched in the first place.

Leviev’s tool exploits the CVE-2024-21302 and CVE-2024-38202 vulnerabilities. Its use is undetectable because endpoint detection and response (EDR) solutions cannot block it. Furthermore, Windows Update continues to report that the targeted system is up-to-date, even though it’s actually been downgraded.

Along with the tool itself, Leviev provided several examples of its use. In these examples, users can downgrade the Hyper-V hypervisor to a two-year-old version. The examples also explain how to revert the Windows Kernel, the NTFS driver, and the Filter Manager driver to their original versions. Instructions also walk through downgrading other Windows components and previously applied security patches.

The security researcher also encouraged others to use the tool for "further research and to find additional vulnerabilities."

Microsoft released a security update on August 7 to address the CVE-2024-21302 Windows Secure Kernel Mode privilege escalation flaw. However, there is not yet a patch for CVE-2024-38202, a Windows Update Stack elevation of privilege vulnerability.

Until Microsoft releases a security update for CVE-2024-38202, the company says users should follow recommendations outlined in the security advisory released earlier this month to safeguard against Windows Downdate downgrade attacks.

These recommendations include configuring “Audit Object Access” settings to monitor file access attempts, restricting update and restore operations, utilizing Access Control Lists to limit file access, and doing regular audits to identify attempts to exploit the vulnerability.
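The first and last of those recommendations, turning on "Audit Object Access" for a directory and then reviewing the resulting events, can be scripted. The PowerShell below is an added example for this article, not code from Leviev's tool or from Microsoft's advisory; the directory in `$WatchPath` is an assumed placeholder, and the script must run from an elevated prompt.

```powershell
# Added example (not from the article or the advisory): enable file-system object-access
# auditing, put a SACL on a directory so writes and deletes there are logged, and review
# the resulting Security log events (ID 4663). $WatchPath is an assumed placeholder.
$WatchPath = 'C:\PLACEHOLDER\directory-named-in-the-advisory'

# 1. Enable success and failure auditing for the "File System" subcategory of Object Access.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit rule (SACL entry): any principal that writes to, deletes in, or changes
#    permissions on the directory tree generates a Security log event.
$acl  = Get-Acl -Path $WatchPath -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $WatchPath -AclObject $acl

# 3. Regular audit: list 4663 events from the last 24 hours that touch the watched path,
#    showing which account and which process performed the access.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object  = $d.ObjectName
            Process = $d.ProcessName
            Access  = $d.AccessMask
        }
    } |
    Where-Object { $_.Object -like "$WatchPath*" } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Writes by a process other than the expected servicing components are the signal to investigate; feeding the same query into a SIEM or a scheduled task covers the "regular audits" part of the recommendation.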
