Security researchers have disclosed a new class of attack against Microsoft Windows that can undo a system's security updates. Known as 'Downgrade attacks', they exploit two zero-day vulnerabilities to revert a fully patched Windows device to a previously patched, vulnerable state, so any fully patched system is potentially exposed.
Windows Downgrade Attacks Can Reverse System Updates
A detailed blog post by researchers at SafeBreach sheds light on the Downgrade attacks affecting Windows systems. These attacks reverse the patching of a target system, rolling its security updates back to an earlier state. That re-exposes the system to vulnerabilities that are already public and already have working exploits, which makes it an easy target for attackers.
The ability to carry out these attacks stems from two zero-day flaws in Windows:
- CVE-2024-38202 (CVSS 7.3; high severity): An elevation of privilege vulnerability in the Windows Update stack, affecting Windows Backup. An attacker with only basic user privileges can use it to reintroduce previously mitigated vulnerabilities and to circumvent some Virtualization Based Security (VBS) features, effectively unpatching the target system.
- CVE-2024-21302 (CVSS 6.7; medium severity): An elevation of privilege vulnerability in Windows Secure Kernel Mode, affecting Windows systems that support VBS. An attacker with administrator privileges can use it to replace current system files with outdated versions, reintroducing patched vulnerabilities and exposing data protected by VBS.
The researchers developed a tool called Downdate that hijacks the Windows Update process to replace core OS components, including DLLs, drivers and the NT kernel, with older, vulnerable versions. Because the rollback goes through the update mechanism itself, Windows Update continues to report the machine as fully up to date, so the system looks secure to the user while previously patched vulnerabilities are live again.
Using this technique, the researchers were able to downgrade a range of OS components, and to disable VBS even when it was protected by a UEFI lock, all without physical access to the target system. This allowed them to fully revert the system to an unpatched, vulnerable state.
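Because Windows Update's own status cannot be trusted after a downgrade, a practitioner will want a check that looks at the binaries themselves. The following PowerShell script is an added example written for this article; it is not SafeBreach's Downdate tool and not Microsoft's guidance. It compares the build and Update Build Revision (UBR) compiled into a handful of core system files against the build and UBR the registry claims is installed, and separately reports whether VBS is actually running. It assumes Windows 10 or 11 with Windows PowerShell 5.1 or later, run from an elevated prompt; the list of files checked is an illustrative assumption chosen from the kinds of components the research describes.

```powershell
# Added example, not SafeBreach's Downdate tool or Microsoft guidance.
# Heuristic: compare the build/UBR baked into core OS binaries against the
# build/UBR the registry (and therefore Windows Update) says is installed.
# Assumes Windows 10/11, Windows PowerShell 5.1+, run as Administrator.

function Test-DowngradedComponents {
    param(
        # File list is an assumption for illustration, chosen from the kinds
        # of components the research describes Downdate replacing.
        [string[]]$Components = @(
            'ntoskrnl.exe',     # NT kernel
            'securekernel.exe', # VBS secure kernel
            'ci.dll',           # code integrity
            'ntdll.dll',        # user-mode NT layer
            'win32kfull.sys'    # win32k driver
        )
    )

    $cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $osBuild = [int]$cv.CurrentBuildNumber
    $osUbr   = [int]$cv.UBR   # Update Build Revision, raised by each cumulative update

    foreach ($name in $Components) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # FileVersion looks like "10.0.22631.4037 (WinBuild.160101.0800)"
        $fv = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        if ($fv -notmatch '^(\d+)\.(\d+)\.(\d+)\.(\d+)') { continue }
        $fileBuild = [int]$Matches[3]
        $fileUbr   = [int]$Matches[4]

        [pscustomobject]@{
            File        = $name
            FileVersion = '{0}.{1}' -f $fileBuild, $fileUbr
            OsVersion   = '{0}.{1}' -f $osBuild, $osUbr
            # A binary older than the OS claims to be is the downgrade signature.
            # ntoskrnl.exe normally tracks the OS UBR closely; other files may
            # legitimately lag if the latest cumulative update did not touch them.
            Suspicious  = ($fileBuild -lt $osBuild) -or ($fileUbr -lt $osUbr)
        }
    }
}

function Get-VbsState {
    # Win32_DeviceGuard reports whether VBS and its services are actually running.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard |
        Select-Object VirtualizationBasedSecurityStatus, SecurityServicesConfigured, SecurityServicesRunning
}

Test-DowngradedComponents | Format-Table -AutoSize
Get-VbsState | Format-List
```

Treat a `Suspicious` row as a prompt to investigate rather than proof: a file that the most recent cumulative update did not rebuild can legitimately carry an older UBR, so corroborate against the file information list Microsoft publishes for the installed KB. Also remember that a downgraded kernel or code-integrity component could in principle influence what an in-OS script observes, so for a high-value host compare the binaries from known-good media rather than from the running system.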
For more insight, the researchers published a demo video of the attack alongside their blog post. Their findings were also presented at the Black Hat 2024 conference.
Microsoft has published advisories for both CVEs with interim mitigations and has confirmed that it is working on a security update to address them. Until that update ships, a fully patched system remains exposed to this rollback.