Windows Downdate: A Research Tool That Could Turn Into a Hacker's Weapon
Researchers had previously identified a vulnerability in the Windows 10/11 update mechanism. Despite the restrictions Microsoft imposes on the update process to mitigate security risks, a flaw was discovered that allows the system to be downgraded.
This vulnerability not only permits the successful downgrade of the system but also deceives the system into believing it is fully updated to the latest version. The flaw impacts Windows 10, Windows 11, and Windows Server systems.
What is the significance of a downgrade? It re-exposes vulnerabilities that were previously fixed. Microsoft releases security updates monthly to address vulnerabilities, and older system versions are rife with known security flaws. A successful downgrade therefore makes it easy to exploit these historical vulnerabilities.
Researchers were even able to downgrade components such as the Windows NT kernel, the NTFS driver, and the Filter Manager driver to their original versions, which makes this a complex and highly dangerous vulnerability for the Windows operating system.
Microsoft has addressed this vulnerability in the security update released on August 7. With the fix in place, researchers have now introduced a tool targeting this vulnerability: Windows Downdate.
Windows Downdate Project URL: https://github.com/SafeBreach-Labs/WindowsDowndate
With this tool, security researchers can bypass certain Windows Update functionality to create custom downgrade packages. If the downgrade succeeds, it could be combined with previously fixed vulnerabilities to launch targeted attacks.
The researchers also exploited the vulnerabilities CVE-2024-21302 and CVE-2024-38202. Because Endpoint Detection and Response (EDR) technologies were unable to recognize these, attacks could take place without any alerts from EDR systems.
On GitHub, researchers provided examples, including downgrading the Hyper-V virtual machine manager to a 2022 version, restoring the Windows NT kernel to its original version, and downgrading other Windows components and previously installed patches.
It is important to note that these vulnerabilities were fixed before the tool was created and released for research and testing purposes. However, hackers could also use the tool for attacks, which makes it crucial for Windows PC and Windows Server users and businesses to install the latest patches promptly.