At the Black Hat USA 2024 conference, security researcher Alon Leviev of SafeBreach unveiled a serious weakness in Windows Update that lets an attacker downgrade a fully patched Windows system, exposing it again to security flaws that had already been fixed. This class of attack, known as a downgrade attack (Leviev's tool is called Windows Downdate), affects Windows 10, Windows 11, and Windows Server.
The weakness lets an attacker effectively undo installed security updates by replacing patched components with their older, vulnerable versions, reverting the system to a less secure state. For users who rely on regular updates to keep their systems protected, this is a worst-case scenario: the machine looks maintained but carries known, exploitable flaws.
Microsoft has known about the issue since it was reported in February 2024 but has not yet shipped a complete fix. Until one is available, Microsoft has published advisories for CVE-2024-38202 (a Windows Update Stack elevation-of-privilege flaw) and CVE-2024-21302 (a Windows Secure Kernel Mode elevation-of-privilege flaw) with interim guidance on limiting the damage. The technique abuses the update mechanism itself to replace updated DLLs, drivers, and the NT kernel with outdated versions that contain known vulnerabilities.
Leviev's research also showed that the downgrade extends to the virtualization stack, covering components such as the Hyper-V hypervisor and the Secure Kernel. Beyond that, an attacker can disable Virtualization-Based Security (VBS) features, including Credential Guard, even when the UEFI locks meant to protect them are in place, a significant step forward in bypassing these protections.
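Because the attack replaces the kernel, Secure Kernel and hypervisor binaries and can switch VBS off, a practical first check is to record the versions of those binaries and the current VBS state and compare them against a known-good machine rather than trusting a single host's own view of itself. The PowerShell below is an added example for this page, not code from Leviev, SafeBreach or Microsoft; the file list and the empty baseline table are assumptions to be filled in from a patched reference host. It reads the documented Win32_DeviceGuard WMI class and the VersionInfo of the files under System32.

```powershell
# Added example (not from the article, SafeBreach or Microsoft): inventory the
# components a Windows Downdate-style attack targets and compare them to a baseline.
# The baseline table is a placeholder; populate it from a known-patched reference host.

$expected = @{
    # Hypothetical baseline file versions. $null means "report only, do not compare".
    'ntoskrnl.exe'     = $null   # NT kernel
    'securekernel.exe' = $null   # Secure Kernel (VBS)
    'hvix64.exe'       = $null   # Hyper-V hypervisor on Intel hosts
    'hvax64.exe'       = $null   # Hyper-V hypervisor on AMD hosts
}

$system32 = Join-Path $env:SystemRoot 'System32'

# 1. Report the file version of each targeted binary and flag deviations from baseline.
foreach ($name in $expected.Keys) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path $path)) {
        Write-Output ("{0,-18} not present" -f $name)
        continue
    }
    $ver  = (Get-Item $path).VersionInfo.FileVersion
    $flag = if ($expected[$name] -and $ver -ne $expected[$name]) { '  <-- differs from baseline' } else { '' }
    Write-Output ("{0,-18} {1}{2}" -f $name, $ver, $flag)
}

# 2. Report VBS and Credential Guard state from the DeviceGuard WMI class.
#    VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
#    SecurityServicesRunning / SecurityServicesConfigured: 1 = Credential Guard, 2 = HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
Write-Output ("VBS status                 : {0}" -f $dg.VirtualizationBasedSecurityStatus)
Write-Output ("Security services configured: {0}" -f (($dg.SecurityServicesConfigured) -join ','))
Write-Output ("Security services running   : {0}" -f (($dg.SecurityServicesRunning) -join ','))

# A host where Credential Guard was configured but is no longer listed as running,
# or whose kernel/hypervisor versions fall behind the baseline, deserves a closer look.
```

Run it from an elevated PowerShell session on each host and diff the output against the reference machine; a downgraded binary shows up as an older FileVersion, and a disabled Credential Guard shows up as a service that is configured but not running.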
So far there is no known in-the-wild exploitation of this weakness, but Microsoft recommends following the guidance in its advisories to reduce the risk until an official update is released.