In a nutshell: Researchers have developed a cyberattack that reverses Windows security updates to exploit previously patched vulnerabilities. Although they cannot deploy the malware remotely, users should observe standard security practices, even on fully updated operating systems. Microsoft has released a detailed guide for minimizing the risk of a downgrade attack as the company develops a more comprehensive solution.
Security researchers from SafeBreach Labs have published the code for a tool that can roll back Windows to reopen old security vulnerabilities. Microsoft hasn't fully addressed the issue yet, but instituting a strict revocation policy can help defend against it until a proper fix is available.
Attackers can use the exploit, which the researchers dubbed Downdate, to revert Windows to an outdated version and then assume complete control over a system using previously patched flaws. Downdate can sidestep security measures like virtualization-based security (VBS), Windows Defender, UEFI locks, and Credential Guard. Windows 10, 11, and Server versions 2019 and later are affected.
SafeBreach released the Downdate software on GitHub to facilitate further research into the issue. The current version can only be used by someone with local access to the PC, but attackers could theoretically integrate it into malware payloads.
Microsoft tracks the threat under two CVEs, CVE-2024-21302 and CVE-2024-38202. It started working on a solution when SafeBreach alerted it to the vulnerability in February. However, the company said that the process is slow because Downdate affects numerous aspects of Windows, and a solution will require extensive testing.
In the meantime, Microsoft has documented a mitigation that can provide an extra layer of security. The Windows support website includes instructions for revoking outdated VBS system files, which causes the UEFI firmware to perform additional checks during startup. However, the procedure risks making a system unbootable if users aren't careful. Microsoft advises users and admins not to apply it on earlier versions of Windows, and all boot devices must first install updates released after August 13, 2024. The rule also applies to external boot media and the Windows Recovery Environment.
Although Downdate affects fully updated versions of Windows, users should still keep up with security patches and install Microsoft's fix for the vulnerability when it is released. The company also suggests that users remain cautious when checking email and only install software from trusted sources.