A newly discovered vulnerability in Windows Update, revealed by security researcher Alon Levie of SafeBreach at the Black Hat 2024 conference, poses a serious threat to users of Windows 10, Windows 11, and Windows Server. Known as a downgrade attack, this flaw allows attackers to revert a secure Windows system to a previous version, thereby reintroducing vulnerabilities that were previously patched.
This vulnerability enables attackers to uninstall security updates, effectively rolling back a system to an outdated state with known security holes. This scenario undermines the security measures that users rely on when they regularly update their systems.
Microsoft has been aware of this issue since February 2024 but has yet to release a comprehensive fix. In the meantime, Microsoft has published CVE-2024-38202 and CVE-2024-21302 to help mitigate the risk until a formal patch is available. The flaw allows hackers to exploit the update process, modifying DLL files, drivers, and the NT kernel to older versions that reintroduce vulnerabilities.
Levie’s research also uncovered that the downgrade attack affects the entire virtualization stack, including Hyper-V’s hypervisor, Secure Kernel, and Credential Guard. Notably, the attack can bypass Virtualization-Based Security (VBS) UEFI locks, a first in the field of security research.
While there have been no known exploitations of this vulnerability yet, Microsoft advises users to follow the security notes provided to minimize the risk until a patch is released.