Windows Update is generally a safety net, diligently pushing patches to protect us from the latest threats. But what if a tool existed that could undo those updates one component at a time, leaving your computer exposed to vulnerabilities Microsoft thought it had fixed? That tool exists. It’s called Windows Downdate, and it was created by SafeBreach researcher Alon Leviev as a proof of concept for downgrade attacks against Windows, presented at Black Hat USA 2024 and DEF CON 32.
While its intent was ethical, the impact of Windows Downdate falling into the wrong hands could be devastating. Rather than installing an old update package, it abuses the update process itself: the component-replacement step carried out by the Trusted Installer is manipulated so that older, unpatched versions of files are written in place of the patched ones. Leviev used the tool to downgrade critical system components like dynamic link libraries, drivers, and even the NT kernel, bypassing Windows Update’s integrity verification and Trusted Installer enforcement along the way. The result? A fully patched system that is once again susceptible to thousands of past vulnerabilities, making the term ‘fully patched’ meaningless. Worse, because only the component files change, the OS still reports itself as up to date, refuses to reinstall the updates it thinks it already has, and shows nothing to recovery and scanning tools that rely on that status.
The vulnerability extends beyond core components. Leviev also demonstrated downgrades of the Hyper-V hypervisor, the Secure Kernel, and Credential Guard’s Isolated User Mode process, the building blocks of virtualization-based security (VBS), and used them to turn VBS off entirely. He achieved this even with VBS’s UEFI locks enforced, which he described as the first known downgrade attack against those locks. The practical lesson is that a policy setting, or even a UEFI lock, only says that VBS should be on; it is no guarantee that the Secure Kernel and hypervisor actually running are the patched ones, or that they are running at all.
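The two checks below are an added example, not code from the article or from SafeBreach’s Windows Downdate tool. They follow from the two points above: don’t trust the OS’s own "up to date" verdict, but compare the on-disk versions of the components Leviev downgraded (NT kernel, Secure Kernel, Hyper-V hypervisor, code-integrity DLL) against a baseline captured from a known-good host, and compare the VBS services Windows is configured to run with those actually running via the Win32_DeviceGuard WMI class. The baseline version numbers at the bottom are placeholders and must be replaced with values captured from your own freshly patched reference machine; file names and paths are the standard ones, but the hypervisor binary is vendor-dependent (hvix64.exe on Intel, hvax64.exe on AMD).

```powershell
# Added example: cross-check component versions and VBS state without relying
# on what Windows Update reports. Run from an elevated PowerShell 5.1 or 7 session.

function Get-ComponentVersion {
    param([Parameter(Mandatory)][string]$Path)
    # The numeric FileVersionInfo parts (major.minor.build.UBR) come from the PE
    # resource; the free-text FileVersion string can lag behind, so avoid it.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-DowngradedComponents {
    param(
        # file name -> known-good version, captured with Get-ComponentVersion
        # on a trusted host running the same build right after patching.
        [Parameter(Mandatory)][hashtable]$Baseline
    )
    foreach ($name in $Baseline.Keys) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        # hvix64.exe / hvax64.exe only exist on the matching CPU vendor
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $onDisk = Get-ComponentVersion -Path $path
        [pscustomobject]@{
            File       = $name
            OnDisk     = $onDisk
            Baseline   = [version]$Baseline[$name]
            # Older than the baseline while the OS still reports the patched
            # build is the downgrade signature.
            Downgraded = ($onDisk -lt [version]$Baseline[$name])
        }
    }
}

function Test-VbsState {
    # Documented Win32_DeviceGuard values:
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #   SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $configured = @($dg.SecurityServicesConfigured)
    $running    = @($dg.SecurityServicesRunning)
    $missing    = @($configured | Where-Object { $_ -notin $running })
    [pscustomobject]@{
        VbsStatus            = $dg.VirtualizationBasedSecurityStatus
        Configured           = $configured
        Running              = $running
        ConfiguredNotRunning = $missing
        # "Configured but not running" is what a successful VBS downgrade looks
        # like: policy and any UEFI lock still say on, but nothing is protecting you.
        Suspicious           = ($configured.Count -gt 0 -and $dg.VirtualizationBasedSecurityStatus -ne 2) -or
                               ($missing.Count -gt 0)
    }
}

# --- usage; the baseline versions are placeholders, replace with your own ---
$baseline = @{
    'ntoskrnl.exe'     = '10.0.22631.3880'
    'securekernel.exe' = '10.0.22631.3880'
    'hvix64.exe'       = '10.0.22631.3880'
    'ci.dll'           = '10.0.22631.3880'
}
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"OS reports build $($cv.CurrentBuildNumber).$($cv.UBR)"
Test-DowngradedComponents -Baseline $baseline | Format-Table -AutoSize
Test-VbsState | Format-List
```

Treat a hit from either check as an indicator, not proof: not every cumulative update touches every file, so the baseline must come from the same build, and an attacker who already holds administrator rights on the box can tamper with the checker itself, so the version comparison is best done from a separate trusted system against a copy of the files or from offline media.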
Windows Downdate essentially un-patches security updates component by component, leaving PCs exposed to a multitude of threats while deceptively reporting themselves as fully updated. While the tool was developed to expose these weaknesses, its potential for malicious use is alarming, and Leviev suspects similar downgrade attacks could be possible in other operating systems like macOS and Linux.
The good news is that Leviev responsibly reported his findings to Microsoft in February 2024. In response, Microsoft published two advisories in August 2024 alongside his talk: CVE-2024-21302, an elevation-of-privilege flaw in Windows Secure Kernel Mode, and CVE-2024-38202, an elevation-of-privilege flaw in the Windows Update stack (Windows Backup), and said it was developing mitigations. One caveat worth keeping in mind: per Microsoft’s advisories, exploiting CVE-2024-21302 requires administrator privileges on the target, and CVE-2024-38202 requires convincing an administrator to perform a system restore, so Windows Downdate is a post-compromise tool for entrenching and escalating access rather than a way in. Even so, the hope is that Microsoft acts swiftly to close this hole before unethical actors leverage it for malicious purposes.