How to guard against Windows downgrade attacks

Windows Downdate is an attack that can roll back updates to your OS to reintroduce vulnerabilities and allow attackers to take full control of your system. How to mitigate the risk?

Windows Downdate vulnerability: exploitation techniques and countermeasures

All software applications, including operating systems, contain vulnerabilities, so regular updates to patch them are a cornerstone of cybersecurity. The researchers who invented the Windows Downdate attack targeted this very update mechanism, aiming to stealthily roll back a fully updated Windows system to an older version containing vulnerable files and services. This leaves the system exposed to well-known exploits and deep-level compromise — including the hypervisor and secure kernel. Worse, standard update and system-health checks will report that everything’s up to date and fine.

Attack mechanism

The researchers actually found two separate flaws with slightly different operating mechanisms. One vulnerability — assigned the CVE-2024-21302 ID and dubbed Downdate — is based on a flaw in the update installation process: the downloaded update components are controlled, protected from modification, and digitally signed, but at one of the intermediate installation stages (between reboots), the update procedure creates and then uses a file containing a list of planned actions (pending.xml). If attackers are able to create their own version of that file and then add information about it to the registry, the Windows Modules Installer service (TrustedInstaller) will execute the instructions in it upon reboot.

In actual fact, the contents of pending.xml do get verified, but it’s done during previous installation stages — TrustedInstaller doesn’t re-verify it. Of course, it’s impossible to write whatever you like to the file and install arbitrary files this way — since they must be signed by Microsoft, but replacing system files with older files developed by Microsoft is quite feasible. This can re-expose the system to long-patched vulnerabilities — including critical ones. Adding the necessary keys related to pending.xml to the registry requires administrator privileges, after which a system reboot must be initiated. However, these are the only significant limitations. This attack doesn’t require elevated privileges (for which Windows dims the display and prompts an admin for additional permission), and most security tools won’t flag the actions performed during the attack as suspicious.

The second vulnerability — CVE-2024-38202 — allows an actor to manipulate the Windows.old folder, where the update system stores the previous Windows installation. Although modifying files in this folder requires special privileges, an attacker with regular user rights can rename the folder, create a new Windows.old from scratch, and place outdated, vulnerable versions of Windows system files in it. Initiating a system restore then rolls Windows back to the vulnerable installation. Certain privileges are required for system restoration, but these aren’t administrator privileges and are sometimes granted to regular users.

VBS bypass and password theft

Since 2015, the Windows architecture has been redesigned to prevent a Windows kernel compromise leading to that of the whole system. This involves a range of measures collectively known as virtualization-based security (VBS). Among other things, the system hypervisor is used to isolate OS components and create a secure kernel for performing the most sensitive operations, storing passwords, and so on.

To prevent attackers from disabling VBS, Windows can be configured to make this impossible — even with administrator rights. The only way to disable this protection is by rebooting the computer in a special mode and entering a keyboard command. This feature is called a Unified Extensible Firmware Interface (UEFI) lock. The Windows Downdate attack bypasses this restriction as well by replacing files with modified, outdated, and vulnerable versions. VBS doesn’t check system files for up-to-dateness, so they can be substituted with older, vulnerable versions with no detectable signs or error messages. That is, VBS isn’t disabled technically, but the feature no longer performs its security function.

This attack allows for the replacement of secure-kernel and hypervisor files with two-year-old versions containing multiple vulnerabilities whose exploitation leads to privilege escalation. As a result, attackers can gain maximum system privileges, full access to the hypervisor and memory-protection processes, and the ability to easily read credentials, hashed passwords, and also NTLM hashes from memory (which can be used for expanding the network attack).

Protection against Downdate

Microsoft was informed of the Downdate vulnerabilities in February 2024, but it wasn’t until August that details were released as part of its monthly Patch Tuesday rollout. Fixing the bugs proved to be a tough task fraught with side effects — including the crashing of some Windows systems. Therefore, instead of rushing to publish another patch, Microsoft for now has simply issued some tips to mitigate the risks. These include the following:

  • Auditing users authorized to perform system-restore and update operations, minimizing the number of such users, and revoking permissions where possible.
  • Implementing access control lists (ACL/DACL) to restrict access to, and modification of, update files.
  • Configuring event monitoring for instances where elevated privileges are used to modify or replace update files — this could be an indicator of vulnerability exploitation.
  • Similarly, monitoring the modification and replacement of files associated with the VBS subsystem and system-file backups.

Monitoring these events using SIEM and EDR is relatively straightforward. However, false positives can be expected, so distinguishing legitimate sysadmin activity from that of hackers ultimately falls to the security team.
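As an added illustration (not code from the article), here is a minimal rule set that flags the three event classes the list above calls out, run over a few constructed file-event records. The JSON field names and the specific VBS binary names are assumptions of this example; adapt them to what your EDR or SIEM actually exports.

```python
import re

# Constructed file-event records in a Sysmon-like shape (field names are an assumption).
SAMPLE_EVENTS = [
    {"ts": "2024-08-20T10:01:00Z", "op": "write", "user": "NT AUTHORITY\\SYSTEM",
     "proc": "TrustedInstaller.exe", "path": r"C:\Windows\WinSxS\pending.xml"},
    {"ts": "2024-08-20T10:02:30Z", "op": "write", "user": "CORP\\jdoe",
     "proc": "powershell.exe", "path": r"C:\Windows\WinSxS\pending.xml"},
    {"ts": "2024-08-20T10:03:10Z", "op": "rename", "user": "CORP\\jdoe",
     "proc": "explorer.exe", "path": r"C:\Windows.old", "new_path": r"C:\Windows.old.bak"},
    {"ts": "2024-08-20T10:04:00Z", "op": "write", "user": "CORP\\jdoe",
     "proc": "cmd.exe", "path": r"C:\Windows\System32\securekernel.exe"},
    {"ts": "2024-08-20T10:05:00Z", "op": "write", "user": "NT AUTHORITY\\SYSTEM",
     "proc": "TrustedInstaller.exe", "path": r"C:\Windows\System32\securekernel.exe"},
]

# pending.xml and Windows.old are named in the article; the hypervisor/secure-kernel
# binary names are an assumption of this example, not a list taken from the page.
RULES = [
    ("pending.xml written outside servicing", re.compile(r"\\winsxs\\pending\.xml$", re.I), None),
    ("Windows.old renamed or created", re.compile(r"^[a-z]:\\windows\.old$", re.I), {"rename", "create"}),
    ("VBS component replaced", re.compile(r"\\system32\\(securekernel|hvix64|hvax64)\.exe$", re.I), None),
]

# Servicing-stack processes are expected to touch these paths. Matching on process
# name alone is spoofable; a production rule should also check the image signature.
TRUSTED_WRITERS = {"trustedinstaller.exe", "tiworker.exe"}


def classify(event):
    """Return an alert name for a suspicious event, or None if it looks like normal servicing."""
    path = event.get("path", "")
    for name, pattern, ops in RULES:
        if not pattern.search(path):
            continue
        if ops is not None and event.get("op") not in ops:
            continue
        if event.get("proc", "").lower() in TRUSTED_WRITERS:
            return None
        return name
    return None


def scan(events):
    """Run every event through the rules; returns (timestamp, user, alert) triples."""
    return [(e["ts"], e["user"], a) for e in events if (a := classify(e))]
```

The exemption for TrustedInstaller is what keeps a normal Patch Tuesday run quiet, and it is also where the false positives described above live: a legitimate admin scripting a manual rollback will trip the same rules.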

All of the above applies not only to physical, but also virtual Windows machines in cloud environments. For virtual machines in Azure, we also advise tracking unusual attempts to log in with administrator credentials. Enable MFA and change the credentials in case such an attempt is detected.

One other, more drastic tip: revoke administrator privileges for employees who don’t need them, and mandate that genuine administrators (i) only perform administrative actions under their respective account, and (ii) use a separate account for other work.

Risky fixes

For those looking for more security, Microsoft offers the update KB5042562, which mitigates the severity of CVE-2024-21302. With this installed, outdated versions of VBS system files are added to the revoked list and can no longer be run on an updated computer. This policy (SkuSiPolicy.p7b) is applied at the UEFI level, so when using it you need to update not only the OS but also backup removable boot media. It’s also important to be aware that rollback to older installations of Windows would no longer be possible. What’s more, the update forcibly activates the User Mode Code Integrity (UMCI) feature, which itself can cause compatibility and performance issues.

In general, administrators are advised to carefully weigh the risks, and thoroughly study the procedure and its potential side effects. Going forward, Microsoft promises to release patches and additional security measures for all relevant versions of Windows, going as far back as Windows 10, version 1507, and Windows Server 2016.
