Recently, researchers discovered an operating system downgrade vulnerability targeting the Microsoft Windows kernel. The attack is called the Windows Downdate technique. It exploits a weakness in the Windows Update process that allows an attacker to downgrade critical system components during an update, rendering previously applied security fixes ineffective. More specifically, the attack can downgrade dynamic link libraries, drivers, and even critical operating system components such as the NT kernel, including the entire virtualization-based security (VBS) stack.
The researchers presented their findings at the Black Hat 2024 conference and provided many more details in a subsequent detailed write-up. They found that it was possible to hijack the Windows Update process and roll back key components of the operating system, such as DLLs and the NT kernel, to older, vulnerable versions. Using these zero-day vulnerabilities, it is possible to downgrade the Secure Kernel, Isolated User Mode (IUM) processes, and the Hyper-V hypervisor, re-exposing privilege escalation vulnerabilities that had already been patched.
The downgrade attack exploits two zero-day vulnerabilities, tracked as CVE-2024-38202 and CVE-2024-21302. An attacker could exploit them to downgrade Credential Guard's Secure Kernel, Isolated User Mode processes, and the Hyper-V hypervisor, exposing past privilege escalation vulnerabilities. In practice, the attacker crafts a malicious update that replaces Windows system files with older versions, thereby reintroducing security vulnerabilities that had been fixed.
Microsoft has issued an advisory about the vulnerabilities, including mitigation recommendations. Microsoft says there is currently no evidence that these vulnerabilities have been exploited and recommends applying the mitigations before the security updates are released, to help reduce the risk of exploitation. Microsoft has also published KB5042562, which provides guidance for preventing the rollback of Virtualization-based Security (VBS) related security updates and appears to be related to the downgrade attack described above. This shows that Microsoft is responding proactively to these issues and taking steps to protect users from potential attacks.
Microsoft's response to CVE-2024-38202 and CVE-2024-21302 includes: a security patch, made available for download on October 8, 2024; a recommendation to update WinRE to protect against the vulnerabilities, with the specific steps given in the CVE FAQ; mitigation measures to help reduce risk for users who cannot update immediately; a recommendation that users audit permissions and implement access controls to reduce risk; guidance on shutting down VBS when necessary to prevent attacks; an emphasis on design review to ensure system security, especially against downgrade attacks; and an emphasis on monitoring for and detecting downgrade behavior, even where it does not cross a security boundary. Users should apply the update as soon as possible and follow Microsoft's guidance to protect their systems.
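The following check follows from the monitoring and VBS recommendations above. It is an added example, not code from the article or from Microsoft's guidance: it compares the file versions of the components the article names (NT kernel, Secure Kernel, Hyper-V hypervisor) against the build the OS reports, and confirms that VBS and Credential Guard are actually running. The component list, the comparison rule and the file paths are my assumptions.

```powershell
# Added example, not code from the article or from Microsoft. Run in an
# elevated PowerShell on Windows 10/11. The component list is my choice,
# based on the components the article names (NT kernel, secure kernel,
# Hyper-V hypervisor); the comparison rule is an assumption, see below.

$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$osBuild = [int]$cv.CurrentBuild
$osUbr   = [int]$cv.UBR
Write-Host "OS reports build $osBuild.$osUbr"

$components = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",      # NT kernel
    "$env:SystemRoot\System32\securekernel.exe",  # VBS secure kernel
    "$env:SystemRoot\System32\hvix64.exe",        # Hyper-V hypervisor (Intel)
    "$env:SystemRoot\System32\hvax64.exe"         # Hyper-V hypervisor (AMD)
)

foreach ($path in $components) {
    $name = Split-Path $path -Leaf
    if (-not (Test-Path $path)) { Write-Host "  [skip ] $name not present"; continue }
    $vi = (Get-Item $path).VersionInfo
    # Windows binaries carry 10.0.<build>.<revision>. A file whose build, or whose
    # revision within the same build, is lower than what the OS reports is a
    # downgrade indicator. Caveat (assumption): a file untouched by the latest
    # cumulative update can legitimately lag in revision, so treat 'OLDER' as
    # a lead to investigate, not as proof of tampering.
    $older = ($vi.FileBuildPart -lt $osBuild) -or ($vi.FileBuildPart -eq $osBuild -and $vi.FilePrivatePart -lt $osUbr)
    $state = if ($older) { 'OLDER' } else { 'ok' }
    Write-Host ("  [{0,-5}] {1} -> {2}.{3}" -f $state, $name, $vi.FileBuildPart, $vi.FilePrivatePart)
}

# VBS / Credential Guard state from the DeviceGuard WMI class:
# VirtualizationBasedSecurityStatus 2 = enabled and running;
# SecurityServicesRunning contains 1 for Credential Guard, 2 for HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
$cgRunning   = ($dg.SecurityServicesRunning -contains 1)
$hvciRunning = ($dg.SecurityServicesRunning -contains 2)
Write-Host "VBS running: $vbsRunning  Credential Guard: $cgRunning  HVCI: $hvciRunning"
if (-not $vbsRunning) {
    Write-Warning 'VBS is not running; a downgraded Secure Kernel or hypervisor would not be protected by VBS.'
}
```

An 'OLDER' result on a Secure Kernel or hypervisor binary, or VBS reporting not running on a host where it is expected, is the kind of downgrade behavior the article's last paragraph says should be monitored for, and warrants comparing the file against a known-good copy from the expected update package.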