Downgrade attacks open patched systems to malware

A new report by the former SafeBreach researcher Alon Leviev is raising alarms about the risks posed by downgrade attacks on Microsoft Windows. In a blog post, Leviev, who now works for Microsoft, explained that his latest bypass could allow a malicious actor to load unsigned kernel drivers on a fully patched Windows system. Those could then be used to disable security features, deploy and disguise malicious code and processes, and so on.

Leviev’s research builds upon earlier findings he unveiled at the Black Hat Briefings and DEF CON conferences in Las Vegas this past August. In that work, Leviev demonstrated the use of a custom tool, Windows Downdate, that enabled him to downgrade critical Windows components such as dynamic link libraries (DLLs), drivers, and the NT kernel, swapping in older versions of key components with known, exploitable vulnerabilities, without being detected.

After downgrading the various Windows components, Leviev demonstrated, the OS reported that it was fully updated and was unable to install updates. Microsoft issued a patch for one of the flaws he discovered, CVE-2024-21302, a privilege escalation flaw, in August. The second flaw, CVE-2024-38202, a stack elevation of privilege vulnerability in Windows update, was addressed in the company’s October Patch Tuesday release.

However, in an interview for our RL Live series at Black Hat, Leviev warned that the risks posed by Windows downgrade attacks were structural and stretched well beyond the specific flaws covered by the patches for Windows Update.

Here's what you need to know about Leviev's research — and a key lesson for your team.

See ConversingLabs Live: Leviev discusses his Windows downgrade research

How Windows downgrade risk goes downstream

In his latest research, Leviev set out to prove that the Windows downgrade attacks went beyond immediate concerns. Using his Downdate tool to revive "ItsNotASecurityBoundary,” a Windows Digital Signature Enforcement (DSE) bypass that was first reported by Gabriel Landau, a researcher at the firm Elastic Security in July — and subsequently patched by Microsoft. ItsNotASecurityBoundary was described by Elastic as a new bug class that the firm dubbed “False File Immutability” flaws — essentially a way of exploiting incorrect assumptions that Windows makes about file immutability — or the ability to alter file contents for malicious purposes.

Landau found that he could modify files on which write access had been prohibited by triggering page faults when the file is accessed in memory, thereby causing it to be reread by the Windows page fault handler, which then allowed for modifications to the file.

Using the Downdate tool, Leviev modified ci.dll, the Windows module containing the ItsNotASecurityBoundary patch, reverting the file to the unpatched version on an otherwise fully patched Windows 11 machine. That then allowed him to execute the ItsNotASecurityBoundary exploit.

The concept of so-called downgrade attacks isn’t exactly new. As Leviev pointed out, BlackLotus Labs’ famous UEFI Bootkit tool relies on a downgrade attack to revert the Windows boot manager to a version vulnerable to CVE-2022-21894, an exploit that enables hackers to bypass Windows Secure Boot feature.

However, Leviev’s research highlights a potentially fruitful avenue of attack for malicious actors that have gained a foothold on compromised systems or networks. It also reveals a wide gap in threat monitoring and endpoint detection tools, which generally do not flag evidence of unexplained downgrades of Windows components.

Why the integrity of components matters

Josh Knox, a senior cybersecurity technologist at ReversingLabs, said that while organizations focus heavily on preventing malicious updates, "downgrade attacks show we must also secure the integrity of previously installed components."

Each legitimate but vulnerable historical version of Windows components represents a potential weapon in an attacker's arsenal. It's not enough to simply patch and move forward — we need to actively prevent the reintroduction of known-vulnerable code, treating old versions as carefully as we treat new updates.

Josh Knox

The Windows downgrade compromise is the latest to highlight detection gaps in traditional endpoint detection as well as application security testing (AST) tools. "By downgrading, basically, I could ... create files, delete files, do everything that I wanted," Leviev told ReversingLabs.

The downgrade attacks — as well as recent supply chain compromises — point to the need for deeper visibility into the software running in your organization, and the ability to detect unexplained or suspicious changes to both applications (physical and virtual) and cloud based services. Modern threats demand modern software supply chain security tools that employs technologies such as complex binary analysis and reproducible builds.

To learn more, see my conversation with Leviev at Black Hat. He explains how downgrade attacks work — and the dire security implications, which extend beyond Windows and reach across other platforms as well.