'Windows Downdate' vulnerability downgrades systems to older, less secure versions
At the Black Hat security conference in Las Vegas, new research has uncovered a critical vulnerability in Windows 11 and Windows 10, dubbed "Downdate." The flaw, identified by Alon Leviev of SafeBreach Labs, lets an attacker abuse the Windows Update mechanism to downgrade a system to older, less secure versions, re-exposing it to historical vulnerabilities and potentially allowing the attacker to gain full control.
Microsoft has acknowledged the issue and is in the process of developing a complex patch to resolve it. Leviev's research was motivated by the "BlackLotus UEFI bootkit" malware campaign, which similarly involved downgrading the Windows boot manager. By manipulating the Windows Update process, Leviev discovered he could downgrade the entire operating system or specific components, effectively disabling Windows' Virtualization-Based Security (VBS) and targeting privileged kernel code.
The vulnerability hinges on the "PoqexecCmdline" key used by the update process: by controlling it, an attacker can manipulate and downgrade critical Windows components without detection. Microsoft is actively working on mitigations, including revoking vulnerable VBS system files, to prevent exploitation.