In March of last year the BlackLotus UEFI Secure Boot bypass vulnerability surfaced. It was patched, but the downgrade attack described below can still bypass Secure Boot, VBS (Virtualization-based Security), HVCI (Hypervisor-Protected Code Integrity) and more on fully updated systems.
Yesterday we reported that security researcher Alon Leviev developed Windows Downdate, a "tool that interferes with the Windows Update process to create completely undetectable, invisible, persistent, and irreversible downgrades to critical operating system components," such as DLLs, drivers, and even the Windows kernel.
At Black Hat and DEF CON the researcher performed a downgrade attack on a fully updated Windows installation.
In the video below, the Ancillary Function kernel driver (AFD.SYS) is downgraded on a system running Windows 11 23H2.
Alon Leviev provided a summary of how Windows Downdate works:
First, it is completely undetectable, so endpoint detection and response (EDR) solutions cannot block it.
Second, the downgrade is invisible. Downgraded components appear to be updated even though they are technically downgraded.
Third, the downgrade is persistent, so future software updates will not overwrite the files.
Finally, the downgrade is irreversible, so scan and repair tools cannot detect or repair it.
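Because the article states that a downgraded component still reports as updated and that repair tools do not catch it, a practitioner's only reliable check is to compare the binary actually on disk against a baseline recorded out of band (for example the file version from a freshly patched reference machine). The script below is an added example written for this page; it is not part of Windows Downdate, the researcher's material or Microsoft tooling. The baseline version strings are placeholders to be replaced with values captured from a trusted reference system, and the paths are the default System32 locations.

```powershell
# Added example (not from the article or from Windows Downdate): compare the
# on-disk version, hash and signer of critical components against a baseline
# captured out of band. Windows Update status is not used, because the article
# says a downgraded component still reports as updated.
# The baseline versions below are PLACEHOLDER ASSUMPTIONS, not real values.
$Targets = @{
    "$env:SystemRoot\System32\drivers\afd.sys" = "10.0.22631.9999"   # placeholder baseline
    "$env:SystemRoot\System32\ntoskrnl.exe"    = "10.0.22631.9999"   # placeholder baseline
}

foreach ($path in $Targets.Keys) {
    if (-not (Test-Path $path)) { Write-Warning "missing: $path"; continue }

    $info     = (Get-Item $path).VersionInfo
    # FileVersion looks like "10.0.22631.2506 (WinBuild.160101.0800)"; keep the numeric part.
    $onDisk   = [version]($info.FileVersion.Split(' ')[0])
    $baseline = [version]$Targets[$path]
    $sig      = Get-AuthenticodeSignature $path
    $hash     = (Get-FileHash $path -Algorithm SHA256).Hash

    # A downgrade plants an OLDER but still legitimately Microsoft-signed binary,
    # so a valid Authenticode signature alone proves nothing here. The version
    # comparison against the external baseline is the check that matters.
    $status = if ($onDisk -lt $baseline) { "DOWNGRADED" }
              elseif ($onDisk -eq $baseline) { "ok" }
              else { "newer than baseline" }

    [pscustomobject]@{
        Path      = $path
        OnDisk    = $onDisk
        Baseline  = $baseline
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = $hash
        Status    = $status
    }
}
```

Run it from an elevated PowerShell prompt and feed the Path/OnDisk/SHA256 tuples into whatever inventory you already keep; the point of recording the hash alongside the version is that the comparison holds even if the version resource itself is tampered with.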
Microsoft was notified of this vulnerability prior to the public demonstration and is tracking the flaws under the identifiers CVE-2024-21302 and CVE-2024-38202 on the MSRC website.
Watch the video