SafeBreach security researcher Alon Leviev has released Windows Downdate, a tool that can selectively “roll back” individual components of Windows 10, Windows 11, and Windows Server systems, re-exposing vulnerabilities that were already patched. This was reported by Bleeping Computer.
Windows Downdate is available as an open source Python program and as a pre-compiled Windows executable.
Leviev also published several usage examples that roll back the Hyper-V hypervisor (to a two-year-old version), the Windows kernel, the NTFS driver, and the Filter Manager driver (to their base versions), as well as other Windows components and previously applied security patches.
“You can use it to take over Windows Updates to downgrade and expose past vulnerabilities sourced in DLLs, drivers, the NT kernel, the Secure Kernel, the Hypervisor, IUM trustlets and more,” explains the researcher.
Leviev says that use of the tool is undetectable: it cannot be blocked by endpoint detection and response (EDR) solutions, and Windows Update continues to report that the target system is fully up to date.
Microsoft has responded and advises users to wait for an update that will close this vulnerability. In the meantime, the company asks users to follow its recommendations for protecting against attacks that use Windows Downdate.
The recommended mitigations include configuring Object Access auditing to monitor file access attempts, restricting update and restore operations, using access control lists (ACLs) to restrict access to the affected files, and auditing privilege use to detect exploitation attempts.
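The Object Access auditing that Microsoft recommends produces Windows Security events such as 4663 (“An attempt was made to access an object”) once the File System audit subcategory is enabled and a SACL is placed on the files of interest. The following is an added example, not code from the article, from SafeBreach or from Microsoft, of how a defender could triage those events: it flags write or delete access to binaries of the components the article says Downdate rolls back when the writing process is not the expected servicing process. The watchlist (`ntoskrnl.exe`, `ntfs.sys`, `fltmgr.sys`), the trusted-writer path, and the sample events are assumptions constructed for the example; real 4663 messages list each access right on its own line, which the constructed input simplifies to a comma-separated field.

```python
"""Triage constructed Windows 4663 file-access audit events for unexpected
writes to kernel and driver binaries (added example, not from the article)."""
import re
from dataclasses import dataclass

EVENT_ID = "4663"  # Security log: "An attempt was made to access an object"

# Assumption: binaries corresponding to components the article names
# (Windows kernel, NTFS driver, Filter Manager driver). Extend as needed.
WATCHED_FILES = {"ntoskrnl.exe", "ntfs.sys", "fltmgr.sys"}

# Assumption: the only process expected to rewrite these files during
# legitimate servicing. Compared case-insensitively.
TRUSTED_WRITERS = {r"c:\windows\servicing\trustedinstaller.exe"}

# Access rights (as spelled in 4663 messages) that can alter file content.
WRITE_ACCESSES = {
    "WriteData (or AddFile)",
    "AppendData (or AddSubdirectory)",
    "WriteAttributes",
    "DELETE",
}

FIELD_RE = re.compile(
    r"^\s*(Event ID|Account Name|Object Name|Process Name|Accesses):\s*(.+?)\s*$"
)


@dataclass
class Finding:
    account: str
    process: str
    path: str
    accesses: tuple


def parse_events(text):
    """Split the constructed event text on blank lines and pull out the
    fields we need; unknown lines are ignored."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields:
            events.append(fields)
    return events


def suspicious_writes(events):
    """Return a Finding for every 4663 event where a non-trusted process
    obtained write/delete access to a watched binary."""
    findings = []
    for ev in events:
        if ev.get("Event ID") != EVENT_ID:
            continue  # handle requests (4656) etc. are out of scope here
        path = ev.get("Object Name", "")
        if path.rsplit("\\", 1)[-1].lower() not in WATCHED_FILES:
            continue
        accesses = tuple(a.strip() for a in ev.get("Accesses", "").split(",") if a.strip())
        if not any(a in WRITE_ACCESSES for a in accesses):
            continue  # read-only access to a watched file is normal
        process = ev.get("Process Name", "")
        if process.lower() in TRUSTED_WRITERS:
            continue  # expected servicing activity
        findings.append(Finding(ev.get("Account Name", "?"), process, path, accesses))
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS = r"""
Event ID: 4663
Account Name: SYSTEM
Object Name: C:\Windows\System32\ntoskrnl.exe
Process Name: C:\Windows\servicing\TrustedInstaller.exe
Accesses: WriteData (or AddFile)

Event ID: 4663
Account Name: alice
Object Name: C:\Windows\System32\drivers\ntfs.sys
Process Name: C:\Users\alice\Downloads\unknown_tool.exe
Accesses: DELETE, WriteData (or AddFile)

Event ID: 4663
Account Name: alice
Object Name: C:\Windows\System32\drivers\fltmgr.sys
Process Name: C:\Windows\explorer.exe
Accesses: ReadData (or ListDirectory)

Event ID: 4656
Account Name: alice
Object Name: C:\Windows\System32\ntoskrnl.exe
Process Name: C:\Users\alice\Downloads\unknown_tool.exe
Accesses: WriteData (or AddFile)
"""

if __name__ == "__main__":
    for f in suspicious_writes(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {f.account} via {f.process} -> {f.path} [{', '.join(f.accesses)}]")
```

Only the second sample event is reported: the TrustedInstaller write is expected, the `fltmgr.sys` access is read-only, and the last block is a 4656 handle request rather than a 4663 access event. In a real deployment the events would come from the Security log rather than a string, and the trusted-writer list would need to reflect the organisation's own servicing tooling.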