Saturday, September 7, 2024

Windows Downdate tool lets you ‘unpatch’ Windows systems

SafeBreach security researcher Alon Leviev has released his Windows Downdate tool, which can be used for downgrade attacks that reintroduce old vulnerabilities in up-to-date Windows 10, Windows 11, and Windows Server systems.

In such attacks, threat actors force up-to-date targeted devices to revert to older software versions, thus reintroducing security vulnerabilities that can be exploited to compromise the system.

Windows Downdate is available as an open-source Python-based program and as a pre-compiled Windows executable, and can downgrade Windows 10, Windows 11, and Windows Server system components.

Leviev has also shared several usage examples that downgrade the Hyper-V hypervisor (to a two-year-old version), the Windows kernel, the NTFS driver and the Filter Manager driver (to their base versions), as well as other Windows components and previously applied security patches.

“You can use it to take over Windows Updates to downgrade and expose past vulnerabilities sourced in DLLs, drivers, the NT kernel, the Secure Kernel, the Hypervisor, IUM trustlets and more,” SafeBreach security researcher Alon Leviev explained.

“Besides custom downgrades, Windows Downdate provides easy to use usage examples of reverting patches for CVE-2021-27090, CVE-2022-34709, CVE-2023-21768 and PPLFault, as well as examples for downgrading the hypervisor, the kernel, and bypassing VBS’s UEFI locks.”


As Leviev said at Black Hat 2024 when he disclosed the Windows Downdate downgrade attack, which exploits the CVE-2024-21302 and CVE-2024-38202 vulnerabilities, use of the tool is undetectable: it is not blocked by endpoint detection and response (EDR) solutions, and Windows Update keeps reporting that the targeted system is up-to-date even after it has been downgraded.
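Because Windows Update's own status cannot be trusted after such an attack, a defender needs an independent check. The PowerShell script below is an added example, not code from Windows Downdate, SafeBreach, or Microsoft: it records the file versions of the components the article names, then compares them against that baseline and flags any that went backwards. The mapping of components to binaries (ntoskrnl.exe for the NT kernel, securekernel.exe for the Secure Kernel, hvix64.exe/hvax64.exe for the Hyper-V hypervisor, ntfs.sys and fltMgr.sys for the NTFS and Filter Manager drivers) and the baseline file location are assumptions made for the example.

```powershell
# Added example: baseline-and-compare check for downgraded Windows components.
# Not part of Windows Downdate or of Microsoft's advisory; the file list is an
# assumption about which binaries back the components named in the article.

$Components = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",       # NT kernel
    "$env:SystemRoot\System32\securekernel.exe",   # Secure Kernel (VBS)
    "$env:SystemRoot\System32\hvix64.exe",         # Hyper-V hypervisor (Intel)
    "$env:SystemRoot\System32\hvax64.exe",         # Hyper-V hypervisor (AMD)
    "$env:SystemRoot\System32\drivers\ntfs.sys",   # NTFS driver
    "$env:SystemRoot\System32\drivers\fltMgr.sys"  # Filter Manager driver
)

function Get-ComponentVersion {
    param([Parameter(Mandatory)][string]$Path)
    $info = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    # Build a comparable System.Version from the numeric parts instead of
    # parsing the free-form FileVersion string.
    New-Object System.Version($info.FileMajorPart, $info.FileMinorPart,
                              $info.FileBuildPart, $info.FilePrivatePart)
}

function Save-ComponentBaseline {
    # Run once on a machine you have verified as fully patched.
    param([Parameter(Mandatory)][string]$BaselinePath)
    $baseline = @{}
    foreach ($p in $Components) {
        if (Test-Path -LiteralPath $p) {           # hvix64/hvax64 differ by CPU vendor
            $baseline[$p] = (Get-ComponentVersion $p).ToString()
        }
    }
    $baseline | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
}

function Compare-ComponentBaseline {
    # Returns one row per baselined file; DOWNGRADED or MISSING is the signal.
    param([Parameter(Mandatory)][string]$BaselinePath)
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    $findings = @()
    foreach ($prop in $baseline.PSObject.Properties) {
        $path     = $prop.Name
        $expected = [System.Version]$prop.Value
        if (-not (Test-Path -LiteralPath $path)) {
            $findings += [pscustomobject]@{ Path = $path; Expected = $expected; Actual = $null; Status = 'MISSING' }
            continue
        }
        $actual = Get-ComponentVersion $path
        $status = if ($actual -lt $expected) { 'DOWNGRADED' }
                  elseif ($actual -gt $expected) { 'UPDATED' }
                  else { 'OK' }
        $findings += [pscustomobject]@{ Path = $path; Expected = $expected; Actual = $actual; Status = $status }
    }
    $findings
}

# Usage (assumed baseline path): take the baseline after patching, then run the
# comparison on a schedule and alert on anything that is not OK or UPDATED.
# Save-ComponentBaseline    -BaselinePath 'C:\ProgramData\component-baseline.json'
# Compare-ComponentBaseline -BaselinePath 'C:\ProgramData\component-baseline.json' |
#     Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

The comparison is only as trustworthy as the baseline file: an attacker who can replace the kernel can also edit a JSON file on the same disk, so keep the baseline (or a copy of the comparison output) off-host, and treat a DOWNGRADED row as an incident regardless of what the Windows Update client says.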

“I discovered multiple ways to disable Windows virtualization-based security (VBS), including its features such as Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when enforced with UEFI locks. To my knowledge, this is the first time VBS’s UEFI locks have been bypassed without physical access,” Leviev said.

“As a result, I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term ‘fully patched’ meaningless on any Windows machine in the world.”

While Microsoft released a security update (KB5041773) on August 7 to fix CVE-2024-21302, the Windows Secure Kernel Mode elevation of privilege flaw, the company has yet to provide a patch for CVE-2024-38202, a Windows Update Stack elevation of privilege vulnerability.

Until a security update is released, Redmond advises customers to implement the recommendations shared in the security advisory published earlier this month to help protect against Windows Downdate downgrade attacks.

Mitigation measures for this issue include configuring “Audit Object Access” settings to monitor file access attempts, restricting update and restore operations, using Access Control Lists to limit file access, and auditing privilege use to identify attempts to exploit this vulnerability.
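The PowerShell below is an added example of turning those four mitigation bullets into concrete settings; it is not Microsoft's or SafeBreach's code. It enables the advanced audit policy subcategories behind “Audit Object Access” and privilege auditing with auditpol, adds a SACL so that writes to a directory actually produce object-access events, lists who holds the backup and restore user rights so the assignment can be trimmed, and pulls the resulting events from the Security log. The choice of the drivers directory, the event IDs queried, and the 24-hour window are assumptions for the example; everything here needs an elevated prompt.

```powershell
# Added example: concrete settings for the advisory's mitigation bullets.
# Assumptions: the audited directory and the event IDs (4663 object access,
# 4673/4674 sensitive privilege use) are the author's choices, not Microsoft's.

function Enable-DowngradeAuditing {
    # "Audit Object Access" (File System, Handle Manipulation) plus
    # "Audit Sensitive Privilege Use", success and failure.
    $subcategories = @('File System', 'Handle Manipulation', 'Sensitive Privilege Use')
    foreach ($sub in $subcategories) {
        & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
    }
}

function Add-WriteAuditRule {
    # Object-access auditing only fires for objects that carry a SACL, so add
    # one that logs successful and failed write/delete/ownership changes.
    param([Parameter(Mandatory)][string]$Path,
          [string]$Principal = 'Everyone')
    $acl     = Get-Acl -LiteralPath $Path -Audit
    $rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule    = New-Object System.Security.AccessControl.FileSystemAuditRule($Principal, $rights, $inherit, $prop, $flags)
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-BackupRestorePrivilegeHolders {
    # "Restrict update and restore operations": show who currently holds the
    # SeBackupPrivilege / SeRestorePrivilege user rights (secedit exports SIDs
    # prefixed with '*'); anything beyond Administrators deserves a look.
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        Get-Content -LiteralPath $cfg | ForEach-Object {
            if ($_ -match '^(SeBackupPrivilege|SeRestorePrivilege)\s*=\s*(.*)$') {
                $holders = ($Matches[2] -split ',') | ForEach-Object {
                    $sid = $_.Trim().TrimStart('*')
                    try {
                        (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                            [System.Security.Principal.NTAccount]).Value
                    } catch { $sid }   # keep the raw SID if it cannot be resolved
                }
                [pscustomobject]@{ Privilege = $Matches[1]; Holders = ($holders -join ', ') }
            }
        }
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

function Get-DowngradeAuditEvents {
    # Pull the events the settings above produce, for triage or forwarding.
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4673, 4674; StartTime = $Since } -ErrorAction SilentlyContinue
}

# Usage (elevated PowerShell; the directory is an example, extend it to the
# kernel, Secure Kernel and hypervisor binaries in System32 as appropriate):
# Enable-DowngradeAuditing
# Add-WriteAuditRule -Path "$env:SystemRoot\System32\drivers"
# Get-BackupRestorePrivilegeHolders | Format-Table -AutoSize
# Get-DowngradeAuditEvents | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Expect noise: legitimate servicing also writes to these directories, so the useful signal is a 4663 write to a kernel or driver binary, or 4673/4674 privilege use, outside a maintenance window or by an account that should not hold the restore right.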
