Windows ‘downgrade’ attack tool is now in the wild. How to protect yourself

A few weeks ago, security researcher Alon Leviev revealed a frightening Windows vulnerability that allows attackers to “downgrade” a secure Windows system and unpatch security flaws, making the hacked system open to all kinds of attacks.

Well, the hypothetical just became reality as Leviev created a downgrade tool and made it freely available on the web.

Windows Downdate comes to life

The tool, which is written in Python, is named “Windows Downdate” and can be downloaded via this GitHub page. It currently works with Windows 10, Windows 11, and Windows Server.

Using Windows Downdate, attackers can revert critical Windows elements such as DLLs, drivers, system kernels, Hyper-V hypervisor, and other system components to older versions that still contain security vulnerabilities that were later fixed via updates.

As the Windows user, you won’t notice this happening in the background and you’ll likely go on with your everyday tasks believing that your Windows system is still up to date and secure with the latest patches. In reality, your Windows computer is silently made susceptible.

The security researcher informed users via X/Twitter that he made his tool available to download free of charge:

If you have not checked it out yet, Windows Downdate tool is live! You can use it to take over Windows Updates to downgrade and expose past vulnerabilities sourced in DLLs, drivers, the NT kernel, the Secure Kernel, the Hypervisor, IUM trustlets and more!https://t.co/59DRIvq6PZ— Alon Leviev (@_0xDeku) August 25, 2024

The two vulnerabilities exploited by the tool are described in these two documents: CVE-2024-38202 and CVE-2024-21302. Microsoft has already closed the latter, but remains aware of the former and is still working to address that one as well.

How to protect yourself

Now, to be fair, Windows Downdate is meant to be used for researching and testing various vulnerabilities. And it’s not like you can use to willy-nilly attack anyone you want — Alon Leviev certainly wouldn’t have published this tool if hackers could use it to attack others.

Rest assured that Windows Downdate must be launched by the Windows user themself in order to downgrade their Windows PC. It cannot be used to execute a downgrade remotely.

But that doesn’t mean hackers won’t try. They might try to adapt the tool into a malicious executable, then send it to people in hopes that they’ll unknowingly run it and compromise their own systems.

Related: Simple actions that keep you much safer online

Which means keeping yourself safe from this particular downgrade tool involves paying special attention to emails and links from unknown senders who want you to download unsolicited files. Furthermore, never download files from any website that you don’t trust 100 percent.

As long as you never run Windows Downdate on your own PC, you’re safe. You should also always use up-to-date virus scanners, which can recognize and warn you about malicious files.

Further reading: The best antivirus apps for Windows PCs