downgrading

Winsage
April 25, 2025
The upcoming Windows 11 25H2 update is expected to be a modest enhancement rather than a major overhaul, continuing to use the Germanium codebase established with 24H2. A preview build, specifically build 27842 from the Canary Channel, has been identified, and references to GE25H2 were found in the AppraiserRes.dll file, which assesses PC compatibility for the new version. The update is anticipated to arrive in the latter half of the year, similar to previous incremental updates. Concerns exist regarding the stability of 25H2 compared to 24H2, which faced installation issues and compatibility problems. Windows 10 will reach the end of regular support on October 14, 2025, prompting users to transition to Windows 11. Smaller updates like enablement packages tend to present fewer stability risks, and Microsoft has not officially confirmed any details about 25H2 or its update process for versions 23H2 and 24H2. Speculation about Windows 12 continues, but its timeline remains uncertain.
Winsage
April 17, 2025
Organizations using Microsoft Intune are facing an issue where a bug has caused unexpected upgrades to Windows 11, despite settings to block such updates. This problem has been acknowledged by Microsoft and has been present since April 12, affecting only devices managed through Intune. Microsoft is working on a resolution and recommends pausing all Windows feature updates via Intune. For devices that have already upgraded to Windows 11, organizations can either adapt to the new system or manually revert to Windows 10, as there is no automated rollback method provided by Microsoft. The manual process involves creating a bootable Windows 10 device and performing a fresh installation.
Winsage
April 11, 2025
Microsoft is testing a change that removes the seconds display from the Calendar flyout in Windows 10, coinciding with the operating system's approaching end-of-support date in October. The update to build 19045.5737 includes bug fixes but strips away the clock feature for some users as part of an A/B testing phase. User reactions on platforms like Reddit indicate frustration over this change, which may be linked to the new Outlook application introduced earlier this year. Restoring the previous functionality requires technical skills in registry editing, and the new design is criticized for providing less information and having a visually unappealing layout. While Windows 11 still supports the seconds display, some Windows 10 users do not have this feature. Microsoft has also released a checklist advising Windows 10 users to consider upgrading their machines.
AppWizard
November 12, 2024
A bug in the beta version 2.24.24.5 of WhatsApp has caused a green screen glitch that affects users, rendering the app inoperable when accessing chats. This issue primarily impacts beta testers and results in a complete transformation of the display into a solid green hue. Reports of the glitch have been shared across online platforms, with some users experiencing additional related issues, such as the app force-closing upon startup. The bug is confined to the beta version, and stable release users are unaffected. A suggested workaround for those impacted is to revert to an earlier app version, although this process can be complicated. WhatsApp's development team is expected to be working on a patch to resolve the issue.
Winsage
October 28, 2024
Recent findings have identified a vulnerability in fully patched Windows 11 systems that allows attackers to install custom rootkits, which can bypass endpoint security and maintain persistence on compromised systems. This vulnerability is linked to a downgrade attack technique demonstrated by SafeBreach researcher Alon Leviev at Black Hat USA 2024, using an exploit tool called Windows Downdate. This tool enables an attacker with administrative access to manipulate the Windows Update process, reverting patched components to vulnerable states. Leviev's demonstration showed that even systems using virtualization-based security (VBS) are at risk, as he could downgrade VBS features and expose previously fixed privilege escalation vulnerabilities. Microsoft has patched two vulnerabilities (CVE-2024-21302 and CVE-2024-38202) but has not addressed the core issue of the downgrade capability. Microsoft maintains that the ability for an admin-level user to gain kernel code execution does not cross a security boundary. Leviev released details of a new downgrade attack on October 26, using the Windows Downdate tool to revive a driver signature enforcement bypass attack. He categorized this flaw as False File Immutability (FFI), exploiting incorrect assumptions about file immutability. He noted that downgrading specific OS modules, like CI.dll, allows exploitation even with VBS enabled. Tim Peck from Securonix highlighted that the attacks exploit Windows' failure to validate DLL version numbers properly, enabling the use of outdated, vulnerable files. Microsoft is actively developing mitigations against these risks, including a security update to revoke outdated VBS system files, although specific measures and timelines are not yet disclosed.
Winsage
October 28, 2024
Microsoft's approach to security vulnerabilities has been criticized for not classifying scenarios where an attacker with administrative privileges can execute kernel-level code as critical vulnerabilities. SafeBreach researchers highlighted that this narrow definition leaves systems vulnerable to custom rootkits that can bypass essential security controls. They identified CVE-2024-21302, a privilege escalation vulnerability affecting the Windows virtualization stack, and CVE-2024-38202, which allows attackers to exploit the Windows Update process to disable security features like Driver Signature Enforcement and virtualization-based security. Microsoft is actively developing mitigations for these vulnerabilities and has released a security update for CVE-2024-38202 on October 15, with further updates planned for CVE-2024-21302.
Winsage
October 28, 2024
Cybersecurity experts have discovered a method that allows cybercriminals to bypass Windows security features, specifically Driver Signature Enforcement (DSE), enabling the installation of rootkits on fully updated systems. Alon Leviev from SafeBreach reported that the exploit involves downgrading specific Windows kernel components, making Windows 11 devices particularly vulnerable. Although Microsoft was notified, no fix has been implemented, as the company stated the vulnerability does not breach a "security boundary" since administrator access is required for exploitation. Leviev presented this vulnerability at the Black Hat and DEF CON 2024 conferences, introducing a tool called Windows Downdate that can reactivate previously patched vulnerabilities. He demonstrated downgrading components on Windows 11 to bypass DSE and install rootkits that disable security software. A key part of his attack involved replacing the ci.dll file with an unpatched version, which requires a system restart and disguises the action as a routine update. Leviev also showed methods to disable Virtualization-Based Security (VBS) by modifying settings and files. Microsoft is working on a solution to block outdated system files and prevent downgrade attacks, but the timeline for this fix is uncertain due to the need for thorough testing. Leviev advises organizations to remain vigilant against downgrade attacks until a resolution is available.
Winsage
October 28, 2024
A newly identified attack technique poses a risk to fully patched Windows systems by circumventing Microsoft's Driver Signature Enforcement (DSE), potentially enabling operating system downgrade attacks that allow malicious actors to load unsigned kernel drivers. This vulnerability is linked to two privilege escalation flaws in the Windows update mechanism, identified as CVE-2024-21302 and CVE-2024-38202, which can be exploited to revert updated systems to earlier versions with unpatched security weaknesses. A tool called Windows Downdate can hijack the Windows Update process, facilitating undetectable downgrades of critical OS components. The exploit takes advantage of a race condition to replace a verified security catalog file with a malicious version, allowing the loading of an unsigned kernel driver. The DSE bypass can be executed by downgrading the "ci.dll" library, but can be thwarted if Virtualization-Based Security (VBS) is active on the host. Attackers can disable VBS by manipulating registry keys, and the attack fails only if VBS is enabled with a UEFI lock and a "Mandatory" flag, which prevents booting if VBS files are corrupted. Microsoft has addressed the vulnerabilities in August and October 2024.
Winsage
October 26, 2024
SafeBreach security researcher Alon Leviev has identified a vulnerability in the Windows operating system that allows attackers to downgrade kernel components, bypassing security measures like Driver Signature Enforcement (DSE). This vulnerability enables the installation of rootkits on fully patched systems. Leviev demonstrated that attackers can manipulate the Windows Update process to introduce outdated components without altering the system's patched status. He introduced a tool called Windows Downdate, which allows the creation of custom downgrades, exposing updated systems to previously patched vulnerabilities. Leviev's method, named "ItsNotASecurityBoundary," exploits a flaw in the DSE, allowing unsigned kernel drivers to be loaded and facilitating the deployment of rootkit malware. Despite Microsoft addressing the privilege escalation aspect of this vulnerability, it does not protect against downgrade attacks. Leviev's research shows that attackers can replace the 'ci.dll' file responsible for enforcing DSE with an unpatched version during the Windows Update process, thereby circumventing protections. He also discussed methods to disable Microsoft's Virtualization-based Security (VBS), which is designed to protect critical resources, by modifying registry keys. Leviev emphasizes the need for endpoint security tools to monitor downgrade procedures to mitigate these risks.