
Cybersecurity researchers have discovered a new Windows downgrade technique that bypasses Driver Signature Enforcement (DSE) on fully updated systems. With DSE out of the way, an attacker who already holds administrative privileges can load unsigned kernel drivers, install rootkits and hide further malicious activity.
The downgrade method, developed by SafeBreach researcher Alon Leviev, uses his Windows Downdate tool to abuse the Windows Update process and roll back critical OS components to older versions that still contain already-patched vulnerabilities. For example, rolling back the Code Integrity component reintroduces the "ItsNotASecurityBoundary" DSE bypass, which lets an attacker load unsigned drivers into the kernel. From there the attacker can defeat the system's core protections, hide processes and network activity, and maintain a persistent, hidden presence on the machine, while Windows Update continues to report the system as fully patched.
Downgrade attacks revert software to earlier, unpatched versions in order to reintroduce vulnerabilities that have already been fixed. The technique is not new: the BlackLotus UEFI bootkit replaced the Windows Boot Manager with an older, vulnerable build to bypass Secure Boot and gain low-level access. Windows Downdate goes further, allowing attackers to disable Virtualization-Based Security (VBS), which normally isolates code-integrity enforcement from a compromised kernel, even when the VBS UEFI lock is enabled.
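Because a downgraded machine still reports itself as fully updated, the practical check is to look at the binaries themselves rather than at Windows Update status. The following PowerShell is an added example, not code from the article or from SafeBreach's Windows Downdate tool. It compares the file version of DSE-related binaries against the running kernel and reads the VBS state from WMI; the list of target files is an assumption for this check (ci.dll is the Code Integrity module that implements DSE), and the exact components a given downgrade touches may differ.

```powershell
# Added example (not from the article or from SafeBreach's Windows Downdate tool).
# Components shipped in the same cumulative update as the kernel carry the same
# build.revision, so a component whose version is lower than ntoskrnl.exe's is a
# candidate for having been rolled back. Run from an elevated prompt.

$kernel = (Get-Item "$env:SystemRoot\System32\ntoskrnl.exe").VersionInfo

# Assumed list of files worth checking: ci.dll implements Driver Signature
# Enforcement, securekernel.exe is the VBS secure kernel.
$targets = @(
    "$env:SystemRoot\System32\ci.dll",
    "$env:SystemRoot\System32\securekernel.exe",
    "$env:SystemRoot\System32\ntoskrnl.exe"
)

$report = foreach ($path in $targets) {
    $vi  = (Get-Item $path).VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $path
    # FileVersionRaw is a [System.Version] built from the binary's numeric fields,
    # so it compares correctly; FileVersion is a display string and may carry text.
    [pscustomobject]@{
        File            = Split-Path $path -Leaf
        Version         = $vi.FileVersionRaw
        Signature       = $sig.Status        # Valid / NotSigned / HashMismatch ...
        OlderThanKernel = $vi.FileVersionRaw -lt $kernel.FileVersionRaw
    }
}
$report | Format-Table -AutoSize

# VBS state: VirtualizationBasedSecurityStatus 2 = running; SecurityServicesRunning
# containing 2 means HVCI (hypervisor-enforced code integrity) is active.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
[pscustomobject]@{
    VbsStatus    = $dg.VirtualizationBasedSecurityStatus
    HvciRunning  = ($dg.SecurityServicesRunning -contains 2)
}

# Anything with OlderThanKernel = True, or a VBS/HVCI state that differs from the
# configured policy, warrants pulling the file for comparison against the version
# the installed cumulative update should have delivered.
```

A version mismatch is a signal, not proof: a component can legitimately lag the kernel when it was not touched by the latest update. The useful property of this check is that it does not trust the update client's own view of patch level, which is exactly what the downgrade leaves intact.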