HADESS
Cyber Security Magic

Windows Downdate: Downgrade Attacks Using Windows Updates and Beyond EBook


Windows Downdate, as described in the ebook, turns the Windows Update process itself into a downgrade mechanism: critical system components are replaced with older, vulnerable versions, and the result both persists across reboots and stays hidden from the update and integrity checks an administrator would normally trust. The update process applies its changes from an action list, Pending.xml, which tells the servicing stack which files to replace and with what. The attacker crafts a malicious action list that swaps specific files for older, vulnerable versions. This is possible because the registry entry that tells the system where Pending.xml lives is not protected by TrustedInstaller, so an attacker who already has administrative control can point it at an action list they control and have the trusted update machinery carry out the replacement. To make the downgrade persistent and to keep it hidden, the attacker also patches the action list parser (PoqExec.exe), so that it accepts the tampered list, and the system integrity checker (SFC.exe), so that it no longer detects or repairs the replaced files. The result is a system that reports itself as fully up to date while running components whose vulnerabilities have already been fixed and publicly documented, which makes those fixed vulnerabilities exploitable again. The attack shows that an operating system needs downgrade protection that does not rely on the servicing stack to police itself, since a mechanism that is trusted to replace system files can be turned against the protections it is meant to enforce.
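As an added example that is not part of the ebook or of the original research tooling, the following read-only PowerShell check looks for the three things the summary names: an action list pointed somewhere it should not be, a Session Manager key that non-TrustedInstaller principals can write, and a patched PoqExec.exe or SFC.exe, and then compares on-disk file versions against a baseline instead of asking Windows Update whether the host is patched. It assumes that the PoqExec command line is stored in a REG_MULTI_SZ value named PoqexecCmdline under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and that the legitimate action list lives in %SystemRoot%\WinSxS\pending.xml; neither detail is stated on this page. The version baseline is constructed and must be replaced with values captured from a known-good host of the same build.

```powershell
# Added example, not from the ebook or from the Windows Downdate research tooling:
# a read-only host check for the conditions the summary above describes.
# Assumptions (not stated on the page): the PoqExec command line is stored in the
# REG_MULTI_SZ value 'PoqexecCmdline' under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the legitimate action
# list is %SystemRoot%\WinSxS\pending.xml. Run from an elevated PowerShell prompt.

function Test-DowndateIndicators {
    param(
        # Constructed baseline: minimum acceptable file versions captured from a
        # known-good, fully patched host of the same build. The values below are
        # placeholders, not real update versions; replace them with your own.
        [hashtable]$Baseline = @{
            "$env:SystemRoot\System32\ntoskrnl.exe" = [version]'10.0.22621.1'
            "$env:SystemRoot\System32\ci.dll"       = [version]'10.0.22621.1'
        }
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

    # 1. Where does the servicing stack think the action list is? A path outside
    #    WinSxS means someone has redirected PoqExec to their own Pending.xml.
    $cmdline = (Get-ItemProperty -Path $smKey -Name PoqexecCmdline -ErrorAction SilentlyContinue).PoqexecCmdline
    if ($cmdline) {
        $joined = $cmdline -join ' '
        if ($joined -notmatch '(?i)\\WinSxS\\pending\.xml') {
            $findings.Add("ALERT: PoqexecCmdline points outside WinSxS: $joined")
        } else {
            $findings.Add("INFO: PoqexecCmdline present (pending servicing operation): $joined")
        }
    }

    # 2. Who may write that value? This is the gap the research describes: the key is
    #    not guarded by TrustedInstaller, so any principal with SetValue here can
    #    redirect the next update's action list. Reported as INFO rather than ALERT
    #    because on stock Windows the local Administrators group holds this right.
    $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
    foreach ($ace in (Get-Acl -Path $smKey).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.RegistryRights -band $setValue) -ne 0) -and
            $ace.IdentityReference.Value -notmatch 'TrustedInstaller|NT AUTHORITY\\SYSTEM') {
            $findings.Add("INFO: $($ace.IdentityReference.Value) can set values under Session Manager")
        }
    }

    # 3. Have the parser and the integrity checker been patched? A modified binary no
    #    longer carries a valid Microsoft Authenticode signature.
    foreach ($bin in "$env:SystemRoot\System32\poqexec.exe", "$env:SystemRoot\System32\sfc.exe") {
        $sig = Get-AuthenticodeSignature -FilePath $bin
        if ($sig.Status -ne 'Valid') {
            $findings.Add("ALERT: $bin signature status is $($sig.Status)")
        }
    }

    # 4. Compare on-disk versions with the baseline. Do not rely on Get-HotFix, the
    #    Windows Update UI or 'sfc /verifyonly' here: a downgraded host still reports
    #    itself fully patched, and sfc.exe is one of the binaries the attack modifies.
    foreach ($path in $Baseline.Keys) {
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        $onDisk = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        if ($onDisk -lt $Baseline[$path]) {
            $findings.Add("ALERT: $path is $onDisk, below baseline $($Baseline[$path])")
        }
    }

    return $findings
}

Test-DowndateIndicators | ForEach-Object { Write-Output $_ }
```

Two caveats apply when running this on a suspect host. An attacker who already has administrative control can tamper with the script, its baseline, or the signature-verification libraries it calls, so the baseline should be kept off the host and the versions it reports should be cross-checked from trusted media or a remote collector. And the version comparison only catches components you have baselined; extend the hashtable with every binary your patch level depends on rather than the two placeholders shown.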
