Updated August 28 with release of unpatched Windows Downdate exploit.
Don’t you just hate it when that happens. You accidentally hit publish, then delete, then realize nothing is ever really deleted online. And you watch as people post and write about the mistake, just to make it all worse. Well that’s what just happened with Microsoft’s seemingly bizarre revelation of a new and much improved Windows update—but only for the less than 30% of you that have shifted to Windows 11.
As Windows Latest explains,“a Windows PC needs to reboot after installing an update… but Microsoft has been trying to change that with ‘hotpatching’. Recently, Microsoft published a support document related to the feature and then removed it.”
This revelation comes courtesy of a post on X, with Phantomofearth spotting the mistake before it was erased. Fortunately, the web archive shows a draft document with the somewhat telltale headline “Hotpatch for Windows (Ge) - 2024.08 B.” The rest of the document is just a boilerplate on how to create a support doc, bizarrely.
The manner of all this is surprising, but we already knew hotpatching was on the way, removing the need for constant reboots after every update and ensuring that security fixes are faster and more seamless. Hotpatching, Microsoft says, “works by patching the in-memory code of running processes without the need to restart the process.”
Read More: Telegram’s Unique Appeal—Here’s One Reason Users Swarm To The App
In the current era of regular zero-days, this is a major improvement. Forbes’ contributor Davey Winder reported on the flurry of Windows Patch Tuesday patches just this month, with “fixes for a total of 90 vulnerabilities across… Of these, the Microsoft Security Response Center warns that five Windows vulnerabilities have confirmed and active cyber attacks against them already.”
Reboots are one of the (many) Windows bugbears. As PCWorld puts it, “it’s been the routine for decades now, basically for as long as Windows updates have been around. We hate it because it interrupts our workflows and forces us to start over, often at the most inconvenient times.” Hopefully that could all be about to change. Albeit not for the 70% of Windows users yet to move across to Windows 11, of course.
This won’t remove rebooting entirely, it seems certain that regular reboots will still be required and that hotpatching will be just interim or point fixing. The best info we seem to have so far is that a reboot will be required for every third update, with two hotpatches in between. It does present a neat option for urgent fixes, though.
ForbesNew Google Chrome Deadline—21 Days To Update Or Delete Your BrowserBy Zak Doffman
Windows Central reported in February that “Microsoft intends to use hot patching on Windows 11 to deliver monthly security updates without requiring the user to restart. However, this doesn't mean you won't be required to restart for a pending update ever again. Hot patching relies on a baseline update that requires a reboot every few months. This means in an ideal world, only four monthly security updates will require a reboot a year, those being in January, April, July, and October.”
“Ge” in the deleted doc refers to Germanium, itself the code for Windows 11 24H2 “We may see a republishing of the support document in the future,” Windows Latest says, which it notes has already featured in Inside rebuilds, and which “the Redmond giant appears to be implementing with the upcoming 24H2 version update.”
It’s been a tricky few months for Windows, and the latest Recall headlines won’t help, as that particular privacy nightmare comes back to life. But the more alarming news for Windows users will be the release of the Downdate tool—an as yet unpatched vulnerability that allows an attacker to roll back a Windows install such that the system becomes vulnerable to previously patched vulnerabilities.
As the developer Alon Leviev explained when he previewed the tool for Black Hat USA 2024, “downgrade attacks—also known as version-rollback attacks—are a type of attack designed to revert an immune, fully up-to-date software back to an older version. They allow malicious actors to expose and exploit previously fixed/patched vulnerabilities to compromise systems and gain unauthorized access.”
Leviev’s findings were shocking to say the least: “I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term ‘fully patched’ meaningless on any Windows machine in the world.”
MORE FROMFORBES ADVISOR
Microsoft says it was “notified that an elevation of privilege vulnerability exists in Windows Update, potentially enabling an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS). However, an attacker attempting to exploit this vulnerability requires additional interaction by a privileged user to be successful.”
With the tool now live—and for the time being not yet fully patched, it’s critical that any concerned users—especially enterprises—are aware of Microsoft’s advisory:
- Configure “Audit Object Access” settings to monitor attempts to access files, such as handle creation, read / write operations, or modifications to security descriptors.
- Audit File System - Windows 10 | Microsoft Learn
- Apply a basic audit policy on a file or folder - Windows 10 | Microsoft Learn
- Audit users with permission to perform Update and Restore operations to ensure only the appropriate users can perform these operations.
- Audit: Audit the use of Backup and Restore privilege (Windows 10) - Windows 10 | Microsoft Learn
- Implement an Access Control List or Discretionary Access Control Lists to restrict the access or modification of Update files and perform Restore operations to appropriate users, for example administrators only.
- Access Control overview | Microsoft Learn
- Discretionary Access Control Lists (DACL)
- Auditing sensitive privileges used to identify access, modification, or replacement of Update related files could help indicate attempts to exploit this vulnerability.
- Audit Sensitive Privilege Use - Windows 10 | Microsoft Learn
ForbesGoogle Play Store App Deletion—Now Just 5 Days AwayBy Zak Doffman
Microsoft says that while it is working on “a security update that will mitigate this vulnerability… it is not yet available.” The company also says it is “not aware of any attempts to exploit this vulnerability,” but warns that the “presentation regarding this vulnerability hosted at BlackHat on August 7… may change the threat landscape.”
All of which yet again reinforces the need for current support. This matters because Microsoft is still battling to push the other 70% of Windows users who can’t (given hardware limitations) or won’t (preferring Windows 10) to upgrade. With little more than a year to run before Windows 10 is end of life, the flurry of recent threats should terrify anyone without ongoing security support.
