
Microsoft update leak – Good news for 30% of Windows users

Updated on August 28th with the release of the unpatched Windows Downdate exploit.

Isn't it just annoying when something like this happens? You accidentally press “Publish,” then “Delete,” and then realize that nothing is ever really deleted online. And you watch as people post and write about the slip, only to make matters worse. That's exactly what just happened with Microsoft's seemingly bizarre unveiling of a new and much-improved Windows Update – but only for the less than 30% of you who have upgraded to Windows 11.

As Windows Latest explains: “A Windows PC must restart after installing an update… but Microsoft tried to change this with 'hotpatching.' Recently, Microsoft published a support document about this feature and then removed it.”

This revelation is thanks to a post on X where Phantomofearth spotted the document before it was deleted. Thankfully, the web archive shows a draft document with the somewhat telltale heading “Hotpatch for Windows (Ge) – 2024.08 B”. The rest of the document is, oddly enough, just standard instructions on how to create a support document.

The way this came to light is surprising, but we already knew that hotpatching was on the way. It eliminates the need for a reboot after every update and makes security fixes faster and more seamless. Hotpatching, says Microsoft, “works by patching the in-memory code of running processes without requiring the process to be restarted.”

In the current era of regular zero-day attacks, this represents a significant improvement. Forbes' contributor Davey Winder reported on the flood of Windows Patch Tuesday patches this month alone, with “fixes for a total of 90 vulnerabilities in … Of these, there are already confirmed and active cyberattacks on five of them, according to the Microsoft Security Response Center alert.”

Restarts are one of the (many) Windows annoyances. PCWorld puts it this way: “This has been routine for decades, basically since Windows updates were introduced. We hate it because it interrupts our workflows and forces us to start over, often at the most inconvenient times.” Hopefully that will change soon. But of course not for the 70% of Windows users who have not yet upgraded to Windows 11.

This won't eliminate the reboot completely. It seems certain that regular reboots will still be required and that hotpatches will only be a temporary or spot fix. The best information we seem to have so far is that a reboot will be required for every third update, with two hotpatches in between. However, it does represent a nice option for urgent fixes.


Windows Central reported in February that “Microsoft intends to use hot patching on Windows 11 to deliver monthly security updates without requiring the user to reboot. However, this doesn't mean you'll never have to reboot for a pending update again. Hot patching relies on a base update that requires a reboot every few months. This means that in an ideal world, only four monthly security updates per year will require a reboot, and they'll be in January, April, July, and October.”

“Ge” in the deleted document refers to Germanium, the codename for Windows 11 24H2. “We may see a re-release of the support document in the future,” Windows Latest says, adding that it confirms what was already seen in Insider builds and what “the giant from Redmond is apparently implementing with the upcoming version update 24H2.”

It's been a rough few months for Windows, and recent headlines about Recall won't help matters as this particular privacy nightmare comes back to life. But the more alarming news for Windows users may be the release of the Downdate tool, which exploits a still unpatched vulnerability that allows an attacker to roll back a Windows installation in a way that leaves the system exposed to previously patched vulnerabilities.

As developer Alon Leviev explained when previewing the tool for Black Hat USA 2024, “Downgrade attacks – also known as version rollback attacks – are a type of attack that aims to roll back an immunized, fully up-to-date software to an older version. They allow malicious actors to uncover and exploit previously fixed/patched vulnerabilities to compromise systems and gain unauthorized access.”

Leviev's findings were shocking, to say the least: “I was able to make a fully patched Windows machine vulnerable to thousands of past vulnerabilities, so that fixed vulnerabilities became zero-day vulnerabilities and the term 'fully patched' lost its meaning on every Windows machine in the world.”

Microsoft says it has been “notified of an elevation of privilege vulnerability in Windows Update that may allow an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or bypass some features of Virtualization-Based Security (VBS). However, an attacker attempting to exploit this vulnerability would require additional interaction from a privileged user to be successful.”

Since the tool is now live – and not yet fully patched – it is important that all affected users – especially businesses – are aware of Microsoft’s warning:


Microsoft says that while a “security update that mitigates this vulnerability is being worked on… it is not yet available.” The company also says it is “not aware of any attempts to exploit this vulnerability,” but warns that the “presentation on this vulnerability that took place at BlackHat on August 7th… could change the threat landscape.”

All of this underscores once again the need for ongoing security support. This is important because Microsoft is still struggling to convince the other 70% of Windows users, who are unable or unwilling to upgrade due to hardware limitations (or simply prefer Windows 10). With just over a year left until Windows 10's end of life, the spate of recent threats should scare the crap out of anyone without ongoing security support.