Microsoft’s Hotpatching Leak and New Security Risks

Microsoft’s Accidental Leak Reveals New Hotpatching Feature for Windows 11

It’s frustrating when you accidentally publish something online, delete it, and then realize nothing is ever truly erased. This is precisely what happened to Microsoft, which accidentally revealed a new Windows update feature, hotpatching, before pulling the page. The catch is that the feature is only available to less than 30% of Windows 11 users.

The Hotpatching Feature

As reported by Windows Latest, Microsoft is working on a solution called “hotpatching” to avoid the need for restarts after updates. Although details were posted and quickly removed, a draft document with the headline “Hotpatch for Windows (Ge) – 2024.08 B” was captured by the web archive. The document, however, only included a generic template.

Hotpatching updates the in-memory code of running processes, so a security fix takes effect without the affected process, or the machine, being restarted. That matters because the window between a fix shipping and a fix actually being active on a machine is exactly what attackers exploiting zero-day vulnerabilities rely on. Forbes contributor Davey Winder highlighted the size of this month’s Windows Patch Tuesday, which addressed 90 vulnerabilities, five of them confirmed to be under active attack.

Impact on Windows Users

Reboots have long been a major annoyance for Windows users. PCWorld notes that reboots have disrupted workflows for decades. Hotpatching aims to reduce reboot frequency but won’t eliminate it entirely: monthly security updates are delivered as hotpatches that take effect without a restart, but every third update is a baseline update that still requires a reboot, with two hotpatches in between. In practice that means a reboot every few months rather than every month.

The term “Ge” in the deleted document refers to Germanium, the code name for Windows 11 24H2. This feature has already appeared in Insider builds and seems to be part of the upcoming update.

The Downdate Tool and Security Concerns

A related concern is the release of Windows Downdate, a tool that demonstrates a downgrade attack against Windows Update. It rolls back components of a fully patched Windows installation to older versions, reintroducing vulnerabilities that had already been fixed, while the system still reports itself as up to date. Security researcher Alon Leviev presented it at Black Hat USA 2024, showing how such downgrade attacks can expose fully patched systems to thousands of past issues.

Microsoft has acknowledged an elevation of privilege vulnerability in the Windows Update stack (CVE-2024-38202) that could allow an attacker with only basic user privileges to reintroduce previously mitigated vulnerabilities. At the time of writing Microsoft is working on a security update, but none is yet available, which is why the guidance below is about detection and access control rather than a patch.

Recommendations for Users

Microsoft advises users, and enterprises in particular, to configure “Audit Object Access” settings so that attempts to access update-related files (handle creation, reads and writes, changes to security descriptors) are logged, to apply the basic audit policies that make those events appear in the Security log, and to use Access Control Lists (ACLs) to restrict who can modify backup files and perform Windows Update and restore operations. Auditing the use of sensitive privileges, such as the backup and restore privileges, alongside access to update-related files gives defenders a way to spot attempts to exploit this vulnerability before a fix ships.
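One way to put those three recommendations into practice on a single machine, as an added PowerShell example that is not from the article or from Microsoft’s advisory. The directories it audits, the use of `Everyone` as the audited principal, the `BUILTIN\Users` deny rule and the 24-hour lookback window are all illustrative assumptions chosen for this example, not a list Microsoft publishes; adjust them to the paths and principals that matter in your environment, and test the ACL change in a lab first, because servicing directories are normally owned by TrustedInstaller.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article or from Microsoft's advisory.
# ASSUMPTION: these are illustrative update/restore-related locations, not an official list.
$UpdateRelatedPaths = @(
    "$env:SystemRoot\WinSxS",
    "$env:SystemRoot\servicing",
    "$env:SystemRoot\SoftwareDistribution"
)

# 1. Basic audit policy: turn on the subcategories that produce file-access
#    events (4656/4663) and sensitive-privilege-use events (4673). The names
#    are the English subcategory names listed by `auditpol /list /subcategory:*`.
function Enable-UpdateAuditPolicy {
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable | Out-Null
    auditpol /get /category:"Object Access","Privilege Use"
}

# 2. "Audit Object Access" only fires for objects that carry a SACL. Add an
#    audit rule for writes, deletes and security-descriptor changes, inherited
#    by everything below each path.
function Add-UpdateFileAudit {
    param([Parameter(Mandatory)][string[]]$Path)
    $rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    foreach ($p in $Path) {
        $acl = Get-Acl -Path $p -Audit      # -Audit reads the SACL, needs SeSecurityPrivilege
        $acl.AddAuditRule($rule)
        Set-Acl -Path $p -AclObject $acl
    }
}

# 3. ACL hardening: deny ordinary users write/delete on a path. Deny entries
#    win over allow entries, so this blocks a standard user even if a broader
#    allow rule is inherited. ASSUMPTION: BUILTIN\Users is the right principal here.
function Add-UpdateFileDenyRule {
    param([Parameter(Mandatory)][string]$Path)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Users',
        [System.Security.AccessControl.FileSystemRights]'Write, Delete',
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($deny)
    Set-Acl -Path $Path -AclObject $acl
}

# Flatten an event's EventData into a hashtable keyed by field name.
function ConvertTo-EventFields([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# 4. Detection: pull recent file-access events under the watched paths and
#    any use of the backup/restore/take-ownership privileges, which a rollback
#    of protected files would need. Baseline SYSTEM/TrustedInstaller activity
#    from normal servicing before alerting on the rest.
function Get-UpdateAuditEvent {
    param([string[]]$PathPrefix = $UpdateRelatedPaths, [int]$Hours = 24)
    $start = (Get-Date).AddHours(-$Hours)
    $filter = @{ LogName = 'Security'; Id = 4656, 4663, 4673; StartTime = $start }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $f = ConvertTo-EventFields $_
        $obj  = $f['ObjectName']
        $priv = $f['PrivilegeList']
        $onWatchedPath = $obj -and ($PathPrefix | Where-Object { $obj -like "$_*" })
        $sensitivePriv = $priv -match 'SeBackupPrivilege|SeRestorePrivilege|SeTakeOwnershipPrivilege'
        if ($onWatchedPath -or $sensitivePriv) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                User      = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
                Process   = $f['ProcessName']
                Object    = $obj
                Privilege = $priv
            }
        }
    }
}

# Usage (elevated): enable the policy, SACL the watched paths, then review activity.
Enable-UpdateAuditPolicy
Add-UpdateFileAudit -Path $UpdateRelatedPaths
Get-UpdateAuditEvent -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

The deny rule is deliberately not applied in the usage lines: a blanket deny on servicing directories can break legitimate updates, so apply `Add-UpdateFileDenyRule` only to paths you have confirmed are not written by the servicing stack. Expect 4663 events from SYSTEM and TrustedInstaller during a normal Patch Tuesday; the signal to chase is the same events, or SeBackupPrivilege/SeRestorePrivilege use, from an interactive user or an unexpected process.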

The current situation underscores the importance of ongoing support, particularly as Microsoft pushes users to upgrade before Windows 10 reaches its end of life in October 2025.