bleepingcomputer[.]com/news/microsoft/windows-update-downgrade-attack-unpatches-fully-updated-systems/
safebreach[.]com/blog/downgrade-attacks-using-windows-updates/
I think the security researcher's explanation [lower link] is actually interesting, using regular language without all the tech jargon. Microsoft isn't aware of this attack being used in the wild, but when they made that statement it hadn't been published yet -- it's guaranteed there are people working on it right now to see if it's worth pursuing. [Over?] simplified, Windows Update relies on a script to update/swap files when you restart Windows. Turns out that script can be edited to swap out pretty much any files you choose, and Windows Update can be triggered to run it. The end result is that you can undo fixes that Microsoft has released for well-known vulnerabilities, and the whole thing is undetectable -- unless you start comparing individual file versions there's no way to tell.
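
The file-version comparison mentioned above, sketched in PowerShell as an added example that is not part of the original post or of either linked article. The function names and the baseline file location are assumptions made for illustration; it records the version resource of system binaries once, then reports any file whose version is lower on a later run.

```powershell
# Added example: snapshot binary versions, then flag files whose version went DOWN.
function Get-FileVersionSnapshot {
    param(
        [string]$Root = "$env:SystemRoot\System32",
        [string[]]$Include = @('*.dll', '*.exe', '*.sys')
    )
    Get-ChildItem -Path $Root -Include $Include -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Use the numeric fields of the version resource; the FileVersion
            # string can contain free text and does not always parse.
            [pscustomobject]@{
                Path    = $_.FullName
                Version = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                               $vi.FileBuildPart, $vi.FilePrivatePart
            }
        }
}

function Compare-FileVersionSnapshot {
    param(
        [Parameter(Mandatory)] [object[]]$Baseline,
        [Parameter(Mandatory)] [object[]]$Current
    )
    # Index the baseline by path (PowerShell hashtable keys are case-insensitive).
    $old = @{}
    foreach ($b in $Baseline) { $old[$b.Path] = [version]$b.Version }

    foreach ($c in $Current) {
        $now = [version]$c.Version
        if ($old.ContainsKey($c.Path) -and $now -lt $old[$c.Path]) {
            [pscustomobject]@{
                Path            = $c.Path
                BaselineVersion = $old[$c.Path]
                CurrentVersion  = $now
            }
        }
    }
}

# Hypothetical baseline location; keep the real one off the host being checked.
$baselineFile = Join-Path $env:ProgramData 'filever-baseline.csv'
if (-not (Test-Path $baselineFile)) {
    Get-FileVersionSnapshot | Export-Csv -Path $baselineFile -NoTypeInformation
} else {
    Compare-FileVersionSnapshot -Baseline (Import-Csv $baselineFile) -Current (Get-FileVersionSnapshot)
}
```

Any row it prints is a file that is older than it was when the baseline was taken; a deliberate update rollback produces the same result, so each hit still needs to be checked against what was intentionally changed.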