Microsoft finally fixes dangerous Windows Update downgrade glitch.
I always advise individuals and organizations to apply the latest security updates from Microsoft as soon as possible. But what if a Windows Update was actually a Windows Downdate and rolled back your operating system environment to a point in time where those security updates had not been installed? Welcome to the very real situation that some Windows 10 users have found themselves exposed to. Thankfully, Microsoft has finally come up with a fix.
What Is CVE-2024-43491 And Why Is It So Dangerous?
The latest set of security fixes, collectively known as Patch Tuesday, have been rolled out by Microsoft. Among them are some particularly dangerous zero-days that can bypass Windows security protections. The most concerning, and highest criticality with a 9.8 out of 10 common vulnerabilities and exposures severity rating, however, could effectively rollback security fixes for certain Windows 10 users, with Microsoft confirming hackers would be able to exploit previously mitigated vulnerabilities even for those users who had installed the March 12 Windows security update and “other updates released until August 2024.”
According to Kev Breen, senior director of threat research at Immersive Labs, some of the Windows components that were left vulnerability by this rolling back of security updates “were known to be exploited in the wild in the past, meaning attackers could still exploit them despite Windows update saying it is fully patched.”
It appears that, on the particular versions of Windows impacted by the zero-day vulnerability, build version numbers checked by the Windows update service were improperly handled in code. Microsoft said that build version numbers crossed into a range that triggered a code defect. “This implies that there was an integer overflow vulnerability,” Breen said, “that meant optional components were detected as Not Applicable and therefore reverted back to their original unpatched versions.”
Which Versions Of Windows 10 Are Affected By CVE-2024-43491?
The pre-authentication remote code execution vulnerability that is CVE-2024-43491 doesn’t impact all versions of Windows 10. For that, we can all be grateful; I think we can all agree. For those who are affected, however, news of a final fix should have come much sooner. Luckily, it’s a relatively small group of users, specifically those with Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have also installed the March 12, 2024 Windows security update. “All in all,” Adam Barnett, lead software engineer at Rapid7, said, “while there are certainly more than a few organizations out there still running Windows 10 1507, most admins can breathe a sigh of relief on this one, and then go back to worrying about everything else.”
Only specific Windows 10 installations are affected by CVE-2024-43491
This doesn’t mean that it shouldn’t be taken very seriously by those who are running the affected Windows 10 versions. Not least, there are special patching instructions that need to be followed. “This servicing stack vulnerability is addressed by installing the September 2024 Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order,” Microsoft said. According to Tyler Reguly, associate director of security research and development at Fortra, “this is one where organizations really need to pay attention to the details to determine if they are impacted and, if they are, they’ll need to pay close attention… it’s critical that the servicing stack update be installed before the Microsoft security update.”