Microsoft: Zero-day vulnerability rolled back previous patches

Microsoft disclosed a critical zero-day vulnerability that rolled back previous patches for Windows 10 and exposed systems to old flaws.

In September's Patch Tuesday, Microsoft warned users of a critical Servicing Stack vulnerability, tracked as CVE-2024-43491, that received a CVSS rating of 9.8. Exploitation requires no user interaction and allows for remote code execution (RCE). Microsoft credited the Windows product team for discovery.

CVE-2024-43491 affects the Servicing Stack component of the Windows operating system, which enterprise customers use to install updates. In a security advisory Tuesday, Microsoft labeled the zero-day flaw as "exploited" and said CVE-2024-43491 rolled back fixes on Windows 10 systems for older vulnerabilities affecting optional components in the OS.

However, Microsoft later stated in the advisory that it has not observed CVE-2024-43491 exploitation in the wild, which apparently caused some confusion. The company warned that the flaw allows attackers to exploit known Windows 10 vulnerabilities that were patched between March and August, and that some of those flaws had been previously exploited in the wild.

"This CVE documents the rollback of fixes that addressed vulnerabilities which affected some Optional Components for Windows 10 (version 1507). Some of these CVEs were known to be exploited, but no exploitation of CVE-2024-43491 itself has been detected," Microsoft wrote in the advisory. "In addition, the Windows product team at Microsoft discovered this issue, and we have seen no evidence that it is publicly known."

Vulnerability management vendor Tenable addressed the confusion around CVE-2024-43491 and offered an explanation in a blog post published on Tuesday.

"While this CVE has been labeled as exploited-in-the-wild, confusingly Microsoft states that there is no evidence of direct exploitation of CVE-2024-43491, rather through observed rollbacks of CVEs related to Original Components for Windows 10 (version 1507). Because some of these rolled back CVEs have been observed to have exploited, this prompted Microsoft to apply the exploitability index assessment for this vulnerability as "Exploitation Detected," Tenable wrote in the blog post.

Satnam Narang, senior staff research engineer at Tenable, told TechTarget Editorial that the issue is that the Servicing Stack vulnerability has left organizations vulnerable to the previously patched flaws up until this month's release. He urged organizations to apply both the Servicing Stack update and the Windows Security Updates immediately.

"The danger lies in the fact that previously known and exploited flaws that are often associated with targeted attacks end up being utilized by a broader set of cybercriminals, including ransomware groups and their affiliates. The downstream effect of known vulnerabilities is that they provide a reliable attack path for attackers seeking to capitalize on delays in patching. In this instance, organizations that are diligent in patching in a timely manner were also left vulnerable," Narang said.

It's unclear when the Windows product team discovered CVE-2024-43491, or if any Windows 10 users have been impacted by the rollbacks. TechTarget Editorial contacted Microsoft for comment but the company had not responded at press time.

Microsoft instructed users to install the September 2024 Servicing Stack update to address CVE-2024-43491. The advisory noted that Windows 10, version 1507 reached end of support in 2017 for devices running the pro, home, enterprise, education and enterprise Internet of Things (IoT) editions.

The advisory also warned that there is nothing customers can do to prevent the previously mitigated vulnerabilities from rolling back besides applying the Servicing Stack update.

"If you have installed any of the previous security updates released between March and August 2024, the rollbacks of the fixes for CVEs affecting Optional Components have already occurred," the advisory said. "To restore these fixes customers need to install the September 2024 Servicing Stack Update and Security Update for Windows 10."

CISA added CVE-2024-43491 to its Known Exploited Vulnerabilities catalog on Tuesday. As a result, federal agencies are required to address the vulnerability by Oct. 1.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.