Microsoft: Zero-day vulnerability rolled back previous patches
On Patch Tuesday, Microsoft addresses a critical zero-day vulnerability that reversed previous fixes for older vulnerabilities and put Windows 10 systems at risk.
Microsoft disclosed a critical zero-day vulnerability that rolled back previous patches for Windows 10 and exposed systems to old flaws.
In September's Patch Tuesday, Microsoft warned users of a critical servicing stack vulnerability, tracked as CVE-2024-43491, that received a CVSS rating of 9.8. Exploitation requires no user interaction and allows for remote code execution. Microsoft credited the Windows product team for discovery.
CVE-2024-43491 affects the servicing stack component of the Windows operating system, which enterprise customers use to install updates. In a security advisory Tuesday, Microsoft labeled the zero-day flaw as "exploited" and said CVE-2024-43491 rolled back fixes on Windows 10 systems for older vulnerabilities affecting optional components in the OS.
However, Microsoft later stated in the advisory that it has not observed CVE-2024-43491 exploitation in the wild, which apparently caused some confusion. The company warned that the flaw lets attackers exploit known Windows 10 vulnerabilities that were patched between March and August, and that some of those flaws had been previously exploited in the wild.
"This CVE documents the rollback of fixes that addressed vulnerabilities which affected some Optional Components for Windows 10 (version 1507). Some of these CVEs were known to be exploited, but no exploitation of CVE-2024-43491 itself has been detected," Microsoft wrote in the advisory. "In addition, the Windows product team at Microsoft discovered this issue, and we have seen no evidence that it is publicly known."
Vulnerability management vendor Tenable addressed the confusion around CVE-2024-43491 and offered an explanation in a blog post published on Tuesday.
"While this CVE has been labeled as exploited in-the-wild, confusingly Microsoft states that there is no evidence of direct exploitation of CVE-2024-43491, rather through observed rollbacks of CVEs related to Optional Components for Windows 10 (version 1507). Because some of these rolled back CVEs have been observed to have been exploited, this prompted Microsoft to apply the exploitability index assessment for this vulnerability as 'Exploitation Detected,'" Tenable wrote in the blog post.
Satnam Narang, senior staff research engineer at Tenable, told TechTarget Editorial that the issue is that the servicing stack vulnerability has left organizations vulnerable to the previously patched flaws up until this month's release. He urged organizations to apply both the servicing stack update and the Windows security updates immediately.
"The danger lies in the fact that previously known and exploited flaws that are often associated with targeted attacks end up being utilized by a broader set of cybercriminals, including ransomware groups and their affiliates," Narang said. "The downstream effect of known vulnerabilities is that they provide a reliable attack path for attackers seeking to capitalize on delays in patching. In this instance, organizations that are diligent in patching in a timely manner were also left vulnerable."
It's unclear when the Windows product team discovered CVE-2024-43491 or if any Windows 10 users have been affected by the rollbacks. TechTarget Editorial contacted Microsoft for comment; the company responded, but did not address questions directly.
Microsoft instructed users to install the September 2024 servicing stack update to address CVE-2024-43491. The advisory noted that Windows 10 version 1507 reached end of support in 2017 for devices running the Pro, Home, Enterprise, Education and IoT Enterprise editions.
The advisory also warned that there is nothing customers can do to prevent the previously mitigated vulnerabilities from rolling back besides applying the servicing stack update.
"If you have installed any of the previous security updates released between March and August 2024, the rollbacks of the fixes for CVEs affecting Optional Components have already occurred," the advisory said. "To restore these fixes customers need to install the September 2024 Servicing Stack Update and Security Update for Windows 10."
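A defender's triage check for the remediation described above, added here as an example that is not from the article, Microsoft or Tenable: it flags Windows 10 version 1507 hosts (build 10240), lists updates installed in the March to August 2024 window the advisory names (which, per the advisory, means the rollback has already happened), and compares the servicing stack version against a minimum. The minimum version is a placeholder, since the page gives no version or KB number for the September 2024 Servicing Stack Update; take the real value from the Microsoft advisory.

```powershell
# Added example (not from the article or Microsoft): triage a Windows 10 host for the
# CVE-2024-43491 remediation state described in the advisory. Run in an elevated
# Windows PowerShell 5.1 session.
# $MinimumSsuVersion is a PLACEHOLDER: substitute the September 2024 Servicing Stack
# Update version published in the Microsoft advisory.
$MinimumSsuVersion = [version]'10.0.10240.0'   # PLACEHOLDER, not the real value

function Get-ServicingStackVersion {
    # The Component Based Servicing "Version" key holds one value per installed
    # servicing stack, named by its version string; the highest one is the active stack.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Version'
    $names = (Get-Item $key).GetValueNames() | Where-Object { $_ -match '^\d+(\.\d+){3}$' }
    if (-not $names) { return $null }
    $names | ForEach-Object { [version]$_ } | Sort-Object -Descending | Select-Object -First 1
}

function Test-Cve202443491Exposure {
    $nt    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$nt.CurrentBuild
    # Windows 10 version 1507 is build 10240; the advisory scopes the rollback to it.
    $is1507 = ($build -eq 10240)

    # Per the advisory, any March-August 2024 security update on a 1507 host means the
    # Optional Components fixes have already been rolled back.
    $window = @(Get-HotFix | Where-Object {
        $_.InstalledOn -ge [datetime]'2024-03-01' -and $_.InstalledOn -lt [datetime]'2024-09-01'
    })

    $ssu = Get-ServicingStackVersion
    $ssuCurrent = ($null -ne $ssu) -and ($ssu -ge $MinimumSsuVersion)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Build              = "$build.$($nt.UBR)"
        IsWindows10_1507   = $is1507
        ServicingStack     = $ssu
        MarAug2024Updates  = ($window | Select-Object -ExpandProperty HotFixID) -join ','
        RollbackLikely     = $is1507 -and ($window.Count -gt 0) -and (-not $ssuCurrent)
        Remediated         = $is1507 -and $ssuCurrent
    }
}

Test-Cve202443491Exposure | Format-List
```

Hosts reporting `RollbackLikely = True` need both the September 2024 Servicing Stack Update and the Windows 10 security update, as the advisory states; a 1507 host with no March to August updates was never rolled back but still needs the same pair installed.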
CISA added CVE-2024-43491 to its Known Exploited Vulnerabilities catalog on Tuesday. As a result, federal agencies are required to address the vulnerability by Oct. 1.
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.