On Tuesday, Microsoft issued an alarming warning about an actively exploited critical vulnerability (CVE-2024-43491) in Windows Update. This flaw, rated 9.8 out of 10 on the CVSS severity scale, enables attackers to roll back crucial security fixes on certain versions of Windows, leaving affected systems vulnerable to previously mitigated threats.
Key Details of the Flaw
The vulnerability targets the Servicing Stack in specific versions of Windows 10, particularly Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB, which installed the March 12, 2024, Windows security update (KB5035858) or subsequent updates through August 2024. The issue was discovered in the Optional Components on these systems, where security patches were inadvertently rolled back, creating an opening for attackers to exploit vulnerabilities that had already been addressed.
Microsoft compared this flaw to the ‘Windows Downdate’ vulnerability, discussed earlier this year at Black Hat, which involved similar rollback attacks.
Affected Versions and Patch Instructions
The flaw only impacts Windows 10 version 1507 (the initial version released in 2015); later versions of Windows 10 are not affected. Microsoft has urged all users of the impacted versions to immediately install the September 2024 Servicing Stack update (SSU KB5043936), followed by the Windows security update (KB5043083), to close this critical vulnerability.
Other Actively Exploited Zero-Days
In addition to the Windows Update vulnerability, Microsoft flagged three other zero-day vulnerabilities as actively exploited:
- CVE-2024-38226 – Security feature bypass in Microsoft Office Publisher.
- CVE-2024-38217 – Security feature bypass in Windows Mark of the Web.
- CVE-2024-38014 – Elevation of privilege vulnerability in Windows Installer.
With this latest disclosure, Microsoft has reported 21 zero-day attacks in 2024 that have exploited flaws across the Windows ecosystem.
September Patch Tuesday Summary
The September 2024 Patch Tuesday rollout included fixes for 80 security vulnerabilities affecting a wide range of Microsoft products. Seven of these vulnerabilities are rated critical, including those found in products such as Microsoft Office, Azure, SQL Server, Windows Admin Center, Remote Desktop Licensing, and the Microsoft Streaming Service.
Adobe Joins the Patch Rollout
Separately, Adobe released patches addressing 28 security vulnerabilities across its product portfolio. The most critical of these affects Adobe Acrobat and PDF Reader, where two memory corruption vulnerabilities could allow arbitrary code execution. Adobe also issued an important ColdFusion update to address a critical vulnerability (CVE-2024-41874), rated 9.8/10, which leaves businesses at risk of code execution attacks.
What to Do Next
If you're using Windows 10 Enterprise 2015 LTSB or IoT Enterprise 2015 LTSB, it’s essential to install the Servicing Stack update (SSU KB5043936) and the September 2024 Windows security update (KB5043083) immediately. For users of other Microsoft products, reviewing and applying the September Patch Tuesday updates is equally crucial to maintain a secure environment.
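To verify that the remediation above has actually landed on a host, here is an added PowerShell check (example code, not from the article or Microsoft) that reports whether the machine is on build 10240, which is Windows 10 version 1507, and whether both KBs named above are installed; the function name, status strings and the choice of Get-HotFix as the inventory source are my own assumptions.

```powershell
# Added example (not from the article or Microsoft): report whether this host is
# Windows 10 version 1507 (build 10240) and, if so, whether the September 2024
# SSU (KB5043936) and security update (KB5043083) from the article are installed.
# Assumes an elevated PowerShell 5.1 session on the host being checked.
function Test-CVE202443491Remediation {
    [CmdletBinding()]
    param(
        # KB IDs as given in the article; parameterised so they are easy to audit.
        [string]$SsuKb      = 'KB5043936',
        [string]$SecurityKb = 'KB5043083',
        # Build 10240 is Windows 10 version 1507 (the 2015 LTSB / IoT LTSB release).
        [int]$AffectedBuild = 10240
    )

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Any other build is outside the scope of this CVE: report and stop.
    if ($build -ne $AffectedBuild) {
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Caption      = $os.Caption
            Build        = $build
            Status       = 'NotAffected'
        }
    }

    # Get-HotFix reads Win32_QuickFixEngineering; it returns nothing for an
    # update that is not installed, so a null test yields a clean boolean.
    $ssu = Get-HotFix -Id $SsuKb      -ErrorAction SilentlyContinue
    $sec = Get-HotFix -Id $SecurityKb -ErrorAction SilentlyContinue

    # Order matters: the article says the SSU goes on first, then the security update.
    if ($ssu -and $sec)  { $status = 'Remediated' }
    elseif ($ssu)        { $status = 'SsuInstalled-SecurityUpdateMissing' }
    elseif ($sec)        { $status = 'SecurityUpdateInstalled-SsuMissing' }
    else                 { $status = 'Vulnerable-InstallSsuThenSecurityUpdate' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Caption           = $os.Caption
        Build             = $build
        SsuInstalled      = [bool]$ssu
        SecurityInstalled = [bool]$sec
        Status            = $status
    }
}

Test-CVE202443491Remediation | Format-List
```

If Get-HotFix does not list the SSU on a given host, cross-check the package store with `Get-WindowsPackage -Online | Where-Object PackageName -like '*KB5043936*'` before treating it as missing.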
As always, staying up to date with the latest patches is one of the most effective ways to protect your systems from vulnerabilities like these.