Governance & Risk Management , Patch Management

Bashing Windows Bugs, Take 2: Microsoft Restores Nixed Fixes

A Confused Update Process Reinstalled Old, Exploitable Windows 10 Components
Bashing Windows Bugs, Take 2: Microsoft Restores Nixed Fixes
What was old was new again for some users of Windows 10 whose security fixes were accidently rolled back by Microsoft. (Image: Shutterstock)

Microsoft patched three zero-day vulnerabilities already exploited through in-the-wild-attacks in its September monthly dump. But the most important fix cleans up a prior update that inadvertently caused some Windows 10 machines to roll back security updates.

See Also: Stop Putting Off Patching

The rollback vulnerability only affects the Windows 10 Enterprise 2015 LTSB and IoT Enterprise 2015 LTSB editions. LTSB - the acronym stands for "long-term servicing branch" - is a pared-down versions of Windows meant to be used in more specialized types of environments where required features and functionality won't change, such as for some types of medical systems - including MRI and CAT scanners - as well as operating technology equipment such as industrial process controllers and air traffic control systems.

"These devices share characteristics of embedded systems: They are typically designed for a specific purpose and are developed, tested and certified before use," Microsoft said. "They are treated as a whole system and are, therefore, commonly 'upgraded' by building and validating a new system, turning off the old device, and replacing it with the new, certified device."

The computing giant tracks the flaw as CVE-2024-43491. Patch deactivation potentially occurred in any computer running version 1507 of Windows 10, but Microsoft stopped supporting other versions of that Windows edition, such as Home and Enterprise, in May 2017.

Windows components whose updates the flaw removed include Active Directory Lightweight Directory Services, Internet Explorer 11, Windows Fax and Scan, and Windows Media Player, among others.

"All later versions of Windows 10 are not impacted by this vulnerability," Microsoft said, adding that the previous versions of some of the components have been targeted previously by attackers.

To fix the vulnerability, affected users need to first install this month's servicing stack update - SSU KB5043936 - and then this month's Windows security update - in that order, Microsoft said.

Security firm Rapid7 said that while this vulnerability isn't good news, the likelihood that attackers used it seems low. "Microsoft notes that while at least some of the accidentally unpatched vulnerabilities were known to be exploited, they haven't seen in-the-wild exploitation of CVE-2024-43491 itself, and the defect was discovered by Microsoft," it said.

"All in all, while there are certainly more than a few organizations out there still running Windows 10 1507, most admins can breathe a sigh of relief on this one, and then go back to worrying about everything else," the company said.

Patched: 3 Actively Exploited Zero-Days

In total, the operating system giant's latest Patch Tuesday shipped fixes for 79 flaws, including three zero-days and seven critical vulnerabilities in SharePoint, Windows Network Address Translation and other OS features that attackers can exploit to remotely execute code and potentially take full control of a vulnerable system.

Here are the three zero-day vulnerabilities patched Tuesday by Microsoft, which are being actively exploited in the wild:

Windows Installer Escalation of Privilege Vulnerability

Microsoft hasn't detailed how this flaw, tracked as CVE-2024-38014 works, except to say it's easy to exploit and requires no user interaction. "An attacker who successfully exploited this vulnerability could gain 'system' privileges," it said. By default, that would grant them full access to any file stored on the system. Microsoft has also patched this flaw in Windows 11, version 24H2, which isn't set to be released for general availability until later this year, but which already comes installed on new Copilot+ devices. "Customers with these devices need to know about any vulnerabilities that affect their machine and to install the updates if they are not receiving automatic updates," it said.

Windows Mark of the Web Security Feature Bypass Vulnerability

Joe Desimone of Elastic Security Labs discovered and reported this vulnerability, CVE-2024-38217, to Microsoft. In an Aug. 6 blog post, he said the vulnerability ties to how Windows handles .lnk files, which attackers can exploit to bypass Windows Smart App Control and SmartScreen, which are designed to block malicious files and apps.

He dubbed the flaw "LNK stomping" and said, "We identified multiple samples in VirusTotal that exhibit the bug, demonstrating existing in-the-wild usage," which involves malicious files designed to exploit the flaw. The oldest known sample of a file designed to exploit the flaw dates from February 2018, meaning "this has been abused for a very long time indeed," Rapid7 said.

Microsoft Publisher Security Features Bypass Vulnerability

An attacker who exploits the vulnerability tracked as CVE-2024-38226 can bypass Microsoft Office defenses designed to "bypass Office macro policies used to block untrusted or malicious files," Microsoft said.

"An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer," it said

Microsoft said the attack cannot be automatically triggered via the Windows "preview pane," and it gave the vulnerability a CVSS score of 7.3, or "important," because it requires social engineering.

Fixes From Ivanti and Adobe

Adobe on Tuesday released its own batch of patches for the month, addressing 28 vulnerabilities across various products. The updates patch Adobe's Photoshop, Illustrator, Premiere Pro, After Effects, Acrobat Reader, Audition, Media Encoder and ColdFusion software. The vendor said it knows of no active exploitation of any of the flaws.

Also on Tuesday, Ivanti said it's patched flaws in its Endpoint Manager - aka EPM - 2024 and 2022 SU6, including critical vulnerabilities attackers could exploit to gain unauthorized access to the EPM core server. The company also shipped updates to address six high-severity vulnerabilities in Ivanti Workspace Control.

Ivanti also patched a one high-severity vulnerability in its Cloud Service Appliance version 4.6. That version of CSA is at end of life, wasn't due to receive any bug fixes after August and will likely never receive a security update again.

"Customers must upgrade to Ivanti CSA 5.0 for continued support," the vendor said. "CSA 5.0 is the only supported version and does not contain this vulnerability. Customers already running Ivanti CSA 5.0 do not need to take any additional action."

"We have no evidence of these vulnerabilities being exploited in the wild," Ivanti said.

The company said the slew of vulnerability discoveries is partly due to its increased tempo of internal code reviews. "In recent months, we have intensified our internal scanning, manual exploitation and testing capabilities, and have additionally made improvements to our responsible disclosure process so that we can promptly discover and address potential issues," it said. "This has caused a spike in discovery and disclosure, and we agree with CISA's statement that the responsible discovery and disclosure of CVEs is 'a sign of healthy code analysis and testing community.'"


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.eu, you agree to our use of cookies.