A flaw targeting Windows Update could rollback versions of the operating system so it's easier to attack, according to Microsoft.
Microsoft revealed the critical vulnerability in its September "Patch Tuesday" update, but it's a similar style of attack spotted by a researcher last month.
In August, SafeBreach security researcher Alon Leviev revealed a "downgrade" attack. Leviev was able to rollback Windows to a previous state, leaving it vulnerable to an exploit that had since been patched.
The flaw would allow attackers to undo patches on that version of the OS, leaving computers unprotected for known vulnerabilities Internet Explorer 11, Windows Media Player, and more — making it easier for hackers to attack.
Microsoft said that this specific flaw has not been seen in use in the wild, meaning it was patched before hackers managed to make use of the vulnerability.
"This specific vulnerability impacted the Windows update system in a way that security patches for some components were rolled back to a vulnerable state and will have remained in a vulnerable state since March 2024," Kevin Breen, Senior Director Threat Research at Immersive Labs, said to Help Net Security.
"Some of these components were known to be exploited in the wild in the past, meaning attackers could still exploit them despite Windows update saying it is fully patched," Breen added.
What you need to know about the Windows 10 flaw
Thankfully, this vulnerability only appears to impact specific versions of Windows 10 — so if you've upgraded to Windows 11, this doesn't affect you or your users. The impacted versions of Windows 10 (version 1507) reached end of life in 2017, though there are enterprise editions that are still supported, Microsoft noted.
"Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015)," the company said in a statement
"This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10… systems that have installed the Windows security update released on March 12, 2024 (KB5035858 OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability."
To fix the servicing stack flaw in affected versions of Windows 10, admins or users simply need to install the September 2024 Servicing stack update followed by the September 2024 Windows security update. Microsoft notes the updates must be run in that order.
Adam Barnett, lead software engineer at Rapid7, added that the flaw has a high severity rating, but stressed that only limited versions of Windows were impacted.
"Also, Microsoft notes that while at least some of the accidentally unpatched vulnerabilities were known to be exploited, they haven’t seen in-the-wild exploitation of [the flaw] itself, and the defect was discovered by Microsoft," he said.
"All in all, while there are certainly more than a few organisations out there still running Windows 10 1507, most admins can breathe a sigh of relief on this one, and then go back to worrying about everything else."
Downgrading protections
Barnett noted that the flaw sounded "eerily similar" to the flaw that Leviev unveiled at the Black Hat and DefCon security conferences last month, but added there was "not obviously any substantial connection between the two." Perhaps, he suggested, Microsoft is simply looking for similar flaws.
Indeed, at the time, Leviev called for increased awareness of downgrade attacks, saying he saw no existing mitigations from Microsoft, though the company issued patches immediately. Leviev also noted that other OS makers should be aware of this style of attack.
"I found several vulnerabilities that I used to develop Windows Downdate — a tool to take over the Windows Update process to craft fully undetectable, invisible, persistent, and irreversible downgrades on critical OS components — that allowed me to elevate privileges and bypass security features," Leviev said in a blog post at the time.
"As a result, I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term “fully patched” meaningless on any Windows machine in the world."
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Microsoft justifies 365 price increases after MP concernsNews Microsoft’s UK VP of external affairs has defended the tech giant's price increases
-
Microsoft is ending support for the Remote Desktop app – here are three alternatives you can try insteadNews Microsoft has announced plans to end support for its Remote Desktop application in just over two months.
-
GitHub just launched a new free tier for its Copilot coding assistant – but only for a select group of developersNews Limited access to GitHub Copilot in VS Code is now available free of charge
-
Recall arrives for Intel and AMD devices after months of controversyNews Microsoft's Recall feature is now available in preview for customers using AMD and Intel devices.
-
Everything you need to know about the Microsoft outageNews After a day of chaos, the worst of the Microsoft outage appears to have passed, but some problems still remain
-
With one year to go until Windows 10 end of life, here’s what businesses should do to prepareNews IT teams need to migrate soon or risk a plethora of security and sustainability issues
-
Microsoft is doubling down on Widows Recall, adding new security and privacy features – will this help woo hesitant enterprise users?
News The controversial AI-powered snapshotting tool can be uninstalled, Microsoft says
-
Microsoft pulls Windows update after botched patch causes blue screens, reboot loopsNews Microsoft has pulled a Windows 11 update ahead of next week's Patch Tuesday after encountering a raft of issues
