Microsoft patches rollback flaw in Windows 10
Patch Tuesday includes protection for a Windows 10 "downgrade" style attack after first being spotted in August
A flaw in Windows Update could roll back versions of the operating system to a state that is easier to attack, according to Microsoft.
Microsoft disclosed the critical vulnerability in its September "Patch Tuesday" update, and it resembles a style of attack demonstrated by a researcher last month.
In August, SafeBreach security researcher Alon Leviev revealed a "downgrade" attack. Leviev was able to roll back Windows to a previous state, leaving it vulnerable to an exploit that had since been patched.
The flaw would allow attackers to undo patches on that version of the OS, leaving computers unprotected against known vulnerabilities in Internet Explorer 11, Windows Media Player, and other components, and making them easier to attack.
Microsoft said that this specific flaw has not been seen in use in the wild, meaning it was patched before hackers managed to make use of the vulnerability.
"This specific vulnerability impacted the Windows update system in a way that security patches for some components were rolled back to a vulnerable state and will have remained in a vulnerable state since March 2024," Kevin Breen, Senior Director of Threat Research at Immersive Labs, told Help Net Security.
"Some of these components were known to be exploited in the wild in the past, meaning attackers could still exploit them despite Windows update saying it is fully patched," Breen added.
What you need to know about the Windows 10 flaw
Thankfully, this vulnerability only appears to impact specific versions of Windows 10 — so if you've upgraded to Windows 11, this doesn't affect you or your users. The impacted versions of Windows 10 (version 1507) reached end of life in 2017, though there are enterprise editions that are still supported, Microsoft noted.
"Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015)," the company said in a statement.
"This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10… systems that have installed the Windows security update released on March 12, 2024 (KB5035858 OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability."
To fix the servicing stack flaw in affected versions of Windows 10, admins or users simply need to install the September 2024 Servicing stack update followed by the September 2024 Windows security update. Microsoft notes the updates must be run in that order.
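As a quick inventory check for the fix procedure above, here is an added PowerShell example (not code from the article or from Microsoft). It assumes the standard CurrentVersion registry values and the Get-HotFix cmdlet are available on the host; because the article gives no build number for the September 2024 fix, it can only flag hosts in the affected window, not confirm that the fix is in place.

```powershell
# Added example, not from the article or Microsoft. Reports whether the local host falls in the
# affected window described above: Windows 10, version 1507 (OS build 10240) at or past KB5035858
# (build 10240.20526, March 12, 2024). A flagged host must be checked by hand for the September
# 2024 Servicing Stack Update followed by the September 2024 security update, in that order.

function Get-WindowsBuildInfo {
    # Well-known registry location for the installed build and update build revision (UBR).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $v = Get-ItemProperty -Path $key
    [pscustomobject]@{
        ProductName  = $v.ProductName
        CurrentBuild = [int]$v.CurrentBuild
        UBR          = [int]$v.UBR
    }
}

function Test-ServicingStackRollbackWindow {
    param([int]$CurrentBuild, [int]$UBR)
    # Microsoft scoped the issue to Windows 10, version 1507; later Windows 10 builds are not affected.
    if ($CurrentBuild -ne 10240) { return $false }
    # KB5035858 is build 10240.20526; that update and later ones through August 2024 carry the rolled-back fixes.
    return ($UBR -ge 20526)
}

$info      = Get-WindowsBuildInfo
$affected  = Test-ServicingStackRollbackWindow -CurrentBuild $info.CurrentBuild -UBR $info.UBR
# Presence of the March 2024 update is a secondary signal; absence does not clear a host on a later build.
$kbPresent = [bool](Get-HotFix -Id 'KB5035858' -ErrorAction SilentlyContinue)

if ($affected) {
    $msg = '{0} build {1}.{2} is in the affected window (KB5035858 present: {3}). Confirm the September 2024 Servicing Stack Update was installed before the September 2024 security update.'
    Write-Output ($msg -f $info.ProductName, $info.CurrentBuild, $info.UBR, $kbPresent)
} else {
    $msg = '{0} build {1}.{2} is outside the Windows 10 1507 affected window.'
    Write-Output ($msg -f $info.ProductName, $info.CurrentBuild, $info.UBR)
}
```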
Adam Barnett, lead software engineer at Rapid7, added that the flaw has a high severity rating, but stressed that only limited versions of Windows were impacted.
"Also, Microsoft notes that while at least some of the accidentally unpatched vulnerabilities were known to be exploited, they haven’t seen in-the-wild exploitation of [the flaw] itself, and the defect was discovered by Microsoft," he said.
"All in all, while there are certainly more than a few organisations out there still running Windows 10 1507, most admins can breathe a sigh of relief on this one, and then go back to worrying about everything else."
Downgrading protections
Barnett noted that the flaw sounded "eerily similar" to the flaw that Leviev unveiled at the Black Hat and DefCon security conferences last month, but added there was "not obviously any substantial connection between the two." Perhaps, he suggested, Microsoft is simply looking for similar flaws.
Indeed, at the time, Leviev called for increased awareness of downgrade attacks, saying he saw no existing mitigations from Microsoft, though the company issued patches immediately. Leviev also noted that other OS makers should be aware of this style of attack.
"I found several vulnerabilities that I used to develop Windows Downdate — a tool to take over the Windows Update process to craft fully undetectable, invisible, persistent, and irreversible downgrades on critical OS components — that allowed me to elevate privileges and bypass security features," Leviev said in a blog post at the time.
"As a result, I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term “fully patched” meaningless on any Windows machine in the world."
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.