Microsoft patches rollback flaw in Windows 10
September's Patch Tuesday fixes a Windows 10 servicing stack flaw that rolled back security patches, similar in style to a "downgrade" attack first demonstrated in August
A flaw in Windows Update could roll back parts of the operating system to an older, vulnerable state, making systems easier to attack, according to Microsoft.
Microsoft disclosed the critical vulnerability in its September "Patch Tuesday" update; it resembles a style of attack demonstrated by a researcher last month.
In August, SafeBreach security researcher Alon Leviev revealed a "downgrade" attack. Leviev was able to roll back Windows components to a previous state, leaving the system vulnerable to exploits that had since been patched.
The newly patched flaw undid fixes on the affected version of the OS, leaving computers exposed to known vulnerabilities in Internet Explorer 11, Windows Media Player and other optional components, making them easier for attackers to compromise.
Microsoft said that this specific flaw has not been seen in use in the wild, meaning it was patched before hackers managed to make use of the vulnerability.
"This specific vulnerability impacted the Windows update system in a way that security patches for some components were rolled back to a vulnerable state and will have remained in a vulnerable state since March 2024," Kevin Breen, Senior Director Threat Research at Immersive Labs, said to Help Net Security.
"Some of these components were known to be exploited in the wild in the past, meaning attackers could still exploit them despite Windows update saying it is fully patched," Breen added.
What you need to know about the Windows 10 flaw
Thankfully, this vulnerability only appears to affect specific versions of Windows 10, so if you've upgraded to Windows 11 it doesn't affect you or your users. The impacted version of Windows 10 (version 1507) reached end of life in 2017, though some enterprise editions of it are still supported, Microsoft noted.
"Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015)," the company said in a statement.
"This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10… systems that have installed the Windows security update released on March 12, 2024 (KB5035858 OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability."
To fix the servicing stack flaw on affected versions of Windows 10, admins or users need to install the September 2024 servicing stack update (SSU) followed by the September 2024 Windows security update. Microsoft notes the updates must be installed in that order.
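Because, as Breen notes above, Windows Update can report a rolled-back 1507 host as fully patched, a fleet check should key off the OS build number rather than the update client's status. The PowerShell below is an added example and is not code from the article or from Microsoft: it classifies a host as affected when it is Windows 10 version 1507 (build 10240) with a build revision at or above 10240.20526 (the March 12, 2024 update, KB5035858, named in the article) and below the September 2024 revision, and it installs the two September packages in the order Microsoft requires. The September build revision and the two .msu file paths are assumptions the operator supplies from Microsoft's KB article; the function names are hypothetical.

```powershell
# Added example: not the article's or Microsoft's code. Function names are hypothetical.
# Classifies the local host against the window the article describes for Windows 10
# version 1507 (build 10240): affected from 10240.20526 (March 2024 update, KB5035858)
# up to, but not including, the September 2024 update.
function Get-ServicingStackRollbackState {
    [CmdletBinding()]
    param(
        # Build revision (UBR) of the September 2024 update for 1507.
        # ASSUMPTION: the operator takes this from Microsoft's KB article;
        # the article above does not state the number.
        [Parameter(Mandatory)] [int] $FixedUbr
    )

    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ver   = Get-ItemProperty -Path $key
    $build = [int] $ver.CurrentBuildNumber
    $ubr   = [int] $ver.UBR
    $firstAffectedUbr = 20526   # 10240.20526 = March 12, 2024 update, per the article

    # Get-HotFix lists installed cumulative updates; the March 2024 update named in
    # the article is a secondary sign that the host entered the affected window.
    $marchLcuPresent = [bool] (Get-HotFix -Id 'KB5035858' -ErrorAction SilentlyContinue)

    $state = if ($build -ne 10240) {
        'NotImpacted'    # not Windows 10 1507; later versions are not affected
    } elseif ($ubr -ge $FixedUbr) {
        'Fixed'          # September 2024 SSU and security update already applied
    } elseif ($ubr -ge $firstAffectedUbr) {
        'Affected'       # March through August 2024 updates: optional-component fixes rolled back
    } else {
        'PreMarch2024'   # older than the rollback window, but missing all 2024 patches
    }

    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        OSBuild           = "$build.$ubr"
        MarchLcuInstalled = $marchLcuPresent
        State             = $state
    }
}

# Applies the fix in the order Microsoft requires: servicing stack update first,
# then the cumulative security update.
# ASSUMPTION: both .msu files were downloaded by the operator beforehand.
function Install-ServicingStackRollbackFix {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SsuMsuPath,   # September 2024 SSU .msu
        [Parameter(Mandatory)] [string] $LcuMsuPath    # September 2024 security update .msu
    )

    foreach ($path in @($SsuMsuPath, $LcuMsuPath)) {
        if (-not (Test-Path -Path $path)) { throw "Update package not found: $path" }
    }

    # Order matters: Microsoft says the SSU must be installed before the security update,
    # so the array is deliberately ordered SSU first.
    foreach ($path in @($SsuMsuPath, $LcuMsuPath)) {
        Write-Verbose "Installing $path"
        Add-WindowsPackage -Online -PackagePath $path -NoRestart | Out-Null
    }
    Write-Warning 'Both packages installed; a reboot is required to complete servicing.'
}

# Usage (run elevated on the host, or wrap in Invoke-Command for a fleet):
#   $s = Get-ServicingStackRollbackState -FixedUbr <UBR from the September KB article>
#   if ($s.State -eq 'Affected') {
#       Install-ServicingStackRollbackFix -SsuMsuPath .\ssu-sept-2024.msu -LcuMsuPath .\lcu-sept-2024.msu
#   }
```

The state value, not Windows Update's own "fully patched" status, is what to report in inventory: a host in the `Affected` state has the March through August 2024 updates installed yet is exposed to the previously fixed optional-component vulnerabilities the article describes.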
Adam Barnett, lead software engineer at Rapid7, added that the flaw has a high severity rating, but stressed that only limited versions of Windows were impacted.
"Also, Microsoft notes that while at least some of the accidentally unpatched vulnerabilities were known to be exploited, they haven’t seen in-the-wild exploitation of [the flaw] itself, and the defect was discovered by Microsoft," he said.
"All in all, while there are certainly more than a few organisations out there still running Windows 10 1507, most admins can breathe a sigh of relief on this one, and then go back to worrying about everything else."
Downgrading protections
Barnett noted that the flaw sounded "eerily similar" to the flaw that Leviev unveiled at the Black Hat and DefCon security conferences last month, but added there was "not obviously any substantial connection between the two." Perhaps, he suggested, Microsoft is simply looking for similar flaws.
Indeed, at the time, Leviev called for increased awareness of downgrade attacks, saying he saw no existing mitigations from Microsoft, though the company issued patches immediately. Leviev also noted that other OS makers should be aware of this style of attack.
"I found several vulnerabilities that I used to develop Windows Downdate — a tool to take over the Windows Update process to craft fully undetectable, invisible, persistent, and irreversible downgrades on critical OS components — that allowed me to elevate privileges and bypass security features," Leviev said in a blog post at the time.
"As a result, I was able to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term “fully patched” meaningless on any Windows machine in the world."
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.
