
Microsoft Says Windows Update Zero-Day Being Exploited to Undo Security Fixes

Patch Tuesday: Microsoft raises an alarm for in-the-wild exploitation of a critical flaw in Windows Update.

Windows Downgrade Attack

Microsoft on Tuesday raised an alarm for in-the-wild exploitation of a critical flaw in Windows Update, warning that attackers are rolling back security fixes on certain versions of its flagship operating system.

The Windows flaw, tagged as CVE-2024-43491 and marked as actively exploited, is rated critical and carries a CVSS severity score of 9.8/10.

Microsoft did not provide any information on public exploitation or release IOCs (indicators of compromise) or other data to help defenders hunt for signs of infections. The company said the issue was reported anonymously.

Redmond’s documentation of the bug suggests a downgrade-type attack similar to the ‘Windows Downdate’ issue discussed at this year’s Black Hat conference.

From the Microsoft bulletin:

“Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). 

This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024—KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability.”

Microsoft instructed affected Windows users to install this month’s Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order.
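A defender rolling this guidance out across a fleet wants a quick way to tell which hosts are in scope and which still lack the two updates. The following PowerShell triage check is an added example, not from the article or from Microsoft; it uses only the facts quoted above (Windows 10 version 1507 is OS build 10240, the March 2024 update KB5035858 is build 10240.20526, the fix is SSU KB5043936 followed by KB5043083) and assumes that Get-HotFix lists both KB IDs once they are installed, which is not guaranteed for servicing stack updates.

```powershell
# Added example (not from the SecurityWeek article or Microsoft tooling):
# triage a local Windows host for exposure to the CVE-2024-43491 rollback.
# Facts used: Windows 10 1507 = build 10240; March 2024 update = 10240.20526;
# required fixes = SSU KB5043936 then LCU KB5043083 (from the article).
# Assumption: Get-HotFix reports both KB IDs after installation.
function Test-Cve202443491Exposure {
    [CmdletBinding()]
    param(
        # KB IDs from Microsoft's September 2024 guidance as quoted in the article.
        [string[]]$RequiredUpdates = @('KB5043936', 'KB5043083')
    )

    # CurrentBuild and UBR (update build revision) together form "OS Build X.Y".
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild   # 10240 on Windows 10 version 1507
    $ubr   = [int]$cv.UBR            # 20526 after the March 2024 update

    # Installed updates as reported by Win32_QuickFixEngineering.
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $missing   = @($RequiredUpdates | Where-Object { $installed -notcontains $_ })

    $inScope = ($build -eq 10240)
    # Exposed window per the bulletin: 1507 hosts that installed the March 2024
    # update (or later, through August 2024) and have not yet applied the fix.
    $exposed = $inScope -and ($ubr -ge 20526) -and ($missing.Count -gt 0)

    $note = switch ($true) {
        (-not $inScope) {
            'Not Windows 10 version 1507; the bulletin states later versions are not impacted.'
        }
        ($ubr -lt 20526) {
            'Build predates 10240.20526 (March 2024); outside the described rollback window but still unpatched.'
        }
        ($missing.Count -eq 0) {
            'Both KB5043936 and KB5043083 reported as installed.'
        }
        default {
            # SSUs are not always listed by Get-HotFix; confirm a missing SSU with
            # Get-WindowsPackage -Online (DISM module) before acting on it.
            "Missing: $($missing -join ', '). Install SSU KB5043936 first, then KB5043083."
        }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSBuild        = "$build.$ubr"
        InScope        = $inScope
        Exposed        = $exposed
        MissingUpdates = $missing
        Note           = $note
    }
}

# Usage: run elevated on the host being checked, or wrap in Invoke-Command for a fleet.
Test-Cve202443491Exposure | Format-List
```

The check deliberately reports InScope and Exposed separately: a 1507 host that never took the March 2024 update is not in the rollback window the bulletin describes, but it is still unpatched and should receive the same two updates in the same order.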

The Windows Update vulnerability is one of four different zero-days flagged by Microsoft’s security response team as being actively exploited. 


These include CVE-2024-38226 (security feature bypass in Microsoft Office Publisher); CVE-2024-38217 (security feature bypass in Windows Mark of the Web); and CVE-2024-38014 (an elevation of privilege vulnerability in Windows Installer).

So far this year, Microsoft has acknowledged 21 zero-day attacks exploiting flaws in the Windows ecosystem. 

In all, the September Patch Tuesday rollout provides cover for about 80 security defects in a wide range of products and OS components. Affected products include the Microsoft Office productivity suite, Azure, SQL Server, Windows Admin Center, Remote Desktop Licensing and the Microsoft Streaming Service.

Seven of the 80 bugs are rated critical, Microsoft’s highest severity rating.

Separately, Adobe released patches for at least 28 documented security vulnerabilities in a wide range of products and warned that both Windows and macOS users are exposed to code execution attacks.

The most urgent update, for the widely deployed Acrobat and PDF Reader software, covers two memory corruption vulnerabilities that could be exploited to execute arbitrary code.

The company also pushed out a major Adobe ColdFusion update to fix a critical-severity flaw that exposes businesses to code execution attacks. The flaw, tagged as CVE-2024-41874, carries a CVSS severity score of 9.8/10 and affects all versions of ColdFusion 2023.

Related: Windows Update Flaws Allow Undetectable Downgrade Attacks

Related: Microsoft: Six Windows Zero-Days Being Actively Exploited

Related: Zero-Click Exploit Concerns Drive Urgent Patching of Windows TCP/IP Flaw

Related: Adobe Patches Critical, Code Execution Flaws in Multiple Products

Related: Adobe ColdFusion Flaw Exploited in Attacks on US Gov Agency 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
