In a busy Patch Tuesday update, Microsoft addressed over 70 security vulnerabilities across various products, including Windows, Office, and Azure. However, the company also acknowledged a critical bug in one Windows 10 version that could silently undo previously applied security patches, leaving systems vulnerable to attacks.
“Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015),” the company said in its Patch Tuesday statement.
“This means,” the company added, “that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024—KB5035858 (OS Build 10240.20526) or other updates released until August 2024.”
Microsoft also clarified that all later versions of Windows 10 are unaffected by this vulnerability.
Rated 9.8 out of 10 in severity (CVE-2024-43491), the bug affects devices running Windows 10 version 1507, including Windows 10 Enterprise 2015 LTSB (long-term servicing branch) and Windows 10 IoT Enterprise 2015 LTSB, which are still supported.
The issue stems from a coding error triggered by security updates released between March and August 2024. If such updates were applied on a Windows 10 version 1507 device, subsequent updates or security patches released since March 12th could cause the operating system to revert optional components like Internet Explorer 11, Windows Media Player, and MSMQ server core back to their unpatched versions, leaving them vulnerable.
To resolve this issue, the software major has recommended users install both the September 2024 Servicing Stack Update (KB5043936) and the accompanying Security Update (KB5043083). This process should “prevent further rollbacks” and restore the system’s security.
Users with automatic updates enabled should already have received these fixes, the company said in the statement.
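As an added illustration (not code from the article or from Microsoft), here is a PowerShell check an administrator could run on a Windows 10 version 1507 host to confirm that the two September 2024 updates named above are present. It assumes an elevated session on the host itself and that Get-HotFix reports both KB IDs; if the Servicing Stack Update does not appear there, confirm it in the Windows Update history instead.

```powershell
# Added example for CVE-2024-43491 (not from the article or from Microsoft).
# Assumes: elevated PowerShell on the host being checked; Get-HotFix lists both KB IDs.

$Ssu      = 'KB5043936'   # September 2024 Servicing Stack Update (named in the article)
$Security = 'KB5043083'   # September 2024 Security Update (named in the article)
$Trigger  = 'KB5035858'   # March 12, 2024 update cited in Microsoft's statement

# Windows 10 version 1507 is OS build 10240; later versions are unaffected.
$ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$ver.CurrentBuild
if ($build -ne 10240) {
    Write-Output "OS build $build is not Windows 10 version 1507 (build 10240); CVE-2024-43491 does not apply."
    return
}

$installed  = Get-HotFix | Select-Object -ExpandProperty HotFixID
$hasSsu     = $installed -contains $Ssu
$hasSec     = $installed -contains $Security
$hasTrigger = $installed -contains $Trigger

Write-Output ("OS build 10240.{0}" -f $ver.UBR)
Write-Output "Servicing Stack Update $Ssu installed: $hasSsu"
Write-Output "Security Update $Security installed: $hasSec"

if ($hasSsu -and $hasSec) {
    Write-Output 'Status: remediated (both September 2024 updates are present).'
} elseif ($hasTrigger) {
    # The March-August 2024 updates are the ones that can roll back optional components.
    Write-Output "Status: AT RISK - $Trigger is present without the September 2024 fixes; patched optional components may have been reverted."
} else {
    Write-Output 'Status: September 2024 fixes not detected; install the SSU and then the Security Update via Windows Update.'
}
```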
In a similar bug reported last month, Alon Leviev, a security researcher at SafeBreach, unveiled a technique that lets malicious actors manipulate the Windows Update process to downgrade critical system components, rendering security patches useless. Microsoft, however, said it is “not aware of any attempts to exploit this vulnerability.”
In Patch Tuesday, Microsoft patched 79 bugs, including several critical ones in SQL Server, Microsoft Office SharePoint, Azure Web Apps, Azure Stack, and Dynamics Business Central.
Windows 11 21H2 and 22H2 users face forced updates next month
Meanwhile, in another release update, Microsoft also issued a reminder that support for Windows 11 versions 21H2 and 22H2 for Home, Pro, Pro Education, and Pro for Workstations editions will end on October 8th, 2024.
“Until then, these editions will only receive security updates. They will not receive non-security, preview updates,” Microsoft said in a statement. “To continue receiving security and non-security updates after October 8, 2024, we recommend that you update to the latest version of Windows.”
The company added that users with automatic updates enabled will receive an automatic prompt to upgrade to Windows 11 version 23H2, the latest major update, on the upcoming Patch Tuesday. This update is crucial for maintaining security on your device.