Microsoft raised an alarm for in-the-wild exploitation of a critical flaw in Windows Update, warning that attackers are rolling back security fixes on certain versions of its flagship operating system.
The Windows flaw, tagged as CVE-2024-43491 and marked as actively exploited, is rated critical and carries a CVSS severity score of 9.8/10.
Microsoft did not provide any information on public exploitation or release IOCs (indicators of compromise) or other data to help defenders hunt for signs of infections. The company said the issue was reported anonymously.
Redmond’s documentation of the bug suggests a downgrade-type attack similar to the ‘Windows Downdate’ issue discussed at this year’s Black Hat conference.
From the Microsoft bulletin:
“Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015).
This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024—KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability.”
Microsoft instructed affected Windows users to install this month’s Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order.
The Windows Update vulnerability is one of four different zero-days flagged by Microsoft’s security response team as being actively exploited.
These include CVE-2024-38226 (security feature bypass in Microsoft Office Publisher); CVE-2024-38217 (security feature bypass in Windows Mark of the Web; and CVE-2024-38014 (an elevation of privilege vulnerability in Windows Installer).
So far this year, Microsoft has acknowledged 21 zero-day attacks exploiting flaws in the Windows ecosystem.
In all, the September Patch Tuesday rollout provides cover for about 80 security defects in a wide range of products and OS components. Affected products include the Microsoft Office productivity suite, Azure, SQL Server, Windows Admin Center, Remote Desktop Licensing and the Microsoft Streaming Service.
Seven of the 80 bugs are rated critical, Microsoft’s highest severity rating.
Separately, Adobe released patches for at least 28 documented security vulnerabilities in a wide range of products and warned that both Windows and macOS users are exposed to code execution attacks.
The most urgent issue, affecting the widely deployed Acrobat and PDF Reader software, provides cover for two memory corruption vulnerabilities that could be exploited to launch arbitrary code.
The company also pushed out a major Adobe ColdFusion update to fix a critical-severity flaw that exposes businesses to code execution attacks. The flaw, tagged as CVE-2024-41874, carries a CVSS severity score of 9.8/10 and affects all versions of ColdFusion 2023.