Windows Update Zero-Day Being Exploited To Undo Security Fixes (securityweek.com)
wiredmikey shares a report from SecurityWeek: Microsoft on Tuesday raised an alarm for in-the-wild exploitation of a critical flaw in Windows Update, warning that attackers are rolling back security fixes on certain versions of its flagship operating system. The Windows flaw, tagged as CVE-2024-43491 and marked as actively exploited, is rated critical and carries a CVSS severity score of 9.8/10. Redmond's documentation of the bug suggests a downgrade-type attack similar to the 'Windows Downdate' issue discussed at this year's Black Hat conference. Microsoft's bulletin reads: "Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024 -- KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability."
To protect against this exploit, Microsoft says Windows users should install this month's Servicing stack update (SSU KB5043936) and the September 2024 Windows security update (KB5043083), in that order.
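The summary names exactly two updates (the SSU KB5043936 first, then the September 2024 LCU KB5043083) and the one servicing branch that is affected (Windows 10 version 1507, OS build 10240). The following PowerShell script is an added example, not code from SecurityWeek, Slashdot or Microsoft, that a defender can run on a host to answer the two questions that matter: is this machine on the affected branch at all, and if so, are both updates present? It reads the build number from Win32_OperatingSystem and the UBR value under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion, and relies on Get-HotFix for the installed-update list, which is an assumption worth noting: Get-HotFix does not enumerate every update type, so a "missing" result should be cross-checked against the Windows Update history in Settings before acting on it.

```powershell
# Added example (not from the article or from Microsoft): triage check for CVE-2024-43491.
# Assumptions: the affected branch is OS build 10240 (Windows 10 1507 / 2015 LTSB, as the
# bulletin states) and the remediation is the pair of updates named in the summary.
$RequiredKbs = @('KB5043936', 'KB5043083')   # SSU first, then the September 2024 security update

function Test-Cve202443491Exposure {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    # UBR is the "revision" part of the build, e.g. 10240.20526 in the bulletin's vulnerable example
    $ubr   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR

    $result = [ordered]@{
        OsBuild      = "$build.$ubr"
        OnAffectedBranch = ($build -eq 10240)
        MissingKbs   = @()
        Status       = ''
    }

    if (-not $result.OnAffectedBranch) {
        # Later Windows 10 branches (e.g. 1809 LTSC = 17763, 22H2 = 19045) are not affected
        $result.Status = 'Not on the 1507 (build 10240) branch; CVE-2024-43491 does not apply.'
        return [pscustomobject]$result
    }

    # Caveat (assumption): Get-HotFix only reports updates recorded as QFEs; an SSU or LCU that
    # is installed but not listed here would be a false "missing". Cross-check with update history.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $result.MissingKbs = @($RequiredKbs | Where-Object { $_ -notin $installed })

    if ($result.MissingKbs.Count -eq 0) {
        $result.Status = 'Both KB5043936 (SSU) and KB5043083 are listed as installed.'
    } else {
        $result.Status = 'Affected branch and at least one required update is not listed; ' +
                         'install the SSU KB5043936 before KB5043083.'
    }
    return [pscustomobject]$result
}

Test-Cve202443491Exposure | Format-List
```

Run it in an elevated PowerShell session on the host being checked; the order constraint in the summary (SSU before the security update) is the reason the script reports the SSU separately rather than treating the two KBs as interchangeable.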
Re: (Score:1)
> Thanks Nadella.
And Gates and Ballmer. The Swiss Cheese is a group effort.
It's like diarrhea, it runs in the family.
Re: (Score:1)
As far as I'm concerned....
Well, aren't you just special. Bless your heart.
Re: (Score:1)
Ahhh, thank you so much AC.
Re: (Score:2)
Truth? With no references? The GP is just pissing into the wind.
Re: (Score:3, Informative)
Yes, looks like it. This stuff is getting worse and worse, relative to attacker capabilities. MS really does not have what it takes on the engineering side.
Re: (Score:3)
This means that an attacker could exploit these previously mitigated vulnerabilities ... updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability.
So about 2 weeks ago is still vulnerable, and will roll back 9 years of updates.
Re: (Score:2)
The Pro, Home, Enterprise, Education, and Enterprise IoT versions of Windows 10 that this vulnerability affects went End-of-Support 7 years ago. Very, very few people will still be running it.
Now, Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB editions are still under extended support for 1 more year, but I assume there are now a relatively tiny number of users - and there have been several new LTSB releases since then that users could have moved to.
We have several Windows 10 LTSB m
Re: (Score:2)
No, the versions you listed are immune (they'd be reverted to themselves). Updated systems are all vulnerable to being rolled back to the versions you listed, unless they received this month's update.
Re: (Score:2)
Re: (Score:2)
My reading is that the last vulnerable one is this: "March 12, 2024 -- KB5035858 (OS Build 10240.20526)"
Re: (Score:2)
Right. Major version 10240 is the original 2015 RTM branch of Windows 10. No other major release versions are affected. It says so right in the CVS.
As an example; the final major version of Windows 10 is 19045. It is unaffected, as are all intermediate major versions.
The only active releases still using the 10240 branch are Enterprise 2015 LTSB and IoT Enterprise 2015 LTSB.
So, this bug affects very few people - and it's likely the ones it does affect are corporate customers with embedded systems that are go
Re: (Score:2)
Oh, I see. Microsoft is a bit weird with their OS names/versioning.
I was just confused by his comparison of something that had an update last month to something that had an update a decade ago.
OLD (Score:3)
Re: (Score:2)
Haha, looks like I'm still on build 1809 LTSC. Can't complain as it's supposed to get updates until 2029.
Must be patch Tuesday. (Score:2)
Re: (Score:3)
Linux on the desktop is mostly small annoyances for me.
I installed Salix because it's based on Slackware. It installed cleanly and then I did an update. So then I wanted to install Nvidia drivers to get hardware video decoding. The drivers want kernel sources, no problem, install them from a repo. But it turns out the kernel sources had updated but my kernel itself did not. So the drivers failed to install because of the version mismatch. Finally get that fixed and then want to try out KDE. It installs f
Re: (Score:2)
Using Nvidia video cards in any Linux environment with Nvidia proprietary (not open source) drivers is like playing Russian Roulette with a half-loaded revolver.
You might get screwed up in the experience or you might get another "new & improved" chance to screw yourself up.
You should take Linus' advice regarding Ngreedia video cards on Linux - F**K THEM
Re: (Score:2)
Bleeding edge gives you cuts regardless of OS.
Re: (Score:2)
And yet somehow I have been using NVidia cards with the proprietary driver on Linux for what feels like two decades. One caveat is to know that the hardware you buy is already matured in their driver blob. Bleeding edge gives you cuts regardless of OS.
Very True
Re:I love being Windows Free(tm) (Score:5, Insightful)
Re: (Score:2)
He managed to overcome the problems, he is not a novice user. He just likes to b!tch. To advanced users most Linux distros offer reliability, stability, customizability and a community willing to help with any troubles. Things that IMHO are essential to advanced users, and which Microsoft doesn't offer. For average users who just want to browse the Web, listen to music, play games etc. Windows is still a viable choice, but so are a few Linux distros that cater to these users and strive to offer a user exp
Re: I love being Windows Free(tm) (Score:2)
Your last sentence really caught my eye. Reminded me of … me:
"Well enough that the next time Microsoft pisses me off I will make the switch permanently on my primary machine as well."
I've been saying that for years, but never made the jump. Kind of like putting up with an abusive partner: hoping against hope that they'll mend their ways. If they just changed a little bit they could be so good!
When Apple releases the M4 MacBook Pro I'm going to grab that and
Good old MicroCrap, always messing it up (Score:2, Insightful)
At least some things in this world are reliable.
Why does anyone care about this? (Score:3)
ZOMG! Zero-day exploit, in the first release of Windows 10.
Who on earth is still on that version of 10?
Re: (Score:2)
ZOMG! Zero-day exploit, in the first release of Windows 10.
Who on earth is still on that version of 10?
You never know. You may have an ID ten tee user error going on. You might have some honeypot machines looking to see whom they can trap, or maybe a testing lab that does regression testing. There are several reasons... some legitimate, some not. I've worked with systems in the past that had to use the original installation with no updates... as idiotic as I thought it was. It was some kind of "business decision" and like it or not, I did not have the authority to update the machines.