In its latest Patch Tuesday cumulative update, Microsoft has confirmed an embarassing bug which broke older security patches installed on Windows 10 devices.
The bug is tracked as CVE-2024- 43491, and affects Windows 10 version 1507 – an older version still supported for Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015. It carries an almost maximum severity score – 9.8.
It is a rather strange vulnerability, caused by the way people install older security patches. If a user installs a security update released between March and August 2024, and then applies an update released since March 12, the OS will revert the updated software back to its base Release To Manufacturing (RTM) version. That way, the OS is basically reintroducing all of the security vulnerabilities patched in the meantime.
Patch Tuesday issues
Microsoft said that the following components are affected:
.NET Framework 4.6 Advanced Services \ ASP.NET 4.6 Active Directory Lightweight Directory Services Administrative ToolsInternet Explorer 11 Internet Information Services\World Wide Web Services LPD Print Service Microsoft Message Queue (MSMQ) Server Core MSMQ HTTP Support MultiPoint Connector SMB 1.0/CIFS File Sharing Support Windows Fax and Scan Windows Media Player Work Folders Client XPS Viewer
Since all of the bugs were patched in the past, Microsoft is considering this newest snafu as “exploited in the wild.”
“Starting with the Windows security update released March 12, 2024 – KB5035858 (OS Build 10240.20526), the build version numbers crossed into a range that triggered a code defect in the Windows 10 (version 1507) servicing stack that handles the applicability of optional components,” Microsoft explains.
“As a result, any optional component that was serviced with updates released since March 12, 2024 (KB5035858) was detected as ‘not applicable’ by the servicing stack and was reverted to its RTM version.”
If a user installed a previous security update, the rollback is already in effect, and they should install the September 2024 Servicing Stack Update and Security Update for Windows 10 to address the issue.
Via The Register
More from TechRadar Pro