In the latest cumulative Patch Tuesday update, Microsoft has confirmed a nasty bug that was preventing older security patches from working on Windows 10 devices.
The bug is tracked as CVE-2024-43491 and affects Windows 10 version 1507, an older version that is still supported for Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015. Its severity is near maximum: 9.8.
It’s a rather strange vulnerability, caused by the way people install older security patches. If a user installs a security update released between March and August 2024, and then applies an update released since March 12, the operating system will revert the updated software to the Release To Manufacturing (RTM) base version. In doing so, the operating system essentially reintroduces all the security vulnerabilities that were patched in the meantime.
Patch Tuesday Issues
According to Microsoft, the following components are affected:
.NET Framework 4.6 Advanced Services ASP.NET 4.6
Active Directory Lightweight Directory Services
Administrative tools
Internet Explorer 11
Internet Information ServicesWorld Wide Web Services
LPD printing service
Microsoft Message Queue (MSMQ) Server Core
MSMQ HTTP Support
MultiPoint connector
Support for SMB 1.0/CIFS file sharing
Windows Fax and Scan
Windows Media Player
Workbooks Client
XPS viewer
Since all bugs have been patched in the past, Microsoft considers this latest flaw as “exploited in the wild.”
“Starting with the March 12, 2024, Windows security update — KB5035858 (OS Build 10240.20526) — the build version numbers exceeded a range that caused a code defect in the Windows 10 (version 1507) servicing stack that handles the applicability of optional components,” Microsoft explained.
“As a result, any optional component serviced with updates released since March 12, 2024 (KB5035858) was detected as ‘not applicable’ by the servicing stack and downgraded to the RTM version.”
If a user has installed a previous security update, the rollback is already in effect and the user should install the September 2024 Windows 10 Servicing Stack Update and Security Update to resolve the issue.
Via The register