Microsoft recently made public a critical zero-day vulnerability that rolled back previously applied patches on Windows 10, re-exposing systems to old flaws. The vulnerability, tracked as CVE-2024-43491, was highlighted during September’s Patch Tuesday with a CVSS rating of 9.8, making it a significant threat. Exploitation does not require any user interaction and allows remote code execution. The Windows product team at Microsoft was credited with the discovery of the flaw, which affects the servicing stack component of the Windows operating system.
In a security advisory released by Microsoft, it was revealed that CVE-2024-43491 has been labeled as “exploited” and has the potential to roll back fixes for older vulnerabilities affecting optional components in Windows 10 systems. Despite the severity of this vulnerability, Microsoft mentioned that they have not observed any exploitation of CVE-2024-43491 in the wild, leading to some confusion among users. However, the company cautioned that attackers could exploit known Windows 10 vulnerabilities that were patched between March and August, some of which had previously been exploited in the wild.
Addressing the confusion surrounding CVE-2024-43491, vulnerability management vendor Tenable provided an explanation in a blog post. Tenable clarified that although the vulnerability has been labeled as exploited in the wild, Microsoft has not detected direct exploitation of CVE-2024-43491; the label instead stems from observed rollbacks of related Optional Components on Windows 10. This prompted Microsoft to set the exploitability index assessment for the vulnerability to ‘Exploitation Detected.’
Satnam Narang, a senior staff research engineer at Tenable, highlighted the danger posed by the servicing stack vulnerability, which left organizations exposed to previously patched flaws until the recent release. He emphasized the importance of organizations applying both the servicing stack update and the Windows security updates promptly to mitigate the risk of exploitation by cybercriminals, including ransomware groups.
It remains unclear when the Windows product team became aware of CVE-2024-43491 and whether any Windows 10 users have been affected by the rollbacks caused by this vulnerability. Microsoft has been contacted for comment, but has not provided direct answers to these questions.
To address CVE-2024-43491, Microsoft advised users to install the September 2024 servicing stack update, particularly for Windows 10 version 1507, which reached end of support in 2017 for certain editions. Additionally, customers were warned that there is no way to prevent previously mitigated vulnerabilities from rolling back, except by applying the servicing stack update.
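The advice above boils down to a verifiable state on each Windows 10 host: the September 2024 servicing stack update and the accompanying security update must both be present. The following PowerShell script is an added example written for this page, not code from the article or from Microsoft; it checks the OS build, looks up the required KB identifiers among installed updates, and lists enabled optional components so that affected hosts can be scoped. The KB identifiers in it are placeholders that must be replaced with the ones Microsoft's advisory lists for your Windows 10 version and edition; the build number 10240 for version 1507 and the cmdlets used are real.

```powershell
# Added example (not from the article or from Microsoft): verify that a Windows 10 host
# carries the servicing stack update (SSU) and the cumulative security update that the
# article says Microsoft advised installing for CVE-2024-43491.
# The KB identifiers below are PLACEHOLDERS; substitute the ones from Microsoft's advisory
# for your Windows 10 version and edition.
$RequiredUpdates = [ordered]@{
    'Servicing stack update (SSU)' = 'KB<SSU-PLACEHOLDER>'
    'Security update (LCU)'        = 'KB<LCU-PLACEHOLDER>'
}

# Windows 10 version 1507 is OS build 10240; the UBR registry value gives the revision.
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
$ubr   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
Write-Host "OS: $($os.Caption) build $build.$ubr"
if ($build -ne 10240) {
    Write-Warning "This host is not Windows 10 version 1507; check the advisory for the KBs that apply to build $build."
}

# Get-HotFix reads Win32_QuickFixEngineering, which lists updates installed through the
# servicing stack by their HotFixID (a 'KB' followed by digits).
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$missing = @()
foreach ($entry in $RequiredUpdates.GetEnumerator()) {
    if ($installed -contains $entry.Value) {
        Write-Host "[OK]      $($entry.Key): $($entry.Value) is installed"
    } else {
        Write-Host "[MISSING] $($entry.Key): $($entry.Value) is not installed"
        $missing += $entry.Value
    }
}

# The rollback affected Optional Components, so record which ones are enabled here to
# help prioritise hosts. This call needs an elevated session.
Write-Host "Enabled optional components:"
Get-WindowsOptionalFeature -Online |
    Where-Object State -eq 'Enabled' |
    Select-Object -ExpandProperty FeatureName |
    ForEach-Object { Write-Host "  $_" }

if ($missing.Count -gt 0) {
    Write-Warning "Missing: $($missing -join ', '). Without the SSU, previously fixed vulnerabilities can roll back; install it together with the security update."
    exit 1
}
Write-Host "Both required updates are present."
exit 0
```

Run it in an elevated PowerShell session on each Windows 10 host, or wrap it in your configuration management tool and treat a non-zero exit code as a finding. If an update installed very recently does not yet appear in Get-HotFix, cross-check the Windows Update history before concluding it is missing.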
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-43491 to its Known Exploited Vulnerabilities catalog, mandating federal agencies to address the vulnerability by October 1st. This highlights the urgency of addressing this critical zero-day vulnerability to ensure the security of Windows 10 systems.