Another Patch Tuesday, and with it some unpleasant news about a fix. Microsoft has released fixes for more than 70 flaws affecting components across its products, including Windows, Office, Mark of the Web, Azure, Dynamics Business Central, SQL Server, Hyper-V, and the Remote Desktop Licensing Service.
Exploits for three of them are already circulating on the internet. We list them in descending order of CVSS severity:
CVE-2024-38014 – A CVSS 7.8 (out of 10) privilege escalation issue in Windows Installer that could give an attacker full SYSTEM privileges. Discovered by SEC Consult Vulnerability Lab.
CVE-2024-38226 – A CVSS 7.4 security feature bypass in Publisher 2016, Office 2019, and Office 2021. It requires the victim to open a malicious file, but once that happens the attacker can bypass Office's macro defenses.
CVE-2024-38217 – A CVSS 5.4 issue that allows an attacker to bypass Microsoft's Mark of the Web protections.
Then there is CVE-2024-43491, a bug that only affects Windows 10 version 1507, the original release from July 2015.
Although this version reached end of support in 2017 for the Pro, Home, Enterprise, Education, and Enterprise IoT editions, Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 are still supported.
This bug has a CVSS severity rating of 9.8 out of 10 because, as far as we can tell, it causes the operating system to silently roll back previously applied updates and security patches for certain optional components, leaving them exposed to attack.
Which components?
- .NET Framework 4.6 Advanced Services \ ASP.NET 4.6
- Active Directory Lightweight Directory Services
- Administrative Tools
- Internet Explorer 11
- Internet Information Services\World Wide Web Services
- LPD Print Service
- Microsoft Message Queue (MSMQ) Server Core
- MSMQ HTTP Support
- MultiPoint Connector
- SMB 1.0/CIFS File Sharing Support
- Windows Fax and Scan
- Windows Media Player
- Work Folders Client
- XPS Viewer
The cause is a programming error in the servicing stack, triggered by the security updates released between March and August 2024.
It appears that if you install a security update released in that period on Windows 10 version 1507, the operating system gets confused and rolls the affected components back to the original RTM release, leaving your PC unprotected.
Microsoft says:
"Starting with the Windows security update released on March 12, 2024 – KB5035858, build version numbers were crossed which caused a flaw in the servicing stack of Windows 10 (version 1507) that handles the implementation of optional components."
"As a result, any optional component serviced with updates released since March 12, 2024 (KB5035858) was detected as 'not applicable' by the servicing stack and reverted to the RTM release."
So if you installed, for example, the March 2024 update, your operating system has already rolled back previously applied fixes for those components.
The company says:
"If you have installed any of the previous security updates released between March and August 2024, they have already been removed. To roll back these patches, customers must install the Windows 2024 September 10 Servicing Stack Update and Security Update."
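As an added example (not part of the original article or of Microsoft's guidance), a PowerShell check an administrator could run on a Windows 10 host to see whether it is a version 1507 build that received the March 2024 update without the September 2024 fix, and which of the optional components listed above are enabled on it. It assumes that version 1507 is OS build 10240, that the DISM feature names used are the right ones for those components (confirm them against `Get-WindowsOptionalFeature -Online`), and it uses placeholders for the September 2024 KB ids, which the article does not give.

```powershell
# Added example, not from the article or from Microsoft. Run in an elevated PowerShell session.
# Assumptions: Windows 10 version 1507 is OS build 10240; the September 2024 SSU and security
# update KB ids are not named in the article, so they are placeholders to replace.
$SeptemberFixIds = @('KB-SEPT-2024-SSU-PLACEHOLDER', 'KB-SEPT-2024-SECURITY-PLACEHOLDER')

# Optional components named in the article, mapped to the DISM feature names assumed for them.
# "Administrative Tools" has no single DISM feature name and is omitted here.
$AffectedFeatures = @(
    'NetFx4-AdvSrvs', 'IIS-ASPNET45',        # .NET Framework 4.6 Advanced Services / ASP.NET 4.6
    'DirectoryServices-ADAM-Client',         # Active Directory Lightweight Directory Services
    'Internet-Explorer-Optional-amd64',      # Internet Explorer 11
    'IIS-WebServer',                         # Internet Information Services / World Wide Web Services
    'Printing-Foundation-LPDPrintService',   # LPD Print Service
    'MSMQ-Server', 'MSMQ-HTTP',              # MSMQ Server Core, MSMQ HTTP Support
    'MultiPoint-Connector',                  # MultiPoint Connector
    'SMB1Protocol',                          # SMB 1.0/CIFS File Sharing Support
    'FaxServicesClientPackage',              # Windows Fax and Scan
    'WindowsMediaPlayer',                    # Windows Media Player
    'WorkFolders-Client',                    # Work Folders Client
    'Xps-Viewer'                             # XPS Viewer
)

$build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
if ($build -ne 10240) {
    Write-Output "Build $build is not Windows 10 version 1507; CVE-2024-43491 does not apply."
    return
}

# The article names only the March 2024 update (KB5035858); add later 2024 ids from Microsoft's
# release notes. Get-HotFix reads Win32_QuickFixEngineering, which may not list every cumulative
# update, so treat a miss as "check update history manually", not as "safe".
$hotfixes     = Get-HotFix
$marchUpdate  = $hotfixes | Where-Object { $_.HotFixID -eq 'KB5035858' }
$fixInstalled = $hotfixes | Where-Object { $SeptemberFixIds -contains $_.HotFixID }

# Which of the at-risk optional components are actually enabled on this host?
$enabled = Get-WindowsOptionalFeature -Online |
    Where-Object { $AffectedFeatures -contains $_.FeatureName -and $_.State -eq 'Enabled' } |
    Select-Object -ExpandProperty FeatureName

if ($marchUpdate -and -not $fixInstalled) {
    Write-Output 'AT RISK: March 2024 update present, September 2024 SSU and security update missing.'
} elseif ($fixInstalled) {
    Write-Output 'September 2024 SSU and security update found; affected components should be re-serviced.'
} else {
    Write-Output 'KB5035858 not reported by Get-HotFix; verify update history before concluding.'
}
Write-Output "Enabled optional components from the affected list: $($enabled -join ', ')"
```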
They're human; that's okay.