A vulnerability to Update Assistant of Windows 10 enables malicious users to run code with SYSTEM privileges.
The elevation of privilege is documented in CVE-2019-1378, where Microsoft explains that an attacker can create a account with full user rights, eventually gaining access to install malware to take control of the device.
"There is a privilege vulnerability in Windows 10 Update Assistant in the way it manages permissions", says Microsoft.
“A locally certified intruder could run malicious code with increased system privileges. After successfully exploiting the vulnerability, the attacker could install programs, view, change, or delete data, create new accounts with full user rights. "
The bug was discovered and reported to Microsoft by Jimmy Bayne and is available in Windows 10 Update Assistant regardless of the version of Windows 10 you have installed.
As mentioned in Bleepingcomputer, some computers start running Windows 10 Update Assistant after the KB4023814 update is installed. However, this update is only for devices running Windows 10 in the 1803 version (April 2018 Update) or something newer and is supposed to prepare the "soil" for it upgrade on Windows 10 version 1903 (May 2019 Update).
On the other hand, devices running Update Assistant on Windows 10 on the 1903 version are also vulnerable to attacks if the update was installed manually.
Microsoft has already released a new version of Update Assistant to resolve the vulnerability and recommends all users to install it as soon as possible. The only way to fix the bug is to manually install this new version, at least until the patch is included in some bug fixes. Of course you should uninstall the older version:
Microsoft says that the flaw has not been publicly disclosed, so there is no release (yet). exploit. Either way, you should update your system.
