Bug Left Some Windows PCs Dangerously Unpatched – Krebs on Security

Microsoft Corp. today released updates to fix at least 79 security vulnerabilities in its Windows operating systems and related software, including many vulnerabilities that are already being used in active attacks. Microsoft also fixed a critical bug that caused some Windows 10 PCs to remain dangerously unprotected against actively exploited vulnerabilities for several months this year.

The most interesting security vulnerability disclosed by Microsoft today has the snappy name of CVE-2024-43491, which Microsoft says is a vulnerability that led to the rollback of fixes for certain vulnerabilities affecting “optional components” on some Windows 10 systems produced in 2015. That includes Windows 10 systems that installed the Windows monthly security update released in March 2024, or other updates released through August 2024.

Satnam Narang, senior staff research engineer at Tenable, said that while the phrase “exploitation detected” in a Microsoft advisory usually means that the flaw is being exploited by hackers, it appears to be labeled that way for CVE-2024-43491 because the rollback of fixes reintroduces vulnerabilities that were previously known to be exploited.

“To fix this issue, users need to apply both the September 2024 Servicing Stack Update and the September 2024 Windows Security Updates,” Narang said.

Kev Breen, executive director of threat research at Immersive Labs, said that the root cause of CVE-2024-43491 is that in certain versions of Windows 10, the build version numbers checked by the update service were not handled correctly in the code.

“The notes from Microsoft say ‘the build version numbers fell into the range that caused the code error’,” Breen said. “The short version is that some versions of Windows 10 with optional components enabled are left in a vulnerable state.”

Zero Day #1 this month is CVE-2024-38226, and it concerns a vulnerability in Microsoft Publisher, a standalone application included in some versions of Microsoft Office. This flaw allows attackers to bypass Microsoft’s “Mark of the Web,” a Windows security feature that marks files downloaded from the Internet as potentially unsafe.

Zero Day #2 is CVE-2024-38217, also a Mark of the Web bypass affecting Office. Both zero-day flaws rely on the target opening a booby-trapped Office file.

Security firm Rapid7 notes that CVE-2024-38217 has been publicly disclosed via an extensive write-up, with exploit code also available on GitHub.

According to Microsoft, CVE-2024-38014, an “elevation of privilege” flaw in Windows Installer, is also being exploited.

June’s Microsoft Patch Tuesday installment was titled “Recall Edition,” because the big news at the time was that Microsoft was facing a barrage of criticism from privacy and security experts over “Recall,” a new artificial intelligence (AI) feature for Redmond’s flagship Copilot+ PCs that constantly takes screenshots of whatever users are doing on their computers.

At the time, Microsoft responded by suggesting that Recall would no longer be enabled by default. But last week, the software giant clarified that what it meant was that the ability to disable Recall was a bug/feature in the preview version of Copilot+ that won’t be available to Windows customers going forward. Translation: New versions of Windows are shipping with Recall deeply embedded in the operating system.

It’s rich that Microsoft, which already collects an absurd amount of information from its customers almost constantly, calls the Recall removal feature a bug, while treating Recall as a desirable feature. Because from where I sit, Recall is a feature that no one asked for that turns Windows into a bug (from a variety of viewpoints).

When Redmond first responded to critics about Recall, they noted that Recall snapshots never leave the user’s system, and that even if attackers were able to hack a Copilot+ PC they would not be able to extract the on-device Recall data.

But that claim didn’t hold up after former Microsoft threat analyst Kevin Beaumont detailed on his blog that any user on the system (even a non-administrator) can retrieve the Recall data, which is simply stored in a local SQLite database.

As is customary on Microsoft Patch Tuesday, Adobe released updates to fix security vulnerabilities in a variety of products, including Reader and Acrobat, After Effects, Premiere Pro, Illustrator, ColdFusion, Adobe Audition, and Photoshop. Adobe says it is not aware of any exploits in the wild for any of the issues addressed in its updates.

Want a more detailed breakdown of the patches released by Microsoft today? See the comprehensive list from the SANS Internet Storm Center. People responsible for managing multiple systems in a business environment would do well to keep an eye on AskWoody.com, which often has the skinny on any wonky Windows patches that might cause problems for some users.

As always, if you run into any issues using this month’s patch batch, consider leaving a note in the comments here about it.

