Bashing Windows Bugs, Take 2: Microsoft Rolls Back Nixed Fixes
Rollback Reintroduces Previously Fixed Flaws on Some Windows 10 Devices
Mathew J. Schwartz (@euroinfosec) •
September 11, 2024
Microsoft has patched three zero-day vulnerabilities that are being exploited in the wild as part of its monthly September update. But the most notable fix addresses an earlier update that caused some Windows 10 machines to roll back security fixes.
The rollback vulnerability only affects the Windows 10 Enterprise 2015 LTSB and IoT Enterprise 2015 LTSB editions. LTSB, short for “Long-Term Servicing Branch,” is a variant of Windows intended for specialized environments where the required features and functionality must not change, such as some types of medical systems, including MRI and CAT scanners, as well as operational technology such as industrial process controllers and air traffic control systems.
“These devices share the characteristics of embedded systems: They are often purpose-built and developed, tested and validated before use,” Microsoft said. “They are treated as a whole system and therefore, are often ‘upgraded’ by building and validating a new system, decommissioning an old device, and replacing it with a new, validated one.”
The computing giant is tracking the flaw as CVE-2024-43491. The vulnerability likely exists on any computer running version 1507 of Windows 10, but Microsoft stopped supporting other editions of that version, such as Home and Enterprise, in June 2017.
Windows components whose security fixes were rolled back include Active Directory Lightweight Directory Services, Internet Explorer 11, Windows Fax and Scan and Windows Media Player, among others.
“All later versions of Windows 10 are not affected by this vulnerability,” Microsoft said, adding that some of the previously fixed vulnerabilities in those components had already been exploited by attackers.
To fix the vulnerability, affected users need to first install this month’s servicing stack update, SSU KB5043936, and then this month’s Windows security update, in that order, Microsoft said.
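For administrators who want to check where a machine stands before applying the two updates in the order above, here is an added PowerShell check (not from the article or from Microsoft). It assumes that Windows 10 version 1507 reports OS build 10240, that the LTSB edition can be recognized from the OS caption, and that the SSU KB5043936 appears in the Get-HotFix inventory once installed.

```powershell
# Added example (not from the article or Microsoft): report whether this host is a
# Windows 10 version 1507 LTSB system and whether SSU KB5043936 is already installed.
# Assumptions: version 1507 corresponds to OS build 10240; the LTSB edition is
# identified from the OS caption; KB5043936 is listed by Get-HotFix once applied.
function Get-Cve202443491Status {
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $is1507 = ($build -eq 10240)
    $isLtsb = ($os.Caption -match 'LTSB')

    # Get-HotFix reads the installed-update inventory; a missing KB returns nothing.
    $ssu = Get-HotFix -Id 'KB5043936' -ErrorAction SilentlyContinue
    $ssuInstalled = [bool]$ssu

    $status = if (-not $is1507) {
        'Not Windows 10 version 1507: not in scope for CVE-2024-43491'
    } elseif (-not $isLtsb) {
        'Windows 10 1507 but not an LTSB edition: out of support since 2017'
    } elseif ($ssuInstalled) {
        'In scope; SSU KB5043936 present, verify the September security update is also installed'
    } else {
        'In scope; SSU KB5043936 missing, install it before the September security update'
    }

    [pscustomobject]@{
        Caption      = $os.Caption
        Build        = $build
        Is1507       = $is1507
        IsLtsb       = $isLtsb
        SsuInstalled = $ssuInstalled
        Status       = $status
    }
}

Get-Cve202443491Status | Format-List
```

Run it on each LTSB host (or via remoting) and treat any “SSU missing” result as a host where the second update must not be applied first.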
Security firm Rapid7 said that while this vulnerability is not good news, the likelihood of attackers exploiting it appears to be low. “Microsoft recognizes that while at least some of the unpatched vulnerabilities were known to have been exploited, they have not seen in-the-wild exploitation of CVE-2024-43491 itself, and the flaw was discovered by Microsoft,” it said.
“In general, although there are many organizations that are still working on Windows 10 1507, many admins can take a breath on this, and then go back to worrying about everything else,” the company said.
Patched: 3 Actively Exploited Zero-Days
In total, the latest Patch Tuesday release shipped fixes for 79 vulnerabilities, including three zero-days and seven critical vulnerabilities in SharePoint, Windows Network Address Translation and other OS components that attackers could use to execute code remotely and take full control of a vulnerable system.
Here are the three zero-day vulnerabilities disclosed by Microsoft on Tuesday, all of which are being exploited in the wild:
Windows Installer Escalation of Privilege Vulnerability
Microsoft hasn’t explained how this flaw, tracked as CVE-2024-38014, works, other than to say it’s easy to exploit and doesn’t require user interaction. “An attacker who successfully exploited this vulnerability could gain ‘system’ privileges,” it said. By default, that would give them full access to any file stored on the system. Microsoft said the vulnerability also affects Windows 11, version 24H2, which is not scheduled for general availability until later this year but is already installed on new Copilot+ devices. “Customers with these devices need to be aware of any vulnerabilities affecting their devices and install updates if they are not receiving automatic updates,” it said.
Windows Mark of the Web Security Feature Bypass Vulnerability
Joe Desimone of Elastic Security Labs discovered and reported this vulnerability, CVE-2024-38217, to Microsoft. In an Aug. 6 blog post, he said the vulnerability relates to the way Windows handles .lnk files, which attackers can use to bypass Windows Smart App Control and SmartScreen, both of which are designed to block malicious files and apps.
He named the vulnerability “LNK stomping” and said, “We’ve found several examples on VirusTotal that demonstrate the bug, which shows exploitation in the wild,” including malicious files crafted to exploit it. The oldest sample file created to exploit the bug dates from February 2018, meaning “this has been abused for a very long time,” Rapid7 said.
Microsoft Publisher Security Features Bypass Vulnerability
An attacker exploiting CVE-2024-38226 could bypass Microsoft Office security measures designed to “override Office macro policies used to block untrusted or malicious files,” Microsoft said.
“An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website that could lead to a local attack on the victim’s computer,” it said.
Microsoft said the attack cannot be launched automatically from the Windows preview pane and has given the vulnerability a CVSS rating of 7.3, or “critical,” because it requires social engineering.
Updates From Ivanti and Adobe
Adobe on Tuesday released its batch of patches for the month, addressing 28 vulnerabilities across different products. The updates cover Adobe’s Photoshop, Illustrator, Premiere Pro, After Effects, Acrobat Reader, Audition, Media Encoder and ColdFusion software. The vendor said it is not aware of any of the flaws being exploited in the wild.
Also on Tuesday, Ivanti said it has patched flaws in its Endpoint Manager, aka EPM, 2024 and 2022 SU6, including vulnerabilities that attackers could use to gain unauthorized access to EPM’s primary server. The company has also shipped updates to address six critical vulnerabilities in Ivanti Workspace Control.
Ivanti also identified one critical vulnerability in its Cloud Service Appliance version 4.6. That version of CSA has reached end of life; it was not due to receive patches after August and probably won’t get another security update.
“Customers must upgrade to Ivanti CSA 5.0 for continued support,” the vendor said. “CSA 5.0 is the only supported version and does not contain this vulnerability. Customers already using Ivanti CSA 5.0 do not need to take any action.”
“We have no evidence that this vulnerability is being exploited in the wild,” Ivanti said.
The company said that many of the vulnerabilities were discovered due to increased levels of internal code review. “In recent months, we have strengthened our internal audit capabilities, manuals and tests, and improved our reporting process so that we can quickly find and resolve issues that may exist,” it said. “This has led to an increase in discovery and disclosure, and we agree with CISA’s statement that responsible discovery and disclosure of CVEs is a ‘sign of a healthy code review and analysis community.’”