In its latest cumulative update on Patch Tuesday, Microsoft confirmed an embarrassing bug that broke older security patches installed on Windows 10 devices.
The bug is known as CVE-2024-43491 and affects Windows 10 version 1507 (an older version that still supports Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015). It has a near-maximum severity score of 9.8.
This is a rather strange vulnerability, caused by the way people install old security patches. If a user installs a security update released between March and August 2024 and then applies an update released since March 12, the operating system will roll back the updated software to its base Release To Manufacturing (RTM) version. In this way, the operating system basically reintroduces all the security vulnerabilities patched in the meantime.
Problems with Tuesday's patch
Microsoft said the following components are affected:
.NET Framework 4.6 Advanced Services ASP.NET 4.6
Active Directory Lightweight Directory Services
Administrative tools
Internet Explorer 11
Internet Information ServicesWorld Wide Web Services
LPD printing service
Microsoft Message Queue (MSMQ) Server Core
MSMQ HTTP Support
Multipoint connector
SMB 1.0/CIFS file sharing support
Windows Fax and Scan
Windows Media Player
Work Folder Client
XPS Viewer
Since all the bugs have been fixed in the past, Microsoft considers this new bug to be “exploited in the wild.”
“Starting with the Windows security update released on March 12, 2024, KB5035858 (OS Build 10240.20526), build version numbers crossed a range that triggered a code defect in the Windows 10 (version 1507) servicing stack that handles optional component applicability,” Microsoft explains.
“As a result, any optional components that were serviced with updates released on or after March 12, 2024 (KB5035858) were detected as 'not applicable' by the servicing stack and were rolled back to their RTM version.”
If a user installed a previous security update, the rollback is now in effect and they must install the September 2024 Servicing Stack Update and Security Update for Windows 10 to fix the issue.
Through The Registry
