Microsoft Says Windows Update Zero-Day Being Exploited to Undo Security Fixes
Microsoft warns of a critical vulnerability, CVE-2024-43491, in Windows 10, version 1507, exploited to reverse security fixes. Users should install specific updates. Adobe also issued patches for critical flaws.
Read original article
Microsoft has issued a warning regarding a critical vulnerability in Windows Update, identified as CVE-2024-43491, which is currently being exploited by attackers to reverse security fixes on certain Windows 10 versions. This flaw has a CVSS severity score of 9.8/10 and affects Windows 10, version 1507, allowing attackers to exploit previously mitigated vulnerabilities. Microsoft has not disclosed specific details about public exploitation or provided indicators of compromise. Users of the affected systems are advised to install the latest Servicing Stack Update (SSU) and the September 2024 Windows security update in a specified order. This vulnerability is one of four zero-days actively exploited, with Microsoft acknowledging a total of 21 zero-day attacks in 2024. The September Patch Tuesday rollout addresses approximately 80 security defects across various Microsoft products, with seven rated critical. Additionally, Adobe has released patches for 28 vulnerabilities in its products, including critical flaws in Acrobat and ColdFusion, which could lead to code execution attacks.
- Microsoft warns of a critical Windows Update vulnerability being exploited to undo security fixes.
- The flaw, CVE-2024-43491, affects Windows 10, version 1507, with a CVSS score of 9.8/10.
- Users are instructed to install specific updates to mitigate the vulnerability.
- Microsoft has acknowledged 21 zero-day attacks in 2024, with the September Patch Tuesday addressing 80 security defects.
- Adobe also released patches for critical vulnerabilities in its products, including Acrobat and ColdFusion.
Related
Windows: Insecure by Design
The article discusses ongoing security issues with Microsoft Windows, including recent vulnerabilities exploited by a Chinese hacking group, criticism of continuous patch releases, concerns about privacy invasion with Recall feature, and frustrations with Windows 11 practices. It advocates for considering more secure alternatives like Linux.
Zero-click Windows TCP/IP RCE impacts all systems with IPv6 enabled, patch now
Microsoft warns of a critical TCP/IP vulnerability (CVE-2024-38063) affecting all IPv6-enabled Windows systems, allowing remote code execution. Users should prioritize patching to mitigate risks, as the exploit is wormable.
Chrome update fixes 38 security issues, including active vulnerability
Google released a Chrome update addressing 38 vulnerabilities, including a critical 0-day exploit (CVE-2024-7971). Users are urged to update immediately to mitigate risks across all platforms.
Google tags a tenth Chrome zero-day as exploited this year
Google patched its tenth zero-day vulnerability in Chrome for 2024, allowing remote exploitation via crafted HTML. Users should update their browsers to the latest version for protection.
About that Windows Installer 'make me admin' security hole. How it's exploited
Microsoft patched a critical Windows Installer vulnerability, CVE-2024-38014, allowing privilege escalation. SEC Consult released a tool to identify vulnerable files, urging users to apply the patch promptly.
1 commentsRelated
Windows: Insecure by Design
The article discusses ongoing security issues with Microsoft Windows, including recent vulnerabilities exploited by a Chinese hacking group, criticism of continuous patch releases, concerns about privacy invasion with Recall feature, and frustrations with Windows 11 practices. It advocates for considering more secure alternatives like Linux.
Zero-click Windows TCP/IP RCE impacts all systems with IPv6 enabled, patch now
Microsoft warns of a critical TCP/IP vulnerability (CVE-2024-38063) affecting all IPv6-enabled Windows systems, allowing remote code execution. Users should prioritize patching to mitigate risks, as the exploit is wormable.
Chrome update fixes 38 security issues, including active vulnerability
Google released a Chrome update addressing 38 vulnerabilities, including a critical 0-day exploit (CVE-2024-7971). Users are urged to update immediately to mitigate risks across all platforms.
Google tags a tenth Chrome zero-day as exploited this year
Google patched its tenth zero-day vulnerability in Chrome for 2024, allowing remote exploitation via crafted HTML. Users should update their browsers to the latest version for protection.
About that Windows Installer 'make me admin' security hole. How it's exploited
Microsoft patched a critical Windows Installer vulnerability, CVE-2024-38014, allowing privilege escalation. SEC Consult released a tool to identify vulnerable files, urging users to apply the patch promptly.