Overview
- Description
- Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024—KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability. This servicing stack vulnerability is addressed by installing the September 2024 Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order. Note: Windows 10, version 1507 reached the end of support (EOS) on May 9, 2017 for devices running the Pro, Home, Enterprise, Education, and Enterprise IoT editions. Only Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB editions are still under support.
- Source
- secure@microsoft.com
- NVD status
- Analyzed
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
Known exploits
Data from CISA
- Vulnerability name
- Microsoft Windows Update Use-After-Free Vulnerability
- Exploit added on
- Sep 10, 2024
- Exploit action due
- Oct 1, 2024
- Required action
- Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Weaknesses
- nvd@nist.gov
- NVD-CWE-noinfo
- secure@microsoft.com
- CWE-416
Social media
- Hype score
- Not currently trending
CVE-2024-43491 - windows 10 critical vuln in windows update process allows attacker to bypass previous security patches, exposing systems! Affects version 1057 specifically enterprise 2015 LTBS! And IoT enterprise 2015 LTBS! Update accordingly!. https://t.co/ZebFZrn1eM
@zeroday31337
13 Nov 2024
94 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
This Week in Security: Malicious Rollback, WHOIS, and More: It’s time to talk about Microsoft’s patch Tuesday, and the odd vulnerability rollback that happened. CVE-2024-43491 has caught some attention, as it’s a 9.8 on the CVSS scale, is under… https://t.co/K9i13FAlCD #hadtips h
@360TechAdvisors
20 Oct 2024
21 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x64:*",
"vulnerable": true,
"matchCriteriaId": "85DD5735-7C22-4A98-B404-08FEF44A640F",
"versionEndExcluding": "10.0.10240.20766"
},
{
"criteria": "cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x86:*",
"vulnerable": true,
"matchCriteriaId": "5EAA032C-3371-4C4C-92CF-B7B5845AD6FF",
"versionEndIncluding": "10.0.10240.20766"
}
],
"operator": "OR"
}
]
}
]