CVE-2024-43491 - How a Servicing Stack Bug Reopened Old Security Holes on Windows 10 Version 1507
*Published: June 2024*
Microsoft recently reported a new vulnerability, CVE-2024-43491, that impacts some Windows 10 systems in a unique way. This flaw doesn’t exist in the most recent Windows releases—just in some years-old, but still supported, editions. Let’s break down what happened, how attackers could abuse it, and how to fix it.
What is CVE-2024-43491?
CVE-2024-43491 is a servicing stack vulnerability in Windows 10, version 1507 (the original release from July 2015). The issue is not that a new flaw was introduced—rather, the latest monthly security updates accidentally rolled back protections that earlier patches had put in place. Because of this slip-up, old vulnerabilities that had already been fixed can be exploited again—like finding a door unlocked that you had locked years ago.
Affected systems: Windows 10 IoT Enterprise 2015 LTSB. Any machine with security updates installed from March 12, 2024 (KB5035858, OS Build 10240.20526) up through the updates released before September 2024 is at risk.
Note: All other Windows 10 editions (Home, Pro, etc.), and all newer Windows 10 versions, are NOT affected.
How Did This Happen?
The “servicing stack” is a vital part of Windows update infrastructure. A bug introduced in recent Servicing Stack Updates (SSUs) meant certain critical fixes related to “Optional Components” were accidentally reverted. These vulnerabilities had already been patched—but now, on affected machines, attackers could exploit them again.
What’s worse: the affected Windows 10, version 1507, is out of support for most users, but still on extended servicing for LTSB/IoT LTSB devices—kiosks, ATMs, and other long-lived hardware.
How Could an Attacker Exploit This?
Since the bug reopens previously patched flaws, many attack paths become possible again. The specifics depend on the original vulnerabilities, but here’s a typical scenario involving Optional Components:
1. The attacker first gains a foothold (for example, a local user account, or remote code execution through a separate vulnerability chain).
2. They use the now-exposed flaws (in Optional Components such as legacy networking, SMBv1, or multimedia frameworks) to escalate privileges, access protected data, or move laterally inside the environment.
3. Update status and logs still report the machine as “fully patched”, so administrators miss the gap.
Example Attack Code
Here’s a proof-of-concept (PoC) to exploit a hypothetical old DLL vulnerability (assuming it’s now active again):
```python
import ctypes

# Hypothetical vulnerable DLL, assumed to be present again after the rollback
vuln_dll = ctypes.windll.LoadLibrary("vuln_optional_comp.dll")

# Misuse an old (hypothetical) exported function to get SYSTEM privileges
vuln_func = vuln_dll.ElevateToSystem
result = vuln_func()

# Assumed convention for this hypothetical export: a return value of 0 means success
if result == 0:
    print("Privilege escalated to SYSTEM! System compromised.")
else:
    print("Exploit failed.")
```
Note: The above code is a simplified stand-in; real-world exploits would be tailored for specific components and likely require custom shellcode or in-depth knowledge of the rolled-back flaw.
- September 2024 Servicing Stack Update: KB5043936
- September 2024 Windows Security Update: KB5043083
Important: You must install the SSU update before applying the security update, or the fixes may not “stick.”
1. Download and install SSU KB5043936 (download link: Microsoft Update Catalog).
2. Download and install KB5043083 (download link: Microsoft Update Catalog).
3. Restart your device again to finish patching.
4. Check your build number and update history to verify successful installation.
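One way to script that last verification step, as an added PowerShell example that is not from the post or from Microsoft: it reads the build number from the registry, compares it with the affected range above, and looks for the two September 2024 packages. It assumes that `Get-HotFix` lists both the SSU and the cumulative update on this edition; where it does not, the Update History page remains the authoritative check.

```powershell
# Added example: check a host for the CVE-2024-43491 regression window and for the
# September 2024 SSU/LCU pair. Assumes Get-HotFix reports both packages (not always
# guaranteed for servicing stack updates); treat Update History as authoritative.

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuild
$ubr   = [int]$cv.UBR          # Update Build Revision: the ".NNNNN" part of 10240.NNNNN

if ($build -ne 10240) {
    Write-Output "Build $($build).$($ubr) is not Windows 10 version 1507; CVE-2024-43491 does not apply."
    return
}

$ssu = 'KB5043936'   # September 2024 Servicing Stack Update (must be installed first)
$lcu = 'KB5043083'   # September 2024 cumulative security update

$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$hasSsu = $installed -contains $ssu
$hasLcu = $installed -contains $lcu

Write-Output "Edition : $($cv.ProductName)"
Write-Output "Build   : $($build).$($ubr)"
Write-Output "$ssu installed: $hasSsu"
Write-Output "$lcu installed: $hasLcu"

if ($hasSsu -and $hasLcu) {
    Write-Output 'Result  : both September 2024 packages present; confirm in Update History and reboot if a restart is pending.'
}
elseif ($ubr -ge 20526) {
    # 10240.20526 is the March 12, 2024 build (KB5035858) in which the rollback first shipped
    Write-Warning 'Result  : build is in the affected range (>= 10240.20526) without the September fix. Install the SSU, then the LCU, then restart.'
}
else {
    Write-Warning 'Result  : build is below 10240.20526, so the rollback never shipped here, but the host is missing updates since March 2024.'
}
```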
Microsoft’s Official References
- Microsoft Security Advisory for CVE-2024-43491
- KB5035858 Security Update Release Notes
- SSU and Cumulative Update Deployment Info
If you run Windows 10 Enterprise 2015 LTSB or IoT Enterprise 2015 LTSB, patch immediately.
- This vulnerability only matters to organizations with old LTSB installs. If that’s you, this is serious.
- Schedule regular checks for SSU and cumulative updates to avoid “hidden regressions” like this one.
- Most regular Windows 10 users are not affected—only those with machines dating back to 2015 still under special support.
Stay safe, and keep your systems updated—with Servicing Stacks first!
*This post is for educational awareness. Exploit code is illustrative and should not be used for unauthorized access. Always patch promptly and monitor for updates from vendors.*
Timeline
Published on: 09/10/2024 17:15:36 UTC
Last modified on: 09/14/2024 02:03:46 UTC