October 14, 2019 | 10:58
Microsoft has released a manual patch for its Windows 10 Update Assistant utility, earlier versions of which suffered from a local privilege escalation (LPE) vulnerability - but the researcher who discovered it says the flaw is not 'practical' to exploit.
The Windows 10 Update Assistant is, as its name suggests, a tool for Windows users which aims to make it easier to upgrade to the latest feature releases of Windows 10 - including, when available, the Windows 10 November 2019 Update. The tool also runs in the background, checking to see if the user is on the latest feature release and, if not, prompting for the newest build to be downloaded and installed.
A flaw in earlier versions of the tool, however, has left users at risk of a local privilege escalation (LPE) attack - a class of vulnerability which allows software supposedly running under the user's privilege level or lower to elevate its privilege to the 'SYSTEM' level - giving it complete control over the system.
The good news: Microsoft is aware of the issue, and has released a patch which resolves the vulnerability. The bad news: The patch needs to be downloaded and installed manually, and will not be distributed automatically through Windows Update.
Speaking to Bleeping Computer, security researcher Jimmy Bayne explained that the flaw is not as severe as it first seems: 'The WUA finding is not what I would consider a very practical LPE [local privilege escalation attack]. Elevation can be achieved by hijacking a component of the update process, which allows an attacker to execute a payload as SYSTEM. It is a very opportunistic situation that has to occur during the update process. So the previous release of WUA for Win 10 1903 is vulnerable, but it does not mean that Windows machines updated with the previous version of WUA have a persistent vulnerability.'
Those who would like to patch the flaw nevertheless are advised to either manually uninstall the Windows 10 Update Assistant from the Apps & Features menu or the download and install the newest version over the top.
May 14 2021 | 18:40