Unbeknownst to Windows 10 users until now, a security vulnerability existed in Windows Setup, the process which runs when installing Feature Updates for the operating system.
The vulnerability (CVE-2020-16908) made it possible for a locally authenticated attacker to run arbitrary code with elevated system privileges. This flaw could be exploited to install software, create new user accounts, or interfere with data.
The vulnerability was found in the way Windows Setup handles directories, and Microsoft says that it affects versions 1803, 1809, 1903, 1909 and 2004 of Windows 10. The company assures users that systems are only vulnerable to attack during the process of upgrading to a new Feature Update, and at no other time. Now that Feature Update bundles have been refreshed with the patched Setup binaries, however, the vulnerability “no longer exists”.
Announcing some details of the security flaw now that it has been fixed, Microsoft explains:
This vulnerability only exists in Windows 10 Setup, which runs temporarily any time a customer upgrades from a previous version of Windows 10 to a newer version (for example, from Windows 10 Version 1909 to Windows 10 Version 2004). A device is vulnerable only while upgrading to a newer version of Windows. At any other time, the device is not vulnerable.
Offering advice to anyone using a management tool to update Windows, the company also says:
If you are using WSUS or MEM ConfigMgr or another third-party management tool, please sync the latest feature update bundles and approve those for deployment. If you are using Windows media, as applicable to your system, please download the latest refreshed media from VLSC or Visual Studio Subscriptions (formerly MSDN), or download the latest applicable Setup Dynamic Update (DU) package and patch your existing media.
You can download the latest Setup DU packages from the Microsoft Update Catalog website. Please follow the instructions in the following article to learn about how to apply a Setup DU package to your existing media. Update remaining media files.
The latest Setup DU Packages can be found here: