14 DAY TRIAL // A security vulnerability in Microsoft’s Windows 10 Update Assistant makes it possible for an attacker to execute code with SYSTEM privileges.
The elevation of privilege flaw is documented in CVE-2019-1378, with Microsoft explaining that an attacker can end up being able to create an account with full user rights, eventually obtaining access to drop additional payloads and take control of the device.
“An elevation of privilege vulnerability exists in Windows 10 Update Assistant in the way it handles permissions,” Microsoft says.
“A locally authenticated attacker could run arbitrary code with elevated system privileges. After successfully exploiting the vulnerability, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The flaw was discovered and reported to Microsoft by Jimmy Bayne and exists in the Windows 10 Update Assistant regardless of the version of Windows 10 where it is installed.
New version of Windows 10 Update Assistant
As noted by BP, some computers end up running the Windows 10 Update Assistant after installing update KB4023814. However, this update is only aimed at devices running Windows 10 version 1803 (April 2018 Update) and newer, and it is specifically supposed to prepare the upgrade to Windows 10 version 1903 (May 2019 Update).
On the other hand, devices running Windows 10 Update Assistant on Windows 10 version 1903 are also vulnerable to attacks if the update tool was manually installed.
Microsoft has already released a new version of the Update Assistant to resolve the vulnerability, and users are recommended to install it as soon as possible. The only way to patch the flaw is to manually install this new version, at least until this is included in a new update shipped automatically to devices via Windows Update. Removing Windows 10 Update Assistant completely obviously blocks an attack too.
Microsoft says the flaw was privately disclosed and exploitation is less likely, with no reports of the bug currently being exploited out in the wild.