Windows 10 News and info | Forum
Topic: Windows 10 Update Assistant Vulnerability Needs Manual Fix, Here's How
Author: javajolt
« on: October 11, 2019, 09:00:58 PM »

Microsoft has released a new version of the Windows 10 Update Assistant in order to fix a local privilege escalation vulnerability. While there is no imminent threat, the only way to fix this vulnerability is to uninstall the program or download the latest version.

The Windows 10 Update Assistant is a Microsoft program that helps you download and upgrade to the latest version of Windows 10.  On older versions of Windows, it may also intermittently show you small alerts that prompt you to install the latest Windows 10 feature update.


[Figure: Windows 10 Update Assistant]

In previous versions of the Windows 10 Update Assistant for version 1903, a vulnerability existed that could allow attackers to elevate their permissions and execute commands they should not normally be able to.

The Windows 10 Update Assistant vulnerability

With the October 2019 Patch Tuesday security fixes, Microsoft released a security bulletin for a local privilege escalation vulnerability (CVE-2019-1378) in Windows 10 Update Assistant that was discovered by security researcher Jimmy Bayne.

This vulnerability could allow an attacker to elevate their permissions in order to run a program with SYSTEM privileges, which essentially lets them perform any action they want in Windows.

A day later, on October 9th, Microsoft released an updated Windows 10 Update Assistant that fixes the vulnerability.

In a conversation with BleepingComputer, Bayne felt that this vulnerability is not a major concern and can only be used under specific conditions.

Quote
"The WUA finding is not what I would consider a very practical LPE.  Elevation can be achieved by hijacking a component of the update process, which allows an attacker to execute a payload as SYSTEM.  It is a very opportunistic situation that has to occur during the update process.  So the previous release of WUA for Win 10 1903 is vulnerable, but it does not mean that Windows machines updated with the previous version of WUA have a persistent vulnerability."

When discussing how it could be used, Bayne told us that the most realistic use case would be for an APT actor who has persistent and long term access to a machine.

Quote
"The most realistic use case presented is an APT type of actor that has a long dwell time in a network could potentially take advantage of this if other avenues are exhausted."

With that said, Bayne does feel that users should always be running the latest version of the software, especially if older versions have a known vulnerability. Therefore, it is suggested that users uninstall the current Windows 10 Update Assistant and download and install the latest version if necessary.

What you should do to fix the vulnerability

What many users do not know is that the Windows 10 Update Assistant (WUA) is not a standalone program and will actually install itself into Windows in the C:\Windows10Upgrade folder.

WUA is either installed on a computer manually by downloading the program from Microsoft or it is installed as part of the KB4023814 update.

To check if it is installed, you can either check if the KB4023814 update is installed or see if there is an uninstall entry for WUA in the Apps & features control panel as shown below.


[Figure: Windows 10 Update Assistant Uninstall Entry]

In order to fix this vulnerability, users need to either remove the Windows 10 Update Assistant or download the latest version from Microsoft, which now contains an updated and fixed version, and install it.

For most people, it is easier to just remove the program and install the latest version when you are attempting to upgrade to a new version of Windows 10 and are having problems.

If the Windows 10 Update Assistant entry is listed in the Uninstall Programs, you can uninstall it from there.

Regardless of how it was installed, you can always remove the Windows 10 Update Assistant by opening a command prompt and then typing the following command and pressing Enter on your keyboard.

Quote
C:\Windows10Upgrade\Windows10UpgraderApp.exe /ForceUninstall


[Figure: Uninstalling the Windows 10 Update Assistant]

After pressing Enter, you will be shown a UAC prompt asking if you want to allow this app to make changes. You should click on the Yes button at this prompt.


[Figure: UAC Prompt]

When running the command, it will not display any output, and just bring you back to another prompt. You can now close the command prompt window.

To confirm that the Windows 10 Update Assistant has been removed, you can check if the C:\Windows10upgrade or C:\Windows\Updateassistant folders exist. If they do not, then it has been completely removed.

If either of those two folders still exists, you can now delete them.

If you cannot remove those folders for some reason, you can launch Task Manager and end the UpdateAssistant.exe and the Windows10UpgraderApp.exe processes if they are running. Once terminated, you can now try to delete the folders again.

Now that the Windows 10 Update Assistant has been removed, Windows will no longer be affected by the vulnerability.

source
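
The checks described in the post (KB4023814, the uninstall entry, the two folders and the two processes) can be run as one read-only audit before and after removal. This is an added example, not part of the original post or Microsoft's tooling; the `DisplayName` pattern and the assumption that the KB is visible to `Get-HotFix` are mine.

```powershell
# Added example: read-only audit for Windows 10 Update Assistant (WUA) components.
# Folder paths, process names and the KB number are the ones named in the post.
$folders   = 'C:\Windows10Upgrade', 'C:\Windows\UpdateAssistant'
$processes = 'UpdateAssistant', 'Windows10UpgraderApp'   # Get-Process wants names without .exe
$kbId      = 'KB4023814'
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$findings = [System.Collections.Generic.List[string]]::new()

foreach ($folder in $folders) {
    if (Test-Path -LiteralPath $folder) { $findings.Add("Folder present: $folder") }
}

# Report the installed binary's version so it can be compared with a fresh download.
$exe = Join-Path $folders[0] 'Windows10UpgraderApp.exe'
if (Test-Path -LiteralPath $exe) {
    $ver = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
    $findings.Add("Windows10UpgraderApp.exe file version: $ver")
}

# These processes can keep the folders locked and block deletion.
foreach ($p in Get-Process -Name $processes -ErrorAction SilentlyContinue) {
    $findings.Add("Process running: $($p.ProcessName) (PID $($p.Id))")
}

# Assumption: the KB is listed by Get-HotFix on this machine.
if (Get-HotFix -Id $kbId -ErrorAction SilentlyContinue) {
    $findings.Add("Update installed: $kbId")
}

# Assumption: the Apps & features entry carries this DisplayName.
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Windows 10 Update Assistant*' } |
    ForEach-Object { $findings.Add("Uninstall entry: $($_.DisplayName) $($_.DisplayVersion)") }

if ($findings.Count -eq 0) {
    'Windows 10 Update Assistant: no components found.'
} else {
    'Windows 10 Update Assistant components found:'
    $findings | ForEach-Object { "  $_" }
}
```

The script changes nothing on the system; the post does not state the fixed file version, so the version line is reported for comparison rather than judged.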