Vulnerability in Windows 10 Update Assistant

[German]Microsoft has acknowledged a vulnerability in the Windows 10 Update Assistant that can be exploited to extend privileges. Uninstalling or updating the wizard is recommended. Here is some information about what you should know.


Advertising

What is the Windows 10 Update Assistant?

First of all, I would like to point out that this will not affect normal Windows 10 users who never used the Windows 10 Update Assistant. The program must have been explicitly downloaded by someone and installed with administrative privileges under Windows 10. The Windows 10 Update Assistant can be downloaded in Windows 10 from this Microsoft site. The wizard was also offered on the Windows 10 upgrade page (see screenshot).

Windows 10 aktualisieren

The Windows 10 Update Assistant downloads and installs feature updates on a running Windows 10 system. This is helpful if such a feature update usually fails due to compatibility issues. The Assistant checks for compatibility and provides instructions on what to do to prevent upgrading to a new version of Windows 10.

The vulnerability CVE-2019-1378

On October 8, 2019, Microsoft released the Security Advisory CVE-2019-1378 warning about an Elevation of Privilege vulnerability in the Windows 10 Update Assistant. In the Windows 10 Update Assistant, there is a privilege management issue that allows a program to extended privileges.

A locally authenticated attacker could execute arbitrary code with elevated system privileges. After successfully exploiting the vulnerability, an attacker could then install programs, view, modify, or delete data, or create new accounts with full user privileges.


Advertising

Microsoft states that the vulnerability is not being exploited and considers the exploitability to be low because the attacker must already be on the system. However, the vulnerability is classified as Important.

What can you do?

On its Security Advisory for CVE-2019-1378, Microsoft gives concrete advice on what you can check and do.

  • Only people who have visited the Microsoft ‘Download Windows 10’ page in the past are affected.
  • They had to click Update Now and then save the executable WindowsUpdate9252.exe installation file on your computer.

If both conditions are true, the vulnerable version WindowsUpdate9252.exe of the Windows 10 Update Assistant is present on a system. Microsoft recommends that you delete the download and, if installed, uninstall the program. To do this, check the following (according to support article 4023814): 

  • If the 4023814 update appears in the list of installed updates or in programs and functions, the wizard is present on the system.
  • The program is also listed in the Apps category on the Settings page during installation.

If the update 4023814 is listed or a standalone version of the Windows 10 Update Assistant has been installed, it should be uninstalled. The uninstallation can be done in an administrative prompt with the instruction:

C:\Windows10Upgrade\Windows10UpgraderApp.exe /ForceUninstall

You can then check the following folders to see if the Windows 10 Update Wizard has been removed from your computer.

  • C:\Windows\Updateassistant
  • C:\Windows10upgrade

If you cannot remove these folders, start the Task Manager (taskmgr.exe) and exit the UpdateAssistant.exe process and the Windows10UpgraderApp.exe process. Then try to delete the folders again. 

Microsoft provides an updates version of the Windows 10 Update Assistant that isn’t vulnerable. But I recommend, not to use this tool, it not necessary.


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *