Microsoft is urging users of Windows 10 version 1903 to install this month's SSU or 'servicing stack update' to address a bug in a Secure Boot feature that could force the Windows BitLocker encryption system into recovery mode.
Microsoft regularly provides SSUs to improve the Windows servicing stack, the component that installs Windows updates each month. Microsoft generally recommends installing SSUs ahead of the monthly cumulative updates.
However, this month's SSU also contains a security fix rated as 'critical' by Microsoft's security response center.
The update "addresses an issue with a Secure Boot feature update that may cause BitLocker to go into recovery mode because of a race condition", the company notes in a new KB article. The same issue is addressed in SSUs for older versions of Windows, too.
The updates are available from the Microsoft Update Catalog or through Windows Server Update Services (WSUS).
Microsoft said it "strongly recommends" that users and admins install this latest SSU before installing the latest cumulative update, which was released along with this month's Patch Tuesday updates.
ESET researcher Anton Cherepanov, who discovered the exploit for the flaw, has now published a detailed write-up of the local privilege-escalation issue.
The exploit doesn't affect Windows 10 or Windows 8, but it does impact older versions, including Windows 7 SP1, Windows Server 2008 SP2, and Windows Server 2008 R2 SP1.
Cherepanov notes that the technique used in the current exploit is "very similar" to one used before 2017 by the advanced hacking group called Sednit, aka Fancy Bear, APT28, STRONTIUM, and Sofacy.
According to Cherepanov, Windows 8 and later block a key component of the exploit chain, which is why the flaw only affects the earlier supported versions of Windows. He notes that Microsoft back-ported the Windows 8 mitigation to Windows 7 for x64-based systems.
While Microsoft's push to get Windows 7 users to upgrade to a new version is often seen as nagging, Cherepanov contends that bugs like this are one reason Windows 7 users should follow Microsoft's advice.
"People who still use Windows 7 for 32-bit systems Service Pack 1 should consider updating to newer operating systems, since extended support of Windows 7 Service Pack 1 ends on January 14, 2020, which means that Windows 7 users won't receive critical security updates. Thus, vulnerabilities like this one will stay unpatched forever."