Microsoft Removes Standalone Security Update Causing Issues on Some PCs

A standalone security update (KB4524244) that Microsoft issued recently for Windows 10 as part of Patch Tuesday has been removed from Windows Update after some users experienced problems. The update was for Windows 10 versions 1607 through 1909, and Windows Server 2016 and Windows Server 2019.

KB4524244 was designed to address an issue where third-party Unified Extensible Firmware Interface (UEFI) boot managers could expose UEFI-enabled PCs to a security vulnerability.

Microsoft hasn’t detailed the exact nature of the vulnerability but says the update will block a ‘vulnerable boot manager’. A similar patch for Windows 8.x and Windows 10 version 1507 (KB4502496) has also been pulled.

Kaspersky Rescue Disk vulnerability

According to an article published by antivirus vendor Kaspersky, the third-party boot manager in question was part of their product Rescue Disk. The vulnerability in Rescue Disk was publicly disclosed in April 2019 and fixed in August 2019. Kaspersky says:

It was possible to run an untrusted UEFI image (e.g. custom operating system) on a computer protected by Secure Boot technology. This could be done by exploiting a custom UEFI loader used by Kaspersky Rescue Disk. Practical attack scenario required physical access to a computer.

The Microsoft patch updates the UEFI Revocation List File, which is a database of revoked UEFI signatures. The change to the file was made to prevent attacks that use vulnerable versions of Kaspersky Rescue Disk. Successful attacks might be able to circumvent Secure Boot to install malicious code.

Mitigate issues caused by KB4524244

Microsoft says that users who installed the update could experience a couple of issues:

  • “Reset this PC” feature might fail. The “Reset this PC” feature is also called “Push Button Reset” or PBR.
  • You might encounter issues trying to install or after installing KB4524244.

For organizations or users experiencing these issues, Microsoft recommends uninstalling the update. Users can do this by clicking View update history under Windows Update in the Windows 10 Settings app. Then click Uninstall updates at the top of the Settings app. Organizations can remove the update with the help of Microsoft Intune or Microsoft Endpoint Manager.

Microsoft has pulled the update from Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. KB4524244 is a standalone update, so it doesn’t affect the cumulative update for Windows 10 that was rolled out via Windows Update in the first half of February.

While KB4524244 will not be reoffered, Microsoft says that it is working on an improved version of the patch for future release. If KB4524244 was installed on a device and isn’t causing any issues, then it doesn’t need to be removed.
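
For administrators who prefer to script the check, the following added example (not from Microsoft or the original article) reports whether either pulled update is installed, shows the Secure Boot state, and removes the update only when asked. The parameter names `-KbIds` and `-Uninstall` are assumptions made for this sketch; `Get-HotFix`, `Confirm-SecureBootUEFI` and `wusa.exe` are standard Windows components.

```powershell
# Added example: audit and optionally remove the pulled Secure Boot revocation updates.
# Run from an elevated PowerShell session on the machine being checked.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    # KB numbers named in the article; parameter names are hypothetical.
    [string[]]$KbIds = @('KB4524244', 'KB4502496'),
    [switch]$Uninstall
)

# Confirm-SecureBootUEFI throws on legacy BIOS systems and in non-elevated sessions.
try {
    $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
} catch {
    $secureBoot = 'Unavailable (legacy BIOS or not elevated)'
}

$results = foreach ($kb in $KbIds) {
    $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    $status = if ($hotfix) { 'Installed' } else { 'NotInstalled' }

    # Remove only when explicitly requested; the article notes that an installed
    # update that causes no problems does not need to be removed.
    if ($hotfix -and $Uninstall -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Uninstall $kb")) {
        $number = $kb -replace '^KB', ''
        $proc = Start-Process -FilePath 'wusa.exe' `
            -ArgumentList '/uninstall', "/kb:$number", '/norestart' -Wait -PassThru
        $status = switch ($proc.ExitCode) {
            0       { 'Removed' }
            3010    { 'RemovedRebootRequired' }   # ERROR_SUCCESS_REBOOT_REQUIRED
            default { "UninstallFailed($($proc.ExitCode))" }
        }
    }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        KB          = $kb
        Status      = $status
        InstalledOn = $hotfix.InstalledOn
        SecureBoot  = $secureBoot
    }
}

$results | Format-Table -AutoSize
```

Run it without `-Uninstall` first to get a report only; with `-Uninstall`, PowerShell asks for confirmation before each removal and `wusa.exe` shows its own prompt.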

Secure physical access to devices

If the update wasn’t installed on your device or has been removed, then you’ll have to wait until Microsoft provides an improved version of the fix. Exploiting the vulnerability requires physical access to the disk. You can protect yourself by locking down the device with a BIOS password and making sure that the device is physically secure.
