Microsoft Removes Standalone Security Update Causing Issues on Some PCs
A standalone security update (KB4524244) that Microsoft issued recently for Windows 10 as part of Patch Tuesday has been removed from Windows Update after some users experienced problems. The update was for Windows 10 versions 1607 through 1909, and Windows Server 2016 and Windows Server 2019.
KB4524244 was designed to address an issue where third-party Unified Extensible Firmware Interface (UEFI) boot managers could expose UEFI-enabled PCs to a security vulnerability.
Microsoft hasn’t detailed the exact nature of the vulnerability but says the update will block a ‘vulnerable boot manager’. A similar patch for Windows 8.x and Windows 10 version 1507 (KB4502496) has also been pulled.
Kaspersky Rescue Disk vulnerability
According to an article published by antivirus vendor Kaspersky, the third-party boot manager in question was part of their product Rescue Disk. The vulnerability in Rescue Disk was publicly disclosed in April 2019 and fixed in August 2019. Kaspersky says:
It was possible to run an untrusted UEFI image (e.g. a custom operating system) on a computer protected by Secure Boot technology. This could be done by exploiting a custom UEFI loader used by Kaspersky Rescue Disk. A practical attack scenario required physical access to the computer.
The Microsoft patch updates the UEFI Revocation List File, which is the Secure Boot forbidden-signature database (the "dbx" variable): a list of signatures and hashes that firmware must refuse to boot even though they chain to a trusted certificate. The change adds the vulnerable versions of the Kaspersky Rescue Disk loader to that list, so firmware with the updated dbx will no longer launch them. Without the revocation, an attacker who can boot one of those loaders can circumvent Secure Boot and install malicious code that runs before the operating system.
Mitigate issues caused by KB4524244
Microsoft says that users who installed the update could experience a couple of issues:
- “Reset this PC” feature might fail. The “Reset this PC” feature is also called “Push Button Reset” or PBR.
- You might encounter issues when trying to install KB4524244, or after installing it.
For organizations or users experiencing these issues, Microsoft recommends uninstalling the update. Users can do this in the Windows 10 Settings app: under Windows Update, click View update history, then Uninstall updates at the top of the page, and select KB4524244. Organizations can remove the update centrally with Microsoft Intune or Microsoft Endpoint Manager.
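The following PowerShell script is an added example and is not from the article, Microsoft or Kaspersky. It ties together the two points above: it reads the Secure Boot dbx variable that KB4524244 extends and counts the revoked entries (so you can see the revocation list grow after the update), checks whether the standalone update is installed, and removes it with wusa.exe when asked. The parameter and function names are this script's own; the dbx layout follows the EFI_SIGNATURE_LIST structure from the UEFI specification. Run it from an elevated session on Windows 10 or Windows Server 2016/2019.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the article, Microsoft or Kaspersky).
  Summarises the Secure Boot dbx (forbidden-signature database) that the
  KB4524244 update extends, reports whether the KB is installed, and
  uninstalls it when -Uninstall is given. Names below are this script's own.
#>
[CmdletBinding()]
param(
    [string]$Kb = 'KB4524244',   # the standalone update discussed in the article
    [switch]$Uninstall           # actually remove the update; a reboot may follow
)

# Signature-type GUIDs defined in the UEFI specification
$SignatureTypeNames = @{
    'c1c41626-504c-4092-aca9-41f936934328' = 'SHA256 hash'
    'a5c059a1-94e4-4aa7-87b5-ab155c2bf072' = 'X.509 certificate'
}

function Get-DbxSummary {
    # dbx is a sequence of EFI_SIGNATURE_LIST records:
    #   SignatureType       GUID    16 bytes
    #   SignatureListSize   UINT32   4 bytes  (whole record, header included)
    #   SignatureHeaderSize UINT32   4 bytes
    #   SignatureSize       UINT32   4 bytes  (per entry: 16-byte owner GUID + data)
    #   SignatureHeader     [SignatureHeaderSize bytes]
    #   Signatures          [n entries of SignatureSize bytes each]
    $bytes   = (Get-SecureBootUEFI -Name dbx).Bytes
    $offset  = 0
    $summary = @{}
    while ($offset + 28 -le $bytes.Length) {
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -eq 0 -or $offset + $listSize -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $count = [int](($listSize - 28 - $headerSize) / $sigSize)
        $name  = $SignatureTypeNames[$type.ToString()]
        if (-not $name) { $name = $type.ToString() }
        $summary[$name] = [int]$summary[$name] + $count   # $null coerces to 0 on first hit
        $offset += $listSize
    }
    return $summary
}

# 1. Secure Boot state: a dbx entry only blocks anything when Secure Boot is enforcing.
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    Write-Warning "Not a UEFI system or Secure Boot unsupported: $($_.Exception.Message)"
    $secureBoot = $false
}
Write-Host "Secure Boot enabled : $secureBoot"

# 2. What is currently revoked. A larger hash count after the update is the
#    visible effect of the revocation-list change the article describes.
if ($secureBoot) {
    $dbx = Get-DbxSummary
    foreach ($k in $dbx.Keys) { Write-Host ("dbx {0,-18}: {1} entries" -f $k, $dbx[$k]) }
}

# 3. Is the standalone update installed?
$hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
if (-not $hotfix) {
    Write-Host "$Kb is not installed; nothing to remove."
    return
}
Write-Host ("{0} installed on {1}" -f $Kb, $hotfix.InstalledOn)

# 4. Remove it only on request. wusa.exe can uninstall a standalone update by KB
#    number; exit code 3010 means the removal needs a reboot to complete.
if ($Uninstall) {
    $kbNumber = $Kb -replace '^KB', ''
    $p = Start-Process -FilePath wusa.exe `
        -ArgumentList "/uninstall /kb:$kbNumber /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { Write-Host "$Kb removed." }
        3010    { Write-Host "$Kb removed; reboot required." }
        default { Write-Warning "wusa.exe exited with code $($p.ExitCode)" }
    }
}
```

Run it once without -Uninstall to record the dbx counts and the KB state, and again with -Uninstall only on machines that show the "Reset this PC" or installation failures. Because the dbx is a firmware variable rather than a file, uninstalling the KB does not necessarily shrink it; the script reports what the firmware currently enforces, which is the number that matters for whether the vulnerable Rescue Disk loader can still boot.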
Microsoft has pulled the update from Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. KB4524244 is a standalone update so it doesn’t affect the cumulative update for Windows 10 that was rolled out via Windows Update in the first half of February.
While KB4524244 will not be reoffered, Microsoft says that it is working on an improved version of the patch for future release. If KB4524244 was installed on a device and isn’t causing any issues, then it doesn’t need to be removed.
Secure physical access to devices
If the update wasn't installed on your device or has been removed, then you'll have to wait until Microsoft provides an improved version of the fix. Exploiting the vulnerability requires physical access to the computer: the attacker has to boot a vulnerable copy of the Rescue Disk loader, for example from removable media, and Secure Boot will keep accepting that loader until its signature is in the revocation list. Until then you can reduce the risk by setting a firmware (BIOS/UEFI) setup password, disabling boot from USB and other removable media in the firmware settings, and making sure the device is physically secure.