Windows 10 users have yet another update issue to deal with
Hot on the heels of Microsoft advising 800 million Windows 10 users to install a critical update before any other, many of those same users might need to manually tackle a problem with the Windows Update Assistant. The Microsoft Windows 10 Update Assistant (WUA) helps with the downloading and installation of feature updates to your Windows 10 device, including those prompts to update to the latest version of Windows 10. It’s also broken and not how you might think. I’m not talking about it breaking other things but instead it being broken itself, in the security sense.
What’s the security problem with the Windows Update Assistant?
While other Windows updates have broken Windows Defender, the Windows Update Assistant itself has been found to be vulnerable to a local privilege escalation attack that could, under certain circumstances, enable an attacker to run programs with system privileges. The always reliable BleepingComputer reported that the vulnerability was mentioned in a security bulletin as part of the October 2019 Patch Tuesday fixes. The following day, October 9, an updated version of the Windows Update Assistant was released to fix things.
Security researcher Jimmy Bayne told BleepingComputer that the vulnerability was not a very practical one from the exploitation perspective. “It is a very opportunistic situation that has to occur during the update process,” Bayne said, “the most realistic use case presented is an APT type of actor that has a long dwell time in a network…” Even then, those Advanced Persistent Threat (APT) actors could, if they were already in the network, probably find much easier ways to execute their privilege escalation objectives. Symantec, meanwhile, assigns the Microsoft Windows Update Assistant CVE-2019-1378 Local Privilege Escalation Vulnerability a medium rating.
Fixing the Windows Update Assistant
Fixing the issue isn’t as simple as it should be. This isn’t to say that it’s a highly complex process, but instead that it’s going to be too much bother for the average Windows 10 user and so likely to be ignored. Why so? There are two ways to “fix” the issue: uninstall the Windows Update Assistant and wait to be prompted to reinstall it when the next Windows 10 update arrives, or manually download and install the latest version. The most straightforward fix might be to uninstall the Windows Update Assistant. This will remove the vulnerability, and the program will be replaced by the fixed one during the next feature update. Assuming, that is, it was installed in the first place. It comes as part of the KB4023814 update. If so, then you might find it listed in the “Apps & Features” control panel from where it can be uninstalled directly.
Microsoft also suggests some alternative ways of uninstalling the Windows Update Assistant.
You can open a command prompt by typing “cmd” (without the quotes) into Windows search and then run the following command:
Microsoft also said that you could manually delete the following folders, although you might need to kill the UpdateAssistant.exe and Windows10UpgraderApp.exe processes from Task Manager first:
If you want to manually download and install the Windows Update Assistant, then you need to head to this support page. From here, you can go to the May 10, 2019 Windows “1903” Update download which will contain the fixed version.
What do the security experts say?
“Updates, without question, need to be easy,” Jake Moore, cybersecurity specialist at ESET, says, “many people even find a restart too difficult, so manual updates come with a heavy sigh for most.” The command-line option to uninstall is even more unlikely to be taken by the average user. “Procrastination is easily achieved when updates require following an unknown procedure,” Moore says, “especially for those who may find such commands difficult.” Updates need to be simple, fast and effective. “Without one button patches, they will simply have the risk of being forgotten about,” Moore concludes. Ethical Hacker, John Opdenakker, is usually a proponent of patching as soon as possible. However, given that this vulnerability in the Windows 10 Update Assistant is “allegedly hard to exploit,” Opdenakker says, “I think people will be fine by just installing the next round of updates.”