Описание
Windows Setup Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in Windows Setup in the way it handles permissions.
A locally authenticated attacker could run arbitrary code with elevated system privileges. After successfully exploiting the vulnerability, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The security update addresses the vulnerability by ensuring Windows Setup properly handles permissions.
FAQ
There are no security updates listed for the affected versions of Windows. Where does this vulnerability exist?
This vulnerability only exists in the Windows 10 Setup, which runs temporarily any time a customer upgrades from a previous version of Windows 10 to a newer version (for example, from Windows 10 Version 1909 to Windows 10 Version 2004). A device is vulnerable only while upgrading to a newer version of Windows. At any other time, the device is not vulnerable.
How do I know if I'm protected from this vulnerability?
As of this date, all in-support Feature Update bundles have been refreshed with the patched Setup binaries, so this vulnerability no longer exists.
If you are using WSUS or MEM ConfigMgr or another third-party management tool, please sync the latest feature update bundles and approve those for deployment. If you are using Windows media, as applicable to your system, please download the latest refreshed media from VLSC or Visual Studio Subscriptions (formerly MSDN), or download the latest applicable Setup Dynamic Update (DU) package and patch your existing media.
Following is a list of the latest Setup DU packages:
Возможность эксплуатации
Publicly Disclosed
Exploited
Latest Software Release
Older Software Release
DOS
EPSS
7.8 High
CVSS3
Связанные уязвимости
An elevation of privilege vulnerability exists in Windows Setup in the way it handles permissions. A locally authenticated attacker could run arbitrary code with elevated system privileges. After successfully exploiting the vulnerability, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by ensuring Windows Setup properly handles permissions.
An elevation of privilege vulnerability exists in Windows Setup in the way it handles permissions.A locally authenticated attacker could run arbitrary code with elevated system privileges, aka 'Windows Setup Elevation of Privilege Vulnerability'.
Уязвимость службы установки приложений Windows Setup операционной системы Windows, позволяющая нарушителю повысить свои привилегии
EPSS
7.8 High
CVSS3