
Some "fully patched" Windows 10 PCs left exposed for months after Microsoft rolled-back security fixes

Graham Cluley

September 12, 2024


Every month, regular as clockwork on the second Tuesday of the month, Microsoft releases fixes for security vulnerabilities in its products.

It's important that these security holes are patched quickly and safely, before they are exploited by cybercriminals. Some are obviously more urgent to fix than others, as hackers may already be actively exploiting the vulnerabilities in the wild.

That's the case this month - Microsoft has fixed at least 79 security vulnerabilities in its latest bundle of patches, some of which were already being used in attacks.

However, this month has also seen Microsoft fix a critical defect in its code that had effectively "rolled back" earlier fixes for vulnerabilities affecting Optional Components – including, for instance, Internet Explorer 11, Windows Media Player, MSMQ server core – on Windows 10, version 1507 (initially released in July 2015).

The vulnerability in the Windows 10 update system meant that security patches were "undone", leaving some computers vulnerable to attacks from March 2024 until this week.

Users, however, would have been unaware of the risk as Windows would have told them (incorrectly) that it had successfully updated itself and was fully patched.

Thankfully, not all versions of Windows 10 were impacted by the flaw. But that won't be much of a relief for those users whose systems were unknowingly left at risk for multiple months by Microsoft's bug.

Microsoft has published more details of the critical vulnerability (named CVE-2024-43491) alongside a list of specific versions of Windows 10 and components that are vulnerable, and an FAQ on what affected users can do to restore the fixes that the vulnerability rolled back.
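The check a practitioner would want at this point, added here as an example that is not part of the article or of Microsoft's own guidance: a PowerShell inventory script that flags Windows 10 hosts matching the scenario above, i.e. version 1507 machines that use one of the affected Optional Components and have not yet received the corrective updates. It assumes that Windows 10 version 1507 corresponds to OS build 10240, that the DISM feature names used below are the ones `Get-WindowsOptionalFeature -Online` reports for those components on that build, and that the KB ids Microsoft's FAQ tells you to reinstall are filled in by you; the article does not list them, so they appear as placeholders.

```powershell
# Added example (not from the article or from Microsoft): inventory check for the
# CVE-2024-43491 rollback scenario. Run as Administrator on the host to check,
# or wrap Get-RollbackExposure in Invoke-Command for fleet-wide use.
#
# Assumptions (not stated in the article; verify for your environment):
#  - Windows 10 version 1507 is OS build 10240.
#  - The feature names below are what Get-WindowsOptionalFeature -Online reports
#    for the affected Optional Components on this build.
#  - $RequiredUpdates holds the KB ids Microsoft's FAQ says to (re)install;
#    the article does not list them, so they are placeholders here.

$RequiredUpdates = @('KB<SSU-PLACEHOLDER>', 'KB<LCU-PLACEHOLDER>')

$AffectedFeatures = @(
    'Internet-Explorer-Optional-amd64',  # Internet Explorer 11
    'WindowsMediaPlayer',                # Windows Media Player
    'MSMQ-Server'                        # MSMQ server core
)

function Get-RollbackExposure {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $result = [ordered]@{
        Computer        = $env:COMPUTERNAME
        Product         = $cv.ProductName
        ReleaseId       = $cv.ReleaseId
        Build           = "$($cv.CurrentBuild).$($cv.UBR)"
        Is1507          = ($build -eq 10240)
        EnabledFeatures = @()
        MissingUpdates  = @()
        Exposed         = $false
    }

    if (-not $result.Is1507) {
        # Other Windows 10 versions were not affected by this rollback.
        return [pscustomobject]$result
    }

    # Which of the affected Optional Components are actually enabled here?
    foreach ($name in $AffectedFeatures) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        if ($f -and $f.State -eq 'Enabled') { $result.EnabledFeatures += $name }
    }

    # Have the corrective servicing stack update and cumulative update landed?
    $installed = (Get-HotFix).HotFixID
    foreach ($kb in $RequiredUpdates) {
        if ($installed -notcontains $kb) { $result.MissingUpdates += $kb }
    }

    # Exposed = a 1507 host that uses an affected component and still lacks the fix.
    $result.Exposed = ($result.EnabledFeatures.Count -gt 0) -and ($result.MissingUpdates.Count -gt 0)
    return [pscustomobject]$result
}

Get-RollbackExposure | Format-List
```

Two caveats on the design: `Get-HotFix` reads `Win32_QuickFixEngineering`, which lists most but not every update package, so cross-check a "missing" result against `Get-WindowsPackage -Online` before acting on it; and because the whole point of this incident is that Windows Update reported success while the component binaries were stale, treat this script as a triage filter and follow Microsoft's FAQ for the authoritative test and the reinstall steps.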

Although some of the vulnerabilities "unpatched" by Microsoft's accidental rollback were known to have been exploited in the wild, Microsoft says that it discovered the issue with its updates itself and that it has not seen any evidence that the CVE-2024-43491 flaw was publicly known.

Although it's clearly far from a good thing for an update to actually roll back the security of a computer system without its owners' knowledge or consent, it's important to recognise that incidents like this are newsworthy because they are relatively rare. It continues to be the case that it is generally a very good idea to keep IT systems updated with the latest security patches as soon as possible.

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
