Microsoft fixes elevation of privileges security vulnerability in Windows Setup
Unbeknownst to Windows 10 users until now, a security vulnerability existed in Windows Setup, the process with runs when installing Feature Updates for the operating system.
The vulnerability (CVE-2020-16908) made it possible for a locally authenticated attacker to run arbitrary code with elevated system privileges. This flaw could be exploited to install software, create new user accounts, or interfere with data.
The vulnerability was found in the way Windows Setup handles directories, and Microsoft says that it affects version 1803, 1809, 1903, 1909 and 2004 of Windows 10. The company assures users that systems are only vulnerable to attack during the process of upgrading to a new Feature Update, and at no other time. Now that Feature Update bundles have been refreshed with the patched Setup binaries, however, the vulnerability "no longer exists".