Table of Contents
Is Your Windows PC at Risk from the KB4023057 Update Glitch?
A critical vulnerability recently surfaced in Microsoft’s Update Health Tools, distributed as update KB4023057. This component, designed to ensure Windows updates run smoothly, contained a flaw in Version 1.0 that permitted Remote Code Execution (RCE). Security researchers at Eye Security identified that the tool retrieved configurations from unsecured cloud storage locations. Microsoft has since released Version 1.1 to rectify this issue. Administrators and users must verify their systems are running the latest version to mitigate potential risks.
Function of Microsoft Update Health Tools
Microsoft distributes these tools to consumer and commercial systems to repair Windows Update components. For enterprise environments using Microsoft Intune or Windows Update for Business (WUfB), this service is vital. It accelerates the delivery of security patches and manages feature updates. The software typically installs automatically when a device connects to Windows Update services. If the tools are missing, users can manually download them from the Microsoft Download Center.
The Vulnerability Mechanics
The security flaw originated from how Version 1.0 handled external connections. The service, specifically uhssvc.exe, attempted to download configuration files from Azure Blob storage accounts using a predictable naming pattern (payloadprod0 through payloadprod15).
The oversight was procedural: Microsoft failed to register ten of these fifteen storage accounts.
Because these accounts were “orphaned,” any third party could register them. Researchers demonstrated that an attacker could claim these storage names and upload malicious JSON payloads. When the Update Health Tools on a victim’s machine queried these now-compromised accounts, the software would download and process the attacker’s instructions.
Potential Impact and Exploitation
This vulnerability posed a significant threat to enterprise security. The uhssvc.exe process runs with high privileges. By controlling the configuration file, an attacker could force the service to execute arbitrary commands.
- The Attack Vector: Attackers could reference legitimate, signed Windows executables (such as explorer.exe) within the malicious JSON.
- The Reach: During a seven-day observation period, researchers logged over 544,000 HTTP requests from nearly 10,000 distinct Azure tenants worldwide. This indicates that a vast number of devices were actively querying these insecure endpoints.
Remediation and Current Status
Microsoft responded to the disclosure by releasing Version 1.1 of the Update Health Tools. This update fundamentally changes how the software retrieves instructions. Instead of polling predictable Azure Blob accounts, Version 1.1 connects to a dedicated web service hosted at devicelistenerprod.microsoft.com.
Timeline of Events:
- July 7, 2025: Eye Security reported the vulnerability to Microsoft.
- July 17, 2025: Microsoft confirmed the issue.
- November 20, 2025: Full details were published regarding the attack vector.
Action Required
System administrators should audit their environments immediately. Ensure that the Microsoft Update Health Tools installation is updated to Version 1.1 or later. While the new version fixes the primary flaw, legacy configurations or backward compatibility settings should be reviewed to prevent any residual exposure.