September 2024 Patch Tuesday is here and Microsoft has delivered 79 fixes, including those for a handful of zero-days (CVE-2024-38217, CVE-2024-38226, CVE-2024-38014, CVE-2024-43461) exploited by attackers in the wild, and a Windows 10 code defect (CVE-2024-43491) that rolled back earlier CVE fixes.
The actively exploited flaws
Let’s start with the only one that was previously publicly known: CVE-2024-38217, a vulnerability that allows attackers to bypass Mark of the Web (MotW).
Elastic Security researcher Joe Desimone reported the vulnerability being exploited by attackers for years by crafting Windows shortcut files (.LNK) with non-standard target paths or internal structures.
Such a file would force Windows to “rewrite” it and remove the MotW metadata, resulting in – according to Microsoft – a limited loss of integrity and availability of security features such as SmartScreen Application Reputation security check and/or the legacy Windows Attachment Services security prompt.”
Next we have CVE-2024-38226, another vulnerability that allows attackers to bypass a security feature. This vulnerability affects Microsoft Publisher, a standalone application that’s also included in some versions of Microsoft Office.
“The attack itself is carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer,” Microsoft explained in the associated advisory.
Obviously, someone managed to do it, and thus bypass Office macro policies to execute malicious code on the targeted machine(s). Unfortunately, Microsoft did not share who reported the flaw, so we can’t even speculate about the nature of the attack this vulnerability has been used in.
Another exploited zero-day Microsoft fixed this time around is CVE-2024-38014, a vulnerability in Windows Installer that may allow authenticated attackers to elevate their privileges to SYSTEM.
“Interestingly, Microsoft states that no user interaction is required for this bug, so the actual mechanics of the exploit may be odd. Still, privilege escalations like this are typically paired with a code execution bug to take over a system. Test and deploy this fix quickly,” advises Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative.
Satnam Narang, senior staff research engineer at Tenable, pointed out that because elevation of privilege vulnerabilities are related to post-compromise activity, they may not receive as much attention as remote code execution bugs.
“But, they are highly valuable to attackers as they are able to inflict more damage or compromise more data, and it is important for organizations to ensure they patch these flaws to cut off attack paths and prevent future compromise,” he added.
CVE-2024-43461, a Windows MSHTML Platform spoofing vulnerability, is not currently described as being exploited in the wild, though Childs says it should.
“This bug is similar to the vulnerability we reported and was patched back in July. The ZDI Threat Hunting team discovered this exploit in the wild and reported it to Microsoft back in June. It appears threat actors quickly bypassed the previous patch,” he noted.
“When we told Microsoft about the bug, we indicated it was being actively used. We’re not sure why they don’t list it as being under active attack, but you should treat it as though it were, especially since it affects all supported versions of Windows.”
Other vulnerabilities of note
CVE-2024-43491 is an interesting vulnerability that has effectively rolled back the fixes for some vulnerabilities affecting Optional Components – e.g., Internet Explorer 11, Windows Media Player, MSMQ server core, etc. – on Windows 10, version 1507.
“This specific vulnerability impacted the Windows update system in a way that security patches for some components were rolled back to a vulnerable state and will have remained in a vulnerable state since March 2024,” Kevin Breen, Senior Director Threat Research at Immersive Labs, told Help Net Security.
“Some of these components were known to be exploited in the wild in the past, meaning attackers could still exploit them despite Windows update saying it is fully patched.”
But, according to Microsoft, no exploitation of CVE-2024-43491 itself has been detected. “In addition, the Windows product team at Microsoft discovered this issue, and we have seen no evidence that it is publicly known.”
The other good news is that only a small share of Windows 10 systems is affected. Users / admins should check the advisory to see whether their machine(s) are affected and install “the September 2024 Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order.”
Among the patched vulnerabilities Microsoft deems more likely to be exploited are four vulnerabilities in Microsoft Sharepoint (CVE-2024-38018, CVE-2024-38227, CVE-2024-38228, CVE-2024-43464) that could be exploited to achieve remote code execution on the SharePoint Server. All four require the attacker to be authenticated to begin exploitation, but SharePoint admins would do well to implement fixes for those.