The second Tuesday of September has once again proven to be a significant date for cybersecurity with Microsoft’s latest Patch Tuesday update. This month’s release is dominated by a daunting array of vulnerabilities, including four zero-day flaws.
The September 2024 Patch Tuesday addresses a total of 79 vulnerabilities. Four of them are zero-days: three (CVE-2024-38014, CVE-2024-38217 and CVE-2024-38226) were exploited in the wild before a fix was available, and one of those, CVE-2024-38217, had also been publicly disclosed before the patch. The fourth, CVE-2024-43491, is a servicing-stack regression that reintroduced previously patched, and in some cases previously exploited, flaws.
Two of the zero-days are security feature bypasses: CVE-2024-38226 in Microsoft Publisher (shipped with some Microsoft Office editions) and CVE-2024-38217 in Windows Mark of the Web. Both were exploited in the wild, and because both undermine the controls that keep an untrusted document from running macros or code, they belong at the top of the remediation list.
Microsoft September 2024 Patch Tuesday: Critical Vulnerabilities and Zero-Day Exploits
Among the list of vulnerabilities, CVE-2024-43491, a remote code execution (RCE) vulnerability in the Windows Servicing Stack, stands out with a CVSSv3.1 base score of 9.8. It affects only Windows 10, version 1507, specifically Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB; later Windows 10 builds are not affected.
The flaw is a regression rather than a new bug: on 1507 devices that installed the Windows security updates released between March and August 2024, the servicing stack rolled back fixes for some Optional Components (such as Internet Explorer 11 and ActiveX) to their original state, reintroducing vulnerabilities that had already been patched, some of which had been exploited. That is why Microsoft lists the CVE as exploited even though it has not observed exploitation of the regression itself; the 9.8 score reflects the network-reachable, no-privileges-required bugs that came back. The issue was found internally by Microsoft. Remediation is a two-step process and the order matters: install the September 2024 Servicing Stack Update first, then the September 2024 Windows security update. Installing the cumulative update alone does not undo the rollback.
“CVE-2024-38226 is a flaw in Microsoft Publisher, a standalone application that is also included in some versions of Microsoft Office,” said Satnam Narang, senior staff research engineer at Tenable. “CVE-2024-38217 is a vulnerability in Mark of the Web, an important security feature in Microsoft Windows that flags or blocks content from files downloaded from the internet. Exploitation of both CVE-2024-38226 and CVE-2024-38217 can lead to the bypass of important security features that block Microsoft Office macros from running.”
CVE-2024-38217, the technique publicly known as “LNK stomping,” is a security feature bypass of the Mark of the Web (MotW). A crafted .lnk shortcut whose target path is written in a non-standard form (for example with a trailing dot or a relative path) is rewritten by explorer.exe into canonical form when the user opens it, and the rewritten file is saved without the Zone.Identifier alternate data stream that carries the mark. With the mark gone, SmartScreen and the Windows Attachment Services prompt are never triggered and the shortcut’s target runs without a warning. The technique was publicly disclosed by Elastic Security Labs before the patch, with proof-of-concept code on GitHub, and samples abusing it have been found dating back to 2018, so this is a long-exploited weakness rather than a new one.
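The check an administrator or incident responder wants after reading the above is whether shortcuts that arrived by download still carry their mark. The PowerShell below is an added example, not code from the original article or from the researchers who disclosed the bug. It reads the Zone.Identifier alternate data stream that MotW lives in, builds a throwaway shortcut tagged as Internet zone (the file name, target and HostUrl are constructed for the demo), and then audits a folder (the Downloads folder by default; the `-Folder` parameter and the function names are this script’s own) for .lnk files with no mark or a zone below Internet, which is exactly what a stomped LNK looks like on disk.

```powershell
# Added example (not from the original article): audit downloaded files for the
# Mark of the Web that CVE-2024-38217 "LNK stomping" strips. The Zone.Identifier
# alternate data stream is what SmartScreen and Attachment Services consult.
# Assumptions: -Folder defaults to the current user's Downloads folder; the demo
# shortcut name, target and HostUrl below are constructed for this example.

param(
    [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads')
)

function Get-MotwZone {
    # Returns the ZoneId from the Zone.Identifier stream, or $null when the
    # stream is absent (the file carries no Mark of the Web at all).
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    if ($text -match '(?m)^ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    return $null
}

function Set-MotwInternetZone {
    # Tags a file as downloaded from the Internet (ZoneId=3), the same stream a
    # browser writes. Used here only to build a known-good test file.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$HostUrl = 'https://example.invalid/demo.lnk'   # constructed value
    )
    $body = "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=$HostUrl`r`n"
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $body -NoNewline
}

# Build a throwaway shortcut so the audit has a known-good file to compare against.
$demoLnk = Join-Path $env:TEMP 'motw-demo.lnk'
$shell   = New-Object -ComObject WScript.Shell
$sc      = $shell.CreateShortcut($demoLnk)
$sc.TargetPath = "$env:SystemRoot\System32\notepad.exe"
$sc.Save()
Set-MotwInternetZone -Path $demoLnk
"Demo shortcut zone: $(Get-MotwZone -Path $demoLnk)"   # 3 = Internet zone

# Audit: a .lnk that arrived by download but has no Zone.Identifier (or a ZoneId
# below 3) will never trigger SmartScreen; after LNK stomping the rewritten file
# looks exactly like this, so such files deserve a second look.
Get-ChildItem -LiteralPath $Folder -Filter *.lnk -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $zone = Get-MotwZone -Path $_.FullName
        [pscustomobject]@{
            File     = $_.Name
            ZoneId   = $zone
            Modified = $_.LastWriteTime
            Review   = ($null -eq $zone -or $zone -lt 3)
        }
    } | Sort-Object Review -Descending | Format-Table -AutoSize

Remove-Item -LiteralPath $demoLnk -ErrorAction SilentlyContinue
```

A missing stream is not proof of compromise (files saved by some applications never get a mark), but a shortcut in a download folder with no mark and a recent modification time is the artifact a stomping attack leaves behind, and the same `Get-Content -Stream Zone.Identifier` read is how to confirm that an unblock or rewrite happened.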
With a CVSSv3.1 score of 7.8, CVE-2024-38014 is an Important-rated elevation of privilege vulnerability in Windows Installer. Successful exploitation yields code execution as SYSTEM, which makes it attractive to malware authors given its low attack complexity and low privilege requirement. The flaw affects all supported versions of Windows, and Microsoft also lists Windows Server 2008, which is past its regular end of support.
“CVE-2024-38014 is part of post-compromise activity, whereby an attacker has obtained access to a target system and will exploit these types of vulnerabilities in order to elevate privileges,” noted Narang. “Flaws like CVE-2024-38014 are highly valuable to attackers as they enable further compromise, so it is crucial for organizations to patch these flaws to cut off attack paths and prevent future compromise.”
CVE-2024-38226, the local security feature bypass in Microsoft Publisher, lets an attacker evade the Office macro policies that block untrusted or malicious files. Exploitation requires user interaction (the victim opens a malicious file) and is scored as a local, low-privilege attack, so it is a phishing or post-compromise enabler rather than a remote attack. Microsoft has not published technical details, but the flaw is a reminder that macro policy and Mark of the Web settings are what stand between a phished document and code execution.
Critical RCE Vulnerabilities and Other Updates
In addition to the zero-day fixes, September 2024 Patch Tuesday addresses six Critical-rated vulnerabilities, most of them remote code execution (RCE) flaws. Among them:
- CVE-2024-38018: Microsoft SharePoint Server RCE
- CVE-2024-43464: SharePoint Server RCE
- CVE-2024-38119: Windows NAT RCE
CVE-2024-38018 and CVE-2024-43464 are both SharePoint Server RCEs, but neither is unauthenticated: CVE-2024-38018 requires an attacker with Site Member permissions, and CVE-2024-43464 requires Site Owner permissions to upload a crafted file and then trigger deserialization of untrusted data through SharePoint API requests. Both are rated Critical because of their impact and likelihood of exploitation, and SharePoint deserialization bugs have a track record of being chained from a low-privilege account, so they deserve priority on internet-facing farms.
CVE-2024-38119 is a Critical RCE in Windows Network Address Translation (NAT). Its attack complexity is rated high because the attacker must already be on an adjacent network segment, which makes it a lateral-movement tool rather than a remote initial-access vector. Notably, Windows Server 2012 and 2012 R2 did not receive a patch for this vulnerability, a curious gap given its severity.
For Windows clients, the September 2024 Patch Tuesday updates include:
- KB5043076: Windows 11 versions 23H2/22H2
- KB5043067: Windows 11 version 21H2
- KB5043064: Windows 10 versions 22H2/21H2
- KB5043050: Windows 10 version 1809
These updates primarily consist of minor patches and security fixes, rather than new features.
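To turn the list above into a check, the following PowerShell (an added example, not part of the original article) maps the local OS build to the KB listed for it and asks Get-HotFix whether that update is present. The build numbers are the standard release builds for each Windows version; the hash table, function names and the handling of the 1507 LTSB case are this example’s own. Build 10240 (Windows 10, version 1507) has no entry in the article’s client list, so for that build the script only reminds the operator of the two-step order the CVE-2024-43491 fix requires.

```powershell
# Added example (not from the original article): report whether the September
# 2024 cumulative update listed for this machine's Windows build is installed.
# Assumptions: the build-to-KB table below pairs the article's KB numbers with
# Microsoft's release build numbers; names and output shape are this script's own.

$expectedKb = @{
    22631 = 'KB5043076'   # Windows 11, version 23H2
    22621 = 'KB5043076'   # Windows 11, version 22H2
    22000 = 'KB5043067'   # Windows 11, version 21H2
    19045 = 'KB5043064'   # Windows 10, version 22H2
    19044 = 'KB5043064'   # Windows 10, version 21H2
    17763 = 'KB5043050'   # Windows 10, version 1809
}

function Get-LocalBuild {
    # CurrentBuild plus UBR identifies the exact cumulative update level
    # (e.g. 19045.4894); the major OS version alone does not.
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build = [int]$nt.CurrentBuild
        Ubr   = [int]$nt.UBR
        Name  = $nt.ProductName
    }
}

function Test-SeptemberUpdate {
    param([Parameter(Mandatory)][int]$Build)

    if ($Build -eq 10240) {
        # Windows 10 1507 LTSB: CVE-2024-43491 needs the September 2024 SSU
        # installed before the September 2024 security update, in that order.
        return [pscustomobject]@{
            Build      = $Build
            ExpectedKb = '(Windows 10 1507 LTSB: install SSU first, then the cumulative update)'
            Installed  = $null
        }
    }
    if (-not $expectedKb.ContainsKey($Build)) {
        return [pscustomobject]@{ Build = $Build; ExpectedKb = '(build not in list)'; Installed = $null }
    }

    $kb = $expectedKb[$Build]
    # Get-HotFix reads Win32_QuickFixEngineering; the cumulative update shows up
    # once it has been installed and the machine rebooted.
    $hit = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Build       = $Build
        ExpectedKb  = $kb
        Installed   = [bool]$hit
        InstalledOn = $hit.InstalledOn
    }
}

$local = Get-LocalBuild
"$($local.Name) build $($local.Build).$($local.Ubr)"
Test-SeptemberUpdate -Build $local.Build | Format-List
```

Run it from an elevated prompt on each host, or wrap the two functions in `Invoke-Command` for a fleet; a result of `Installed = False` on a build that is in the table is the machine still exposed to this month’s fixes, and a pending reboot will show the same until the update is finalized.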
Why Microsoft Patch Tuesday is Important
Patch Tuesday refers to Microsoft’s regular schedule for releasing software updates on the second Tuesday of each month. These updates are crucial for addressing security vulnerabilities and ensuring system stability. By adhering to this schedule, IT administrators can plan updates efficiently, minimizing downtime and maintaining system security.
Patches released on Patch Tuesday help protect against potential cyber threats by fixing known vulnerabilities. Regular application of these updates is essential for safeguarding systems, maintaining compliance with security standards, and ensuring optimal performance.
On the servicing-stack regression, “Microsoft also fixed CVE-2024-43491, a vulnerability in its Servicing Stack that led to the rollback of fixes for specific versions of Windows 10 affecting some Optional Components,” Narang pointed out. “Exploitation of this flaw appears to be tied to previously known vulnerabilities that were reintroduced due to the rollback. Users need to apply both the September 2024 Servicing Stack Update and the September 2024 Windows Security Updates to correct this issue.”
The September 2024 Patch Tuesday update highlights the ongoing efforts by Microsoft to address critical security issues and protect users from emerging threats. With four zero-day vulnerabilities and six critical issues patched, organizations and individuals must apply these updates promptly to secure their systems against potential exploits.
