Microsoft has issued four remote code vulnerabilities fixes in the September 2024 Patch Tuesday update, which it has marked as critical, meaning exploits are in the wild.
It has also issued three critical patches for elevation of privileges security vulnerabilities.
Along with all current operating system releases, Microsoft has said it has needed to provide patches for Windows 11 version 24H2, due to be ready later this year. It said that people buying new CoPilot+ PCs will need to apply the Patch Tuesday fixes to ensure their device remains fully protected.
Among the elevated privileges bugs is CVE-2024-38014, which affects Windows Installer, a component of the Windows operating system that allows users to install and uninstall software. The flaw means an attacker could gain system privileges on successful exploitation of the vulnerability and effectively take control of the machine.
Another critical Windows flaw, CVE-2024-43491, affects Windows Update functionality. According to security firm Qualys, this stack vulnerability allows an attacker to perform remote code execution.
Although this is a known vulnerability, Microsoft said it has previously rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015).
Qualys said this means an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on 12 March or other updates released until August. The vulnerability does not impact later versions of Windows 10.
Another critical patch (CVE-2024-38018) for a remote code vulnerability affects Microsoft Sharepoint server. Microsoft has said SharePoint admins may experience certain issues that will require extra workarounds after the patch is applied.
On SharePoint Enterprise Server 2016, Microsoft said it has included OneDrive for Business modern user experience, but this functionality is only available to its Software Assurance customers. This means those without Software Assurance will need to turn off the new OneDrive for Business functionality to comply with Microsoft’s licensing.
The Windows Network Address Translation (NAT) system (CVE-2024-38119) also has a remote code vulnerability. According to Qualys, an attacker needs access to the network to launch a successful exploit.
Among the critical privilege elevation flaws is two that impact Azure Stack Hub (CVE-2024-38216 and CVE-2024-38220), a part of the Azure Stack portfolio that enables users to run apps in an on-premise environment and deliver Azure services in their own datacentres. Successful exploitation of this security hole could enable an attacker to gain unauthorised access to system resources. The vulnerability may also allow an attacker to perform actions with the same privileges as the compromised process, Qualys said.
Another Azure bug affects Azure Web Apps, which enables users to host web applications in various programming languages such as .NET, Java, Node.js, Python and PHP. Qualys said an authenticated attacker may exploit an improper authorisation vulnerability in Azure Web Apps to elevate privileges over a network.
The US Cyber Security and Infrastructure Security Agency has requested that users patch all Windows vulnerabilities in the update categories as “critical” before 1 October 2024.