In September 2024 [1] [3] [4] [6], Microsoft released a Patch Tuesday update with 79 fixes, including patches for zero-day vulnerabilities actively exploited by attackers.

Description

Among these vulnerabilities [2] [5] [8] [10]:

CVE-2024-43491 targeted a 10-year-old version of Windows [11], allowing remote code execution, with a CVSS score of 9.8. Microsoft had rolled back fixes for vulnerabilities affecting Optional Components on Windows 10 [7], version 1507 [4] [6] [7], allowing exploitation of previously mitigated vulnerabilities [7]. These vulnerabilities were addressed in the September 2024 Servicing Stack Update together with the September 2024 Windows security update [4], so both must be installed promptly to prevent potential attacks. No exploitation of CVE-2024-43491 has been detected [7], and Microsoft has not seen evidence that it is publicly known [7].

CVE-2024-38014 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] was an elevation-of-privilege vulnerability in Windows Installer [1] [5] [8] with a CVSS score of 7.8 [8], granting attackers system access [11]; it was actively exploited [1].

CVE-2024-38217 was a security feature bypass vulnerability in Windows Mark of the Web (MotW) with a CVSS score of 5.4, tricking users into downloading malicious files from a server [11]. The flaw allows specially crafted LNK files to execute commands without the usual MotW warning [9]. It is another zero-day affecting Office [1], with exploit code available on GitHub [1], and has been exploited since 2018, roughly six years [9].

CVE-2024-38226 was a security feature bypass zero-day in Microsoft Publisher [1] [4] with a CVSS score of 7.3, overriding macro settings [11] and allowing attackers to bypass security features [1] [5].

Exploitation of CVE-2024-38226 and CVE-2024-38217 can bypass the security features that block Microsoft Office macros [6] [7]. Taken together, the vulnerabilities fixed in this Patch Tuesday include remote code execution and elevation-of-privilege flaws [9].

Separately, [9] notes that security training for developers varies from monthly to annually, with some developers receiving no formal training at all.
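Because CVE-2024-38217 and CVE-2024-38226 both hinge on the Mark of the Web, a defender's first question is whether downloaded LNK and Office files on a machine actually carry it. Windows records the mark in the Zone.Identifier alternate data stream (ZoneId=3 means the file came from the Internet zone). The PowerShell function below is an added example, not code from the original article, from Microsoft, or from any of the cited sources: it walks a folder, reports whether each file has the stream and which ZoneId it holds, and flags files with risky extensions that lack the mark entirely, since those are the ones SmartScreen and Office Protected View would not warn about. The function name, its parameters and the extension list are assumptions chosen for this example.

```powershell
# Added example (not from the article or Microsoft): audit files for the Mark of the Web.
# Windows stores the mark as the 'Zone.Identifier' alternate data stream on NTFS.
# $Folder and $WatchExtensions are assumed parameters for this example.
function Get-MotwAudit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Folder,
        # File types the article's bypasses target: shortcuts and macro-capable Office files.
        [string[]]$WatchExtensions = @('.lnk', '.docm', '.xlsm', '.pptm', '.pub')
    )

    Get-ChildItem -Path $Folder -File -Recurse | ForEach-Object {
        $file   = $_
        $zoneId = $null

        # Get-Item -Stream returns nothing (no error) when the stream is absent.
        $stream = Get-Item -Path $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if ($stream) {
            $content = Get-Content -Path $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            $line    = $content | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
            if ($line) { $zoneId = [int]($line -replace '^ZoneId=', '') }
        }

        $ext = $file.Extension.ToLower()
        [pscustomobject]@{
            Path      = $file.FullName
            Extension = $ext
            HasMotw   = [bool]$stream
            ZoneId    = $zoneId
            # True when a watched file type has no mark: it would open with no MotW warning.
            Flag      = ($WatchExtensions -contains $ext) -and (-not $stream)
        }
    }
}

# Usage: list flagged files in the current user's Downloads folder.
Get-MotwAudit -Folder "$env:USERPROFILE\Downloads" | Where-Object Flag | Format-Table -AutoSize
```

A file that lacks the stream is not proof of a bypass; files copied from removable media or extracted by some archivers never receive the mark, and any file that was already marked can lose it through a "Unblock" action. The audit is useful for spotting LNK and macro-enabled documents that arrived without protection, which is exactly the condition the two bypasses above produce, and for confirming after patching that newly downloaded files are marked as expected.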

Conclusion

Immediate patching is necessary to prevent potential attacks from the vulnerabilities addressed in the September 2024 Patch Tuesday update. Security training for developers should be prioritized to mitigate future vulnerabilities. The availability of exploit code for some vulnerabilities highlights the importance of proactive security measures.

References

[1] https://krebsonsecurity.com/2024/09/bug-left-some-windows-pcs-dangerously-unpatched/
[2] https://www.tomsguide.com/computing/online-security/windows-security-alert-79-flaws-including-4-actively-exploited-zero-days-leave-users-exposed
[3] https://www.helpnetsecurity.com/2024/09/10/cve-2024-38217-cve-2024-43491/
[4] https://www.techrepublic.com/article/patch-tuesday-september-24/
[5] https://www.darkreading.com/application-security/microsoft-discloses-4-zero-days-in-september-update
[6] https://zerosecurity.org/2024/09/microsoft-addresses-critical-zero-day-vulnerabilities-cve-2024-43491/
[7] https://thehackernews.com/2024/09/microsoft-issues-patches-for-79-flaws.html
[8] https://www.infosecurity-magazine.com/news/microsoft-fixes-four-actively/
[9] https://securityboulevard.com/2024/09/patch-tuesday-september-2024-richixbw/
[10] https://blog.talosintelligence.com/microsoft-patch-tuesday-september-2024/
[11] https://redmondmag.com/Articles/2024/09/10/Microsoft-Sept-Nearly-80-Patches.aspx