September 2024 Patch Tuesday: Microsoft Addresses 4 Actively Exploited Zero-Days
Microsoft rolled out fixes for 79 vulnerabilities, 4 of which have been categorized as zero-day. Seven bugs are rated critical, 71 are rated important, and one is rated moderate. Here’s what you need to know.
To many IT professionals, the second Tuesday of the month is known as Patch Tuesday because Microsoft releases its monthly security update. This week, the company addressed and released fixes for 79 vulnerabilities. Four of them are zero-days already exploited in the wild, one of which had also been publicly disclosed before the fix.
The September Patch Tuesday release is slightly smaller than last month’s update, which identified 90 vulnerabilities. This month’s update addresses mainly elevation of privilege (38%) and remote code execution (29%) vulnerabilities.
September 2024 Patch Tuesday Zero-Day Vulnerabilities
Actively Exploited
- CVE-2024-38014 is an elevation of privilege vulnerability in Windows Installer that could allow a local attacker to gain SYSTEM privileges. It ranks high in severity with a CVSS score of 7.8.
- CVE-2024-38217 is a security feature bypass in Windows Mark of the Web (MotW), the Zone.Identifier tag Windows attaches to files downloaded from the Internet, that lets an attacker evade the defenses keyed off that tag. A victim opening a crafted file may not see the usual security warning or the option to enable macros. It ranks medium in severity with a CVSS score of 5.4. The vulnerability was publicly disclosed before the fix and may have been exploited in the wild since 2018.
- CVE-2024-38226 is a security feature bypass that lets an attacker evade the macro policies of Microsoft Publisher, which normally block untrusted macros. The victim must first download and open a malicious Publisher file for an attack to succeed. It ranks high in severity with a CVSS score of 7.3.
- CVE-2024-43491 is a critical remote code execution vulnerability in Windows Update with a CVSS score of 9.8. A defect in the servicing stack for Windows 10 version 1507 (Enterprise 2015 LTSB and IoT Enterprise 2015 LTSB) silently rolled back fixes for previously patched vulnerabilities in optional components, leaving those hosts exposed to bugs they were believed to be patched against. Customers who apply updates manually must install both the servicing stack update (KB5043936) and the September security update (KB5043083), servicing stack update first, to restore the rolled-back fixes.
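Because CVE-2024-38217 is about files that arrive without a usable Mark of the Web, a practical triage step is to audit what MotW state the files in a download folder actually carry. The script below is an added example, not code from the original article or from Microsoft; it assumes an NTFS volume, Windows PowerShell 5.1 or later, and defaults to the current user's Downloads folder. The list of "risky" extensions and the status labels are the example's own choices.

```powershell
# Added example, not code from the original article: audit Mark of the Web (MotW) on
# files in a download folder. MotW is the Zone.Identifier alternate data stream that
# Windows attaches to files saved from the Internet; SmartScreen and Office Protected View
# key off its ZoneId value. A network-sourced file with no stream, or a ZoneId below 3,
# will not trigger those warnings, which is what a MotW bypass leaves behind.
# Assumptions: NTFS volume, Windows PowerShell 5.1 or later; the folder defaults to the
# current user's Downloads.
param(
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

# URL security zones as recorded in the stream (ZoneId=3 is the one that triggers MotW defenses).
$zoneNames = @{ 0 = 'MyComputer'; 1 = 'LocalIntranet'; 2 = 'TrustedSites'; 3 = 'Internet'; 4 = 'RestrictedSites' }

# File types commonly used to carry payloads past MotW; flagged for review when untagged.
# This list is an assumption of the example, not an official set.
$riskyExt = @('.lnk', '.url', '.iso', '.img', '.vhd', '.vhdx', '.js', '.vbs', '.hta',
              '.ps1', '.exe', '.dll', '.docm', '.xlsm', '.pptm', '.pub')

function Get-MotwStatus {
    param([System.IO.FileInfo]$File)

    $zoneId = $null; $hostUrl = $null; $referrerUrl = $null
    try {
        # -Stream reads the alternate data stream; with -ErrorAction Stop a missing stream
        # becomes a terminating error and lands in the catch block below.
        $lines = Get-Content -LiteralPath $File.FullName -Stream 'Zone.Identifier' -ErrorAction Stop
        foreach ($line in $lines) {
            if     ($line -match '^ZoneId=(\d+)')      { $zoneId      = [int]$Matches[1] }
            elseif ($line -match '^HostUrl=(.+)$')     { $hostUrl     = $Matches[1] }
            elseif ($line -match '^ReferrerUrl=(.+)$') { $referrerUrl = $Matches[1] }
        }
        if ($zoneId -ge 3) { $status = 'Tagged' } else { $status = 'WeakZone' }
    } catch {
        # No Zone.Identifier stream at all: either the file never came from the network,
        # or something stripped or bypassed the tag.
        $status = 'Untagged'
    }

    if ($status -ne 'Tagged' -and $riskyExt -contains $File.Extension.ToLowerInvariant()) {
        $status = "$status-REVIEW"
    }

    $zoneName = $null
    if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneName = $zoneNames[$zoneId] }

    [pscustomobject]@{
        File        = $File.FullName
        Modified    = $File.LastWriteTime
        Status      = $status
        ZoneId      = $zoneId
        Zone        = $zoneName
        HostUrl     = $hostUrl
        ReferrerUrl = $referrerUrl
    }
}

Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MotwStatus -File $_ } |
    Sort-Object Status, Modified -Descending |
    Format-Table File, Modified, Status, Zone, HostUrl -AutoSize
```

Save it as a .ps1 and run it with -Path pointing at the folder to audit. Treat an Untagged or WeakZone result as a lead rather than a verdict: files copied from removable media, extracted by archivers that do not propagate the stream, or saved by tools that never set it are legitimately untagged, so the HostUrl and timestamp columns are there to help decide which ones deserve a closer look.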
September 2024 Patch Tuesday Critical Vulnerabilities
The September 2024 Patch Tuesday update contains seven critical vulnerabilities, one of which, CVE-2024-43491, is a zero-day covered above. Microsoft recommends that users immediately apply updates for critical vulnerabilities. The September critical vulnerabilities affect Azure Stack Hub, Azure Web Apps, Microsoft Office SharePoint, Windows Network Address Translation (NAT), and Windows Update.
Azure Stack Hub
CVE-2024-38216
CVE-2024-38220
Exploit: Both are elevation of privilege vulnerabilities. An attacker could gain unauthorized access to system resources and perform actions with the same privileges as the compromised process. If those privileges are high enough, the attacker may be able to move laterally and compromise additional resources.
Azure Web Apps
CVE-2024-38194
Exploit: An authenticated attacker could exploit insufficient validation in Azure Web Apps to elevate privileges over a network.
Microsoft Office SharePoint
CVE-2024-38018
CVE-2024-43464
Exploit: Both vulnerabilities allow an authenticated user to achieve remote code execution on SharePoint Server over the network. CVE-2024-38018 requires only Site Member permissions. CVE-2024-43464 requires Site Owner permissions and lets the attacker inject code that the server treats as trusted content and executes.
Windows Network Address Translation (NAT)
CVE-2024-38119
Exploit: An attacker who has already gained access to the restricted network segment could trigger a use-after-free (reuse of previously freed memory) in the NAT service to execute code remotely.
Windows Update
CVE-2024-43491
Exploit: The risk here is not a new attack technique but the re-exposure of previously fixed bugs: the servicing stack rolled back earlier fixes, and the September update restores them. According to Microsoft, for anyone who “installed any of the previous security updates released between March and August 2024, the rollbacks of the fixes for CVEs affecting Optional Components have already occurred.”
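Since remediation for CVE-2024-43491 depends on two specific updates landing in the right order, a quick per-host check is worth having. The script below is an added example, not code from the original article or from Microsoft. It relies on the fact that the affected platform, Windows 10 version 1507, reports OS build 10240, and it assumes an elevated Windows PowerShell session on the host itself and that Get-HotFix lists the servicing stack update; the function name and output fields are the example's own.

```powershell
# Added example, not code from the original article or from Microsoft: confirm that a host
# affected by CVE-2024-43491 carries both updates Microsoft requires. The servicing stack
# defect applies to Windows 10 version 1507 (Enterprise 2015 LTSB and IoT Enterprise 2015
# LTSB), which reports OS build 10240; other builds are reported as not affected.
# Assumptions: run in an elevated Windows PowerShell session on the host; Get-HotFix
# (Win32_QuickFixEngineering) lists the servicing stack update, which is not guaranteed on
# every image, so confirm a "missing" SSU in Update history before acting on it.

$ServicingStackKb = 'KB5043936'   # September 2024 servicing stack update for Windows 10 1507
$SecurityUpdateKb = 'KB5043083'   # September 2024 security update for Windows 10 1507
$AffectedBuild    = 10240         # Windows 10 version 1507

function Test-Cve202443491Remediation {
    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $build    = [int]$os.BuildNumber
    # UBR is the update build revision; informational only, so the output shows which
    # cumulative level the host is at without the script asserting an expected value.
    $revision = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -ErrorAction SilentlyContinue).UBR

    if ($build -ne $AffectedBuild) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Build = "$build.$revision"; Affected = $false
            SsuInstalled = $null; SecurityUpdateInstalled = $null
            Verdict = 'Not Windows 10 version 1507; the CVE-2024-43491 rollback does not apply'
        }
    }

    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $ssu = $installed -contains $ServicingStackKb
    $lcu = $installed -contains $SecurityUpdateKb

    $missing = @()
    if (-not $ssu) { $missing += $ServicingStackKb }
    if (-not $lcu) { $missing += $SecurityUpdateKb }

    if ($missing.Count -eq 0) {
        $verdict = 'Remediated: servicing stack update and security update both present'
    } else {
        # Order matters: the servicing stack update has to go on before the security update.
        $verdict = "Action needed: install $($missing -join ' then ') (servicing stack update first)"
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; Build = "$build.$revision"; Affected = $true
        SsuInstalled = $ssu; SecurityUpdateInstalled = $lcu; Verdict = $verdict
    }
}

Test-Cve202443491Remediation | Format-List
```

To sweep a fleet, wrap the function in Invoke-Command -ComputerName against the LTSB hosts and collect the objects; any Affected host whose Verdict is not "Remediated" is still carrying the rolled-back fixes and should be patched before anything else on the list.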
September 2024 Patch Tuesday Breakdown
The vulnerability categorization for September 2024 Patch Tuesday is as follows:
- 30 Elevation of Privileges (EoP)
- 23 Remote Code Execution (RCE)
- 11 Information Disclosure
- 8 Denial of Service (DoS)
- 4 Security Feature Bypass (SFB)
- 2 Spoofing
- 1 Cross-Site Scripting
Microsoft’s Security Response Center has a complete list of vulnerabilities, including the CVE number, base CVSS score and vectors, potential for exploitability, and more.