Microsoft’s September Patch Tuesday: A Patchwork of Urgency with 4 Zero-Days Under Attack
This September’s edition of Microsoft’s Patch Tuesday addresses 79 vulnerabilities, including 6 critical and 71 important severity issues. Among these, four zero-day vulnerabilities were actively exploited in the wild, posing immediate risks to users and enterprises. The updates span across multiple software components, including Microsoft Office, Windows Hyper-V, Windows DHCP Server, Microsoft Streaming Service, and more, marking another essential cycle for securing systems.
Key Zero-Day Fixes in September 2024
Several zero-day vulnerabilities patched this month have been targeted by cybercriminals, with the Cybersecurity and Infrastructure Security Agency (CISA) urging users to update systems before October 1, 2024. Here’s a closer look at the most concerning zero-day vulnerabilities:
CVE-2024-38014: Windows Installer Elevation of Privilege Vulnerability
A vulnerability in Windows Installer allows attackers to gain SYSTEM privileges, enabling them to control the entire system. Windows Installer, a crucial OS component, has been part of Windows since 2000 and is widely used for software installations. Exploitation of this flaw grants attackers full control, making it one of the most dangerous vulnerabilities this month. CISA has confirmed its active exploitation, urging users to patch promptly.
CVE-2024-38217: Windows Mark of the Web Security Feature Bypass
The Mark of the Web (MoTW) identifies downloaded files from the internet, flagging potentially unsafe content. A flaw in this feature allows attackers to bypass these safeguards, exposing users to malicious files that could execute harmful code. By convincing a user to download a file from an attacker-controlled server, hackers can bypass MoTW protections, a vulnerability actively exploited according to CISA.
CVE-2024-38226: Microsoft Publisher Security Features Bypass
Microsoft Publisher, used in industries requiring professional publication designs, was found vulnerable to a security bypass that allows attackers to circumvent Office macro policies. This enables attackers to execute malicious files typically blocked by these policies, putting Publisher users at significant risk.
CVE-2024-43491: Microsoft Windows Update Remote Code Execution Vulnerability
This flaw in the Windows Servicing Stack enables remote code execution, allowing attackers to execute arbitrary code on affected systems. Notably, this impacts Windows 10 version 1507, with a rollback of previous fixes affecting Optional Components. Systems that have installed the March 2024 update (KB5035858) or subsequent patches are vulnerable. CISA has confirmed that this vulnerability is being actively exploited.
Critical Severity Vulnerabilities
In addition to the zero-day exploits, Microsoft also patched several critical vulnerabilities, with Remote Code Execution (RCE) and Elevation of Privilege (EoP) dominating the list.
CVE-2024-38018: Microsoft SharePoint Server RCE
Microsoft SharePoint, a platform for sharing files and managing resources, faced a significant RCE vulnerability. This vulnerability allows an authenticated attacker to remotely execute malicious code by exploiting SharePoint Server with minimal permissions. Given SharePoint’s popularity in business environments, this flaw presents an attractive target for cybercriminals.
CVE-2024-38119: Windows NAT RCE
A vulnerability in Windows Network Address Translation (NAT) allows attackers to exploit a race condition to perform remote code execution. Although the attack requires access to a restricted network, its potential to compromise critical systems makes it a severe risk.
CVE-2024-43464: Microsoft SharePoint Server RCE
Another serious flaw in SharePoint Server involves the deserialization of specially crafted files. With Site Owner permissions, attackers can upload malicious files and trigger arbitrary code execution, putting enterprise SharePoint environments in jeopardy.
Other Important Vulnerabilities
While the critical vulnerabilities get the spotlight, this month’s Patch Tuesday also addresses several Elevation of Privilege (EoP) and Denial of Service (DoS) vulnerabilities that, while not as immediately dangerous, still pose serious risks if left unpatched.
One such vulnerability, CVE-2024-38194, affects Azure Web Apps, allowing attackers to exploit an improper authorization flaw and gain elevated privileges. Given the widespread use of Azure Web Apps in cloud environments, this issue could lead to broader breaches if exploited in large-scale attacks.
Call to Action
The September 2024 Patch Tuesday represents a critical update cycle for Microsoft users. With four zero-day vulnerabilities actively exploited and a range of critical and important severity flaws, timely patching is essential. Organizations are advised to prioritize the fixes for Windows Installer, Mark of the Web, Microsoft Publisher, and Windows Update, all of which are under active attack.
